Allow Top-Level Server User to have Read/Write Access to all Data

See http://www.virtualmin.com/node/13555

Feature Request: Allow the top-level server user to have read/write access to all data in the account (via the group permissions). To accomplish this, the Virtualmin code must create new home directories that enable group read+write+directory traversal. In addition, ProFTPD needs to have a umask so that the files or directories created via FTP will be set correctly.

I've got a workable solution below. I'm sure you can come up with something more elegant. Perhaps allowing it to apply to not just everyone or nobody, but on selected top-level servers only.

A lot of my customers were screaming for this. My solution has the benefit of stopping the screaming! :-)

========================= SOLUTION:

I've done some work on the code and I've found a solution. It amounts to modifying the file:

/usr/libexec/webmin/virtual-server/virtual-server-lib-funcs.pl

in the function:

set_usermin_imap_password

The solution was to replace every occurrence of 0700 with 0770, and every occurrence of 0600 with 0660. In addition to this, the file:

/etc/proftpd.conf

needed to be modified. It needs to have the directive:

Umask 007

If absent, add it; if there is another value (e.g., 027), then change it to 007.

With those two changes, the account (top-level server) owner can now read and write files that belong to users created via Edit Mail and FTP Users.

It would be nice if there were a GUI that allows one to choose the one mode or the other. It might have to be a solution that applies to all domains. But, if the Virtualmin team can figure out an even more elegant way to do this, it would be a big help for people who want the top-level server user to have the ability to read and write all files in the account.

Status: Active

Comments

Are you sure you want to use 770 permissions for mailbox home directories? This means that mail users could write to each others' homes, assuming that they aren't blocked by FTP chrooting.

It seems to me that 750 permissions would be better.
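The trade-off raised in this thread can be checked on a live system. The following is an added example, not part of the original request or of Virtualmin's code: it computes the modes that `Umask 007` and `Umask 027` produce for new files and directories, and classifies home directories by what their group bits allow (0700, 0750 or 0770). The directory names and the temporary tree are constructed for the demonstration.

```python
import os
import stat
import tempfile


def modes_from_umask(umask):
    """(file_mode, dir_mode) for new entries created with base modes 0666/0777."""
    return 0o666 & ~umask, 0o777 & ~umask


def classify(mode):
    """Describe what the group bits of a home directory allow."""
    if mode & stat.S_IWGRP:
        return "group-write"   # 0770: every member of the group can modify it
    if mode & (stat.S_IRGRP | stat.S_IXGRP):
        return "group-read"    # 0750: group can list/traverse, not modify
    return "private"           # 0700: owner only


def audit_homes(homes_root):
    """Map each directory directly under homes_root to (octal mode, class)."""
    report = {}
    with os.scandir(homes_root) as entries:
        for entry in entries:
            if entry.is_dir(follow_symlinks=False):
                mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
                report[entry.name] = (oct(mode), classify(mode))
    return report


def demo():
    """Build a constructed homes tree in a temp dir and audit it."""
    sample = {"alice": 0o700, "bob": 0o750, "carol": 0o770}  # constructed names
    with tempfile.TemporaryDirectory() as root:
        for name, mode in sample.items():
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)  # chmod is not affected by the process umask
        return audit_homes(root)


if __name__ == "__main__":
    for umask in (0o007, 0o027):
        f, d = modes_from_umask(umask)
        print(f"Umask {umask:03o}: files {f:04o}, directories {d:04o}")
    for name, (mode, kind) in sorted(demo().items()):
        print(name, mode, kind)
```

Pointing `audit_homes` at a domain's mailbox homes directory lists which users' homes are writable by the shared group, which is the exposure the comment above describes.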