Koozali.org: home of the SME Server

how to set up a user as a "limited" admin?

mophilly
how to set up a user as a "limited" admin?
« on: October 23, 2008, 05:43:02 PM »
I would like to allow another user access to update the Primary ibay, as well as the files under /opt/. I also would like to restrict access to other areas such as templates and so on. The purpose is to allow the user to assist with the upkeep of the web applications.

Is it possible to set up this arrangement within the SME manager?
(it's already there and I missed it?)

Do I need to create something special "under the hood" for this case?

What are others doing for cases like this?

TIA,

 - Mark

gzartman
Re: how to set up a user as a "limited" admin?
« Reply #1 on: October 27, 2008, 02:00:07 AM »
Quote
I would like to allow another user access to update the Primary ibay, as well as the files under /opt/. I also would like to restrict access to other areas such as templates and so on. The purpose is to allow the user to assist with the upkeep of the web applications.

You are looking at working outside of SME Security Model. What you are wanting to do is not supported in any way by SME and you should think twice before proceeding. Giving a user access to the e-smith-templates directory gives them the ability to control the lion's share of SME's configuration.

If all you are wanting to do is give a user the ability to help with web apps, perhaps you could post which apps you are wanting to delegate access to. We may be able to give you some direction to provide the needed access. Another option would be to install the web app directly in the ibay and give the user access to just that ibay. This would allow them the ability to modify everything except maybe admin dbase tasks.

Quote
Is it possible to set up this arrangement within the SME manager?
(it's already there and I missed it?)

No, nor should you even try.  You are just asking for trouble.


Greg
« Last Edit: October 27, 2008, 02:01:44 AM by gzartman »
----
Greg J. Zartman
LEI Engineering & Surveying

SME user and community member since 2000.

CharlieBrady
Re: how to set up a user as a "limited" admin?
« Reply #2 on: October 27, 2008, 02:59:21 AM »
Quote
I would like to allow another user access to update the Primary ibay ...

You don't need to do that. Configure the primary domain to use a different ibay. Set the group for that ibay to include whichever users you want.

gzartman
Re: how to set up a user as a "limited" admin?
« Reply #3 on: October 27, 2008, 03:14:04 AM »
Quote
You don't need to do that. Configure the primary domain to use a different ibay. Set the group for that ibay to include whichever users you want.

This won't work if the user installs web apps the "right way," which installs the web app in a dir location other than ~/ibays/ and includes an httpd template fragment to set up httpd to point to the web app.

As previously stated, the user would need to install the webapp directly into an ibay and give those who will admin this web app the "Ibay password". Simply including a user in the ibay group won't provide the access needed to admin the webapp unless this user is on the internal LAN, which is very unlikely in the case presented by the OP.

Greg

David Harper
Re: how to set up a user as a "limited" admin?
« Reply #4 on: October 27, 2008, 08:12:03 AM »
Rather than give your limited administrator access to the SME Server itself, have you considered a simple content management system like SiteX (which you can also see in action on my website)?

That way, they can have full admin rights to the website - upload photos, add new pages, whatever - but no access to the SME Server backend.

mophilly
Re: how to set up a user as a "limited" admin?
« Reply #5 on: October 27, 2008, 04:02:28 PM »
Thanks for the thoughtful replies. I was hoping for an "almost admin" level user or perhaps something like ACLs for this that wouldn't break the SME model.

The web apps, MantisBT, MediaWiki and a couple of applications we produce, are in /opt/. We use the Primary ibay for the top level web site. I would like to give one tech the role of "webmaster" for the web apps, while I will remain responsible for SME config, etc.

A CMS would be a solution to some of the tasks for the webmaster. SiteX does look interesting and I will play with it a bit soon.

The idea of using a regular iBay is workable too. I think, for our situation, I ought to set up a user account so the user "home" would be the workspace, and write a script to update the Primary as needed. The web apps are a challenge.

Thanks, again.
- Mark

janet
Re: how to set up a user as a "limited" admin?
« Reply #6 on: October 27, 2008, 04:22:42 PM »
Mophilly

The simplest way is to put all your web apps in ibays, and then allow user access as required via group ownership of the ibays.
Users can connect via VPN remotely and only have access to the ibays they are allowed to administer. Nice and easy and safe.

Move your apps from /opt to ibays and stop using Primary. Point your main domain name at an ibay in the domains panel. There is nothing unsafe about using ibays, sme was designed to use them like this, for these very reasons.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

mophilly
Re: how to set up a user as a "limited" admin?
« Reply #7 on: October 28, 2008, 01:29:25 AM »
Thanks, mary,

I thought about placing the top level site in an ibay but wondered about security. I am encouraged by your comments.

BTW, what do you use the Primary ibay for?
- Mark

janet
Re: how to set up a user as a "limited" admin?
« Reply #8 on: October 28, 2008, 08:45:02 AM »
Mophilly

Quote
..what do you use the Primary ibay for?

Of course it can be used for the main domain web content etc.
It may be appropriate for small organisations who have minimal websites and minimal tech support staff, where only one person, i.e. the admin user, will administer the whole server.

If you have multiple administrators (of web sites) as you do, then using ibays is a better alternative.
You could still use the Primary ibay if you really want to, but it only has admin user access, so updating by users is limited, i.e. users must send info to the admin user who then updates Primary.

mophilly
Re: how to set up a user as a "limited" admin?
« Reply #9 on: October 28, 2008, 03:48:28 PM »
We are pursuing the suggestion made by Charlie and mary to use another ibay for the primary domain.

I plan to use the "files" directory in the ibay for the apps presently in /opt/. Please let me know if this isn't the appropriate choice.

Thanks again to everyone. Your replies have made this much easier.
- Mark

gzartman
Re: how to set up a user as a "limited" admin?
« Reply #10 on: October 28, 2008, 07:06:31 PM »
Quote
Thanks for the thoughtful replies. I was hoping for an "almost admin" level user or perhaps something like ACLs for this that wouldn't break the SME model.

The web apps, MantisBT, MediaWiki and a couple of applications we produce, are in /opt/. We use the Primary ibay for the top level web site. I would like to give one tech the role of "webmaster" for the web apps, while I will remain responsible for SME config, etc.

A CMS would be a solution to some of the tasks for the webmaster. SiteX does look interesting and I will play with it a bit soon.

The idea of using a regular iBay is workable too. I think, for our situation, I ought to set up a user account so the user "home" would be the workspace, and write a script to update the Primary as needed. The web apps are a challenge.

Thanks, again.

You are making this much more complex than it needs to be. As Mary and I have suggested, use ibays to control admin type access to your web apps. All of the apps you've suggested will install directly into ibays. However, MediaWiki will require that you either run with SME 8 or install PHP 5 next to PHP 4.

You could have this up and running in under 30min.

Greg

gzartman
Re: how to set up a user as a "limited" admin?
« Reply #11 on: October 28, 2008, 07:09:39 PM »
Quote
We are pursuing the suggestion made by Charlie and mary to use another ibay for the primary domain.

I plan to use the "files" directory in the ibay for the apps presently in /opt/. Please let me know if this isn't the appropriate choice.

Thanks again to everyone. Your replies have made this much easier.

No. You'll want to drop the web app directly into the html directory and enable executable content for the ibay.

You'll then be able to access the web app with: www.yourdomain/ibay name. Or, you could set up a hostname for your webapp and point it to the webapp ibay, then access your ibay with somename.yourdomain.

Once again, you are really making this into a bigger problem than it needs to be.

Greg

janet
Re: how to set up a user as a "limited" admin?
« Reply #12 on: October 29, 2008, 01:48:46 AM »
Mophilly

Quote
I plan to use the "files" directory in the ibay for the apps presently in /opt/. Please let me know if this isn't the appropriate choice.

That's not appropriate.
All web content should normally be installed in the html folder.
Some types of code (eg cgi) would be installed into the cgi-bin folder.
The files folder is really for samba file sharing on a LAN.

Please read the manual as I'm certain this is covered there, and your knowledge seems to indicate you have never read the manual.

To the many out there who may want to respond to my "read the manual" comment in an antagonistic way, please don't.
In this situation "read the manual" is a valid request to make.

gzartman
Re: how to set up a user as a "limited" admin?
« Reply #13 on: October 29, 2008, 02:56:31 AM »
It is worth noting that there is some risk when enabling executable content for an ibay and opening up the ibay to internet/no-password.

Remember, authenticated LAN users will also have access to the html dir via Windows file sharing. This means it is possible for a LAN user to drop a malicious php file named index.php into the html dir and it will be executed when the ibay is accessed via www.

There are ways to mitigate this (e.g., create a custom Samba template fragment to turn off Windows browsing for the ibay), but the admin needs to be aware of what is going on. AFAIK, this isn't covered in the manual.

Greg

janet
Re: how to set up a user as a "limited" admin?
« Reply #14 on: October 29, 2008, 03:06:19 AM »
gzartman & mophilly

Quote
It is worth noting that there is some risk when enabling executable content for an ibay and opening up the ibay to internet/no-password.

Which in part is one of the reasons that had been put forward for using /opt instead of an ibay.

An answer is to limit local (LAN) access to web enabled ibays using group ownership.
Good policy would be to severely limit access to an ibay that contains web content.
Only those admins who will update the site and can be trusted should be made members of the group that "owns" the ibay.
Therefore no-one else can access the ibay locally to inadvertently or deliberately add malicious content.

Better still eg for Joomla CMS (& others where applicable etc), only allow updating of content via the front end/back end panels built in to the CMS.
« Last Edit: October 29, 2008, 06:25:02 AM by mary »
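
The risk raised in replies #13 and #14 (anyone who can write to a web-enabled ibay's html directory can publish a script that the web server will run) can be checked from the filesystem. The following is an added example, not part of the original thread and not SME Server code; the function name, the extension list and the idea that a file's owner identifies who wrote it are assumptions.

```python
"""Added example: audit a web-enabled ibay's html directory."""
import os
import stat

# Extensions the web server may execute when executable content is enabled
# (assumed list; adjust to the handlers configured on your server).
SCRIPT_EXTS = {".php", ".phtml", ".cgi", ".pl"}


def audit_html_dir(html_dir, trusted_uids):
    """Return sorted (issue, path) findings for one ibay html directory.

    trusted_uids: numeric uids of the admins allowed to publish scripts.
    """
    findings = []
    for root, _dirs, files in os.walk(html_dir):
        mode = os.lstat(root).st_mode
        if mode & stat.S_IWOTH:
            findings.append(("world-writable-dir", root))
        elif mode & stat.S_IWGRP:
            # Expected for a group-writable ibay, but every member of the
            # owning group can then add scripts here over file sharing.
            findings.append(("group-writable-dir", root))
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(root, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                findings.append(("script-is-symlink", path))
            elif st.st_uid not in trusted_uids:
                findings.append(("script-untrusted-owner", path))
            elif st.st_mode & stat.S_IWOTH:
                findings.append(("script-world-writable", path))
    return sorted(findings)


if __name__ == "__main__":
    import tempfile
    # Constructed sample tree standing in for an ibay's html directory.
    with tempfile.TemporaryDirectory() as html:
        os.chmod(html, 0o775)
        with open(os.path.join(html, "index.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>")
        # No trusted uids given, so the script is reported as untrusted.
        for issue, path in audit_html_dir(html, trusted_uids=set()):
            print(f"{issue}\t{path}")
```

A "group-writable-dir" finding is informational: it is the cue to review who belongs to the group that owns the ibay.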