FTP concerns | Forum

dave Leader
dave Jul 20 '13

I decided today to set up some ftp accounts just for updating plugins for my oxwall sites.  This serves two purposes, first it protects the main cpanel login details which is a security issue, and second it only allows access to certain areas of the hosting.

 

So i got the ftp all set up, had a plugin to update so this was a perfect time to test this, and it failed.  What i got was "Provided the user does not have permissions to overwrite files"  So i went back to the original way of doing this which was to give the cpanel main access information.

 

There are several posts on this and people keep fishing and fishing for answers.

 

My question is what is causing this? 

 

I am trying to understand if this is a server(ftp) issue or an oxwall issue?

 

Does Oxwall set a flag someplace that only the ftp/access used to originally install the script is the only one you can use to update it? 

 

I do have other ftp accounts that i use to overwrite files all the time on other domains, so this is very strange to be happening.  

 

Is this an ftp security feature and not Oxwall related?

 

I do strongly believe it is a major security issue to have to give the main cpanel login in order to update a plugin.

 

Maybe a good test for this is next time i have a wordpress.org update i will give them an alternate ftp and see if that works, if it does then it must be an Oxwall issue.  Because i have set up wordpress and installed in the same way as i did Oxwall

 

Any ideas?

The Forum post is edited by dave Jul 20 '13
kevinL
kevinL Jul 21 '13
I think it should be ok to use the cpanel ftp username/password on Oxwall when updating.  I believe that Oxwall will never touch anything on our cpanel stuff, but if you and my site get popular like facebook maybe Oxwall might just buy it out, who knows?...



dave Leader
dave Jul 21 '13

My concern is not with Oxwall's intent, I feel fine with that.   My concern is that this is an unnecessary security risk that can be prevented.

Den Team
Den Jul 22 '13
Hello guys


dave,


Each time, Oxwall connects to your site via the FTP protocol with the FTP credentials you entered on the update page and tries to create an empty folder in the site root directory. If it fails, the script will return the error. So, make sure that the FTP user you use is able to create folders/files in the directory where Oxwall is installed. If this is the case and you are still unable to update, send a PM to Alia with all login details. She will investigate it deeper.


kevinL.

Yes, exactly. Oxwall never stores FTP details in DB. It uses it only once each time a new plugin update/installation is performed. 

dave Leader
dave Jul 22 '13
Ok thanks Den :)
Den Team
Den Jul 22 '13
You are welcome dave :)
dave Leader
dave Jul 23 '13

Just to follow up on this i did contact cPanel and this is what they said

 

You can create a virtual FTP account in cPanel via:

"cPanel >> Home >> Files >> FTP Accounts"

This is documented at:

http://docs.cpanel.net/twiki/bin/view/AllDocumentation/CpanelDocs/FTPAccounts

Remember to login using the full FTP username (e.g. username@domain.com). Ensure you are attempting to access a directory that you have access to. For instance, you can not edit a file in the public_html directory if you only granted access to public_html/123.

Thank you.

dave Leader
dave Jul 24 '13
I knew that reply from cPanel would not really help so i did some digging and playing around with my ftp.  I think i might have the solution and i will post it here, but i need to wait for a plugin update first to test this out so i don't get egg on my face lol.
dave Leader
dave Jul 25 '13

Ok folks i got it, Den here is how it's done. :)   Maybe one day this could be included in the standard Oxwall docs.

 

The question is:  How to upgrade your plugins without having to give out your main cPanel Username and Password?

 

The answer is:  (and this has been just tested by me and was successful)

 

1. Go into your Cpanel and create a new ftp account.

 

2. If this is for a main domain (top domain) then it's easy, follow 2a below.

If this is for a sub domain or add on domain then go to 3 below.

 

  2a.  (main/top domains only)

   

     You can pretty much take the defaults when setting up the ftp, you just have to remember to make sure the directory option in the ftp form shows public_html  (the default will show public_html/name  remove the name so that it is just public_html) (do not remove any slashes that may exist meaning if there is a trailing slash leave it)  

 

     Also when you are presented with the update form in oxwall you need to change local host to ftp.yoursite.com  and then enter the username as name@yoursite.com and then enter the  pw for that ftp account.

 

Example:   if an ftp account is named oxftp@yoursite.com   Then for the host change local host to ftp.yoursite.com and the username will be oxftp@yoursite.com and then the password for that ftp account, keep the port 21

 

Done..

 

3. (sub/addon domains only)   Add on domains are a little trickier but not too bad.  The reason addon and subs are a little trickier is that the ftp always has to go thru the main/top domain to get to your sub/addon.

 

In other words  if i have a main site called   main.com  and i have an add on domain called addon.com   then to build an ftp that will look at addon.com you need to log into main.com with the ftp and then tell it to look at addon.com.   Sounds complicated but not really.

 

  3a.  Go into your cPanel and set up an ftp account.   The name will default to be your main domain so you can name it something like  oxsub@your_main_domain.com   (you might be thinking wait i don't want it to be my main domain, i want it to show my sub/addon domain name), it's ok just let it be and then set your password.  You will see how it works here in a few min.. :) 

 

IMPORTANT!  make sure in the directory option that you DO NOT take the default value which in this case would be ?????/public_html/oxsub.  Change that to be   ????/public_html/your_sub or addon dir name     

 

Do not remove or change any slashes at all, just change the location from the default to your sub or add on domain.  (if there is a trailing slash in the default then leave it)

 

3b. And then save the ftp.

 

3c.  This time when you are presented with the plugin update form from oxwall you will:

 

    1.  Change the host to ftp.your main/top domain.com

    2.  username will be  name@your main/top domain.com 

    3.  password will be the password for the ftp account

    4.  port is 21

 

Since this ftp account is set to look at your sub/addon domain via the directory option you chose, it will only allow access to that area.

 

Done! 

 

 

Final comments:

 

1. This allows you to update your oxwall plugins without having to give out your main Cpanel Username and Pass.

 

2.  This also limits access to that update to only one area and not all areas of your hosting.

 

3.  This helps you to run an effective ftp management and hosting access plan for your site.

 

Hope this helps.  :)

 

PS.  want to test this yourself to make sure.  Just set up your ftp in filezilla and make sure when you connect that you are in the right place.. :)

 

The Forum post is edited by dave Jul 25 '13
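
A pre-flight check for the FTP account set up in the post above, as an added example (not part of dave's post and not Oxwall's code): it confirms the account lands in the directory that contains `ow_plugins` and can create an empty folder there, the kind of test Den describes the updater making. The function names, the probe folder name and the `FakeFTP` stand-in are assumptions for illustration, and `use_tls=True` assumes the host offers explicit FTPS on port 21.

```python
import ftplib

def probe_ftp_scope(ftp, expect_entry="ow_plugins", probe_name="ow_write_probe_tmp"):
    """Report where a logged-in FTP session lands and whether it can create a folder there."""
    result = {"cwd": ftp.pwd(), "sees_oxwall": False, "can_create": False, "error": None}
    try:
        names = [n.rsplit("/", 1)[-1] for n in ftp.nlst()]
    except ftplib.error_perm:
        names = []  # some servers answer 550 when the directory is empty
    result["sees_oxwall"] = expect_entry in names
    try:
        ftp.mkd(probe_name)   # create an empty folder in the account's root
        result["can_create"] = True
        ftp.rmd(probe_name)   # clean up so nothing is left behind
    except ftplib.error_perm as exc:
        result["error"] = str(exc)
    return result

def check_account(host, user, password, port=21, use_tls=True):
    """Log in with the scoped account and run the probe (use_tls assumes explicit FTPS)."""
    ftp = (ftplib.FTP_TLS if use_tls else ftplib.FTP)(timeout=15)
    ftp.connect(host, port)
    try:
        ftp.login(user, password)   # FTP_TLS negotiates TLS before sending credentials
        if use_tls:
            ftp.prot_p()            # protect the data channel as well
        return probe_ftp_scope(ftp)
    finally:
        ftp.close()

class FakeFTP:
    """Constructed stand-in for a server session so the probe can be exercised offline."""
    def __init__(self, entries, writable):
        self.entries, self.writable = list(entries), writable
    def pwd(self):
        return "/"
    def nlst(self):
        return list(self.entries)
    def mkd(self, name):
        if not self.writable:
            raise ftplib.error_perm("550 Permission denied")
        self.entries.append(name)
    def rmd(self, name):
        self.entries.remove(name)

if __name__ == "__main__":
    # Constructed cases: right directory, empty default directory, read-only account.
    for fake in (FakeFTP(["ow_plugins"], True), FakeFTP([], True), FakeFTP(["ow_plugins"], False)):
        print(probe_ftp_scope(fake))
```

A result with `sees_oxwall` false and `can_create` true is the symptom of keeping cPanel's default `public_html/name` directory: the account is writable but scoped to the wrong place.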
Alia Team
Alia Aug 1 '13
Dave, good job!!!
I have added your instructions to our docs section: http://docs.oxwall.org/faq:how-to-add-new-ftp-account-to-update-add-plugins-and-themes

Let me know if I missed or misunderstood anything.


dave Leader
dave Aug 1 '13

wow Alia nice professional job on the doc.   Thanks so much, I'm sure that will help a lot of people.   You got it right, i did not see anything you missed.

 

1 typo though

1st paragraph - you server 

should be:  your server

 

Other than that, perfectly done... Great job yourself :)

Bobby Onions
Bobby Onions Jan 10 '14
I have severe issues with using FTP, as it's antique and insecure.


I cannot believe that in 2014, a modern web application puts such a burden on its users.


My environment will absolutely not allow FTP to be enabled, as we have regulatory obligations that forbid applications that use insecure/plain-text authentication.


Is there any way of reliably updating plugins without enabling FTP?


Please don't respond by saying "Just enable FTP". It's never, ever going to happen.

The Forum post is edited by Bobby Onions Jan 10 '14
dave Leader
dave Jan 11 '14

I suppose you could just install the new version directly every time via cPanel.

Alia Team
Alia Jan 15 '14
>>Is there any way of reliably updating plugins without enabling FTP?

  1. Download the latest plugin's version from Oxwall Store;
  2. Unpack plugin's archive;
  3. Upload unpacked plugin's folder into ow_plugins/ directory (overwrite existing old plugin);
  4. Login to Admin Panel and click “Update PLugin DB” button


IMPORTANT NOTE: DON'T UPDATE YOUR PLUGINS TO 1.6 UNTIL YOU  UPDATE YOUR CORE TO 1.6


Regis Grison
Regis Grison May 24 '14
Hi,

Please have a look here, that may help:
http://www.oxwall.org/forum/topic/19528
Colas Nahaboo
Colas Nahaboo Feb 13 '15
A solution could be for Oxwall to publish the IP addresses from which it will trigger FTP accesses, so that we could enable incoming FTP on our sites from only these addresses?
Regis Grison
Regis Grison Mar 13 '15
Yes... Or we could not use FTP at all...

What's the point in installing additional, not-useful software?

As far as I know Oxwall is the only software that uses FTP for its own updates as the only way to do it. It could be acceptable to give a choice, but why force users?

By the way, I published a hack 10 months ago on bitbucket and I'm still waiting for an answer...
tammy harris
tammy harris Mar 14 '15
I had the same problem with ftp. Whatever ftp user you use needs to be owner or above, and to fix it I logged in as root and changed folder owners recursively.
One command, one click, fixed.
The Forum post is edited by tammy harris Mar 14 '15