Additional ssh account or other way to give ssh access per domain

Good day and thanks for hestiacp, the best thing of its kind!

I am using hestiacp as a dev/staging environment. All sites are domains under one common user. It is super convenient. We use VS Code remote development plugin to quickly do updates on the server. All the in-house team (just the 2 of us)) uses the same account without trouble.

But now I need to give access to just several sites to a contractor outside of the team. I can’t cope with just additional ftp user, as I need to give them ability to use VS Code remote development plugin too. And it needs ssh access.

My question is is it possible to give per site access to additional ssh user or to another hestia user that already exists (I can create one per contractor)?

I know it is possible as I have this on my shared hosting. But they claim they use some POSIX ACL modifications. So might not be easily reproducible. But I am not good enough in server administration to know for sure)

Or is there any other way I can solve this task?

Thanks!

Hi,

You could create a normal user:

adduser dev1

And add these ACLs:

setfacl -R -m u:dev1:rwx /home/mainuser/web/site1.tld
setfacl -R -d -m u:dev1:rwx /home/mainuser/web/site1.tld

User dev1 should be able to access your server via ssh and use /home/mainuser/web/site1.tld as the remote path in VS Code.

You can also add a line in .bashrc file so the user always access to the site’s dir:

echo 'cd /home/mainuser/web/site1.tld' >> /home/dev1/.bashrc

Thank you very much @sahsanu !

I have tried it with an existing user, created through hestia’s dashbord. But it didn’t work for some reason. Then I tried with a new user created through bash and it worked.

Do you know why could that be? Or I just didn’t do it right?

I would love to be able to give access to an existing hestia user so the dashboard could be still reachable, if that is possible.

Hestia users have a different ACL, which is why I said you should create a “normal” user.

Even if you add a new Hestia user, that user won’t see the site you want to work on.

Thanks, @sahsanu ! If you could share a link about that different ACL for hestia users, I would be grateful and examine it.

And while we’re here can I add another question please. Is it possible to make files and folders, created by that new normal user, be created as with original domain owner user as owner and his group? So that they would be read normally by the webserver.

❯ getfacl /home/mainuser
getfacl: Removing leading '/' from absolute path names
# file: home/mainuser
# owner: root
# group: root
user::rwx
user:mainuser:r-x
group::---
group:hestia-users:---
mask::r-x
other::--x

The important ACL here is group:hestia-users:---, which removes all access for users in the hestia-users group. Hestia adds every user to this group, and that is why it works when using a normal user but does not work with a user created by Hestia.

You could remove the user dev1 from the hestia-users group:

gpasswd -d dev1 hestia-users

This will work, but once the user is rebuilt, Hestia will re-add dev1 to the hestia-users group.

By default, all files created by the user have the umask 0002, which results in -rw-rw-r-- for files and drwxrwxr-x for directories. This means the web server should be able to serve all the content.

If you also need the web server group (www-data) to have write access, you can use setgid:

chmod -R g+s /home/mainuser/web/site1.tld/public_html/

Also, instead of applying these ACLs to site1.tld, apply them only to public_html.

setfacl -R -m u:dev1:rwx /home/mainuser/web/site1.tld/public_html/
setfacl -R -d -m u:dev1:rwx /home/mainuser/web/site1.tld/public_html/

Thank you @sahsanu for a great thorough answer!