Second FTP user to home directory - quota?

[markus909]

TL;DR
If I add a second FTP user and add the home directory of the main cPanel account (instead of a subdirectory). What quota do I have to set? If the cPanel account quota is set to 10GB, does the second FTP user also require those 10GB?


I am handing over a project where I run the site on my new reseller cPanel hosting.

I am not giving away the cPanel account right away, but I think the client must have something at hand (bus factor / risk management).
So I want to give them access via FTP.

For better separation, checking logs if necessary, I want to give them their own FTP user.

By default a new FTP user gets its own home directory. So I change that, so that it points to the home directory of the account.
I thought I better set up some quota, otherwise the client could fill up and take down my main account.

However, here I need the explanation of quota.

If quota on the main account is set to 10GB. Do I have to give that second user also 10GB?
Or can I just give them 1GB so they can upload some files e.g. in a /home/download directory but can't exceed that 1GB in total?

On the screenshot set up the new ftp account for the client with a quota of 1GB.
I am confused by the numbers though.

The new cPanel account for the client uses 2583 / 1000MB while the default root cPanel account uses 4152 / 10.000 MB.
I thought at least the "used" storage must be equal in that case.

 

[vanessa]

The cPanel account quota trumps the FTP quota.

 

[markus909]

The cPanel account quota trumps the FTP quota.

So that means, if I give an FTP account a lower quota it will work, e.g. when I just set it up for a different directory like /home/clientwebsite/downloads
but it won't work when I give the FTP account access to the entire home directory /home/clientwebsite/ → in that case even if I add a lower quota, it just won't be applied

It's just somehow weird -- perhaps it's absolutely not a way to do it setting up an additonal FTP user to give access to the entire home directory.

I don't see any other way to give the client full access to FTP without giving access to the entire cPanel account (where they could mess up even JetBackup and more)

 

[cPRex]

That all sounds correct to me. If they need access to all of /home/username, you're already trusting them with the entire account's file structure anyway, so they may as well have full cPanel access at that point.

 

[markus909]

Giving the entire cPanel is a completely different level, no? They could delete cPanel backups, they could change DNS when the zone files is managed within cPanel. There is so much more. From my point of view, it's responsible to give the client the opportunity to access the full site via FTP, to be able in the worst case (bus factor) to access the site as admin and get a backup or migrate it.

It's irresponsible on the other hand to give them the opportunity to delete backups or mess with the DNS.

Maybe I can't see the big picture yet, but to me those are 2 different levels of permissions/access

 

[cPRex]

If they have FTP access to /home/username, the only thing they couldn't really adjust is DNS or delete the database content. They would have the ability to delete or access everything else on the domain, as all files are stored there.

 

[markus909]

I thought about for some time - I think those 2 arguments would be strong enough, e.g. do not allow DNS + database access, but full file level access. I'll watch what's coming with Team Members from cPanel 112, maybe that gives some further options.

I personally do find it difficulty as a sole proprietor to not hand out anything to the client. They should have something, should something happen to me. I personally find it also difficult to hand out everything.

The path in the middle would be to hand out FTP and a narrowed down cPanel (with the new Manage Team feature)