cPanel Plugin to access configuration files, with web server's user?

[yclian]

Hi there,

I have a YAML file that contains OAuth consumer key and secret, they're placed at /var/cpanel/xxx. This file is generated by the administrator via WHM and a user shall not have access to it except the admin and the web server's user.

The user (say 'luser') accesses to the plugin via /frontend/x3/xxx/index.phpcp, and I just realized that it will be running under the permission of 'luser' instead of the web server.

Is there any way I can grant access to the web server (I suppose cPanel runs Apache as 'root') and to use that credential to perform something in a plugin?

Thanks.

[cPanelMatt]

Well, just for the sake of semantics, cpanel uses it's own webserver - cpsrvd.

This runs as it's user. The best way to handle this sort of interaction is to make the file owned root:usergroup. This will allow both users and root to access the file.

Or you could just own the file to the user all together (root can handle it either way).

Your other option is to create a setuid binary that can retrieve that information using checks to ensure the correct user is calling it.

[dreas]

Your other option is to create a setuid binary that can retrieve that information using checks to ensure the correct user is calling it.

Are you able to provide an example program for this? This cPanel design is causing us a lot of trouble as well.

[dreas]

Actually could we write this program simply in PHP, and make it executable (but not readable) by world? And then the PHP script would verify if the action is allowed for the specific user/domain? Or does this have to be some C binary?

[dreas]

Actually could we write this program simply in PHP, and make it executable (but not readable) by world? And then the PHP script would verify if the action is allowed for the specific user/domain? Or does this have to be some C binary?

It has to be a binary. The (PHP) interpreter cannot execute the file without having read access.