commands.allow and commands.deny for per-user control

Version 1.38.0

Finished Allow/Deny Users specific commands based on these files, if they exist. They won't exist by default. /usr/local/directadmin/data/users/username/commands.allow /usr/local/directadmin/data/users/username/commands.deny They work in a similar manner to the /etc/hosts.allow|deny files. - commands.allow overrides commands.deny. If an item is in both, the command will be allowed. - if commands.allow exists, but is empty, that User will not be able to do anything - adding commands to commands.allow that do not exist in the given accounts access level won't work (eg: you cannot run Admin level commands as a User) Special keywords will be used to allow full or zero permission on an entire access level (both the allow and deny files can use them): ALL_USER ALL_RESELLER ALL_ADMIN which would be mainly used for cases where you want the full access level of one level, but want to refer to other areas for limitations. Example, if you want to create a Super Reseller, where that Reseller can create other Resellers, you would create an Admin account, and add: ALL_RESELLER ALL_USER CMD_ACCOUNT_RESELLER which essentially is a Reseller, but who can create other Resellers. The ALL_USER, ALL_RESELLER, and ALL_ADMIN values are handy to use because they'll be dynamic between versions, in case there are new commands for that level. You will need to be careful if you're doing this example since many non-Admin commands are changed if the account is of type "Admin". For example, CMD_SKINS is a Reseller command, but when run as Admin, it has access to the global skins folder. CMD_SSL, when pasting a cert/key on a shared IP will be accessing the shared server certificate for the whole server. *** IMPORTANT *** If you allow CMD_LOGIN to an Admin or Reseller, then they will be able to call CMD_LOGIN for the "Login As" feature for accounts under their control. As such, they'd be able to execute any commands that the logged-in User can do, regardless of their own commands.allow/deny. (They'd still be limited to that logged-in accounts command.allow/deny files, should they exist)

Try DirectAdmin with a 30-day money back guarantee!