  1. #1
    Registered User
    Join Date
    Mar 2010
    Posts
    4

    Apache / PHP user security question

    Hi, first, thanks for any help you might offer on this issue...

    We run Cpanel/WHM 11.25 on a server with PHP 5, suEXEC on, and CGI as the PHP handler.

    Our sites are all agent sites for a group of insurance companies that are independent agents but under one broker. So, as part of the broker's package to the agents, they get their own semi-customizable site.

    What I'm trying to build is a way that each user can log in to a central location on the server and customize THEIR OWN files/site... Long story short, it would be much easier maintenance on us and we've been using XML files rather than a central database.

    So, here's the setup:

    brokerdomain.com
    agent1.com
    agent2.com

    Obviously under Cpanel these are all separate users (and we want to keep them that way), so I've got it so a user logs into brokerdomain.com and the database says ok, you're agent 2 associated with agent2.com, /home/agent2/public_html/site_files is where your stuff is stored.

    Apache/PHP is set up to prevent users from accessing other users' domains, but I have full access to the server... I just don't know how to make an exception for this one user to be able to access the "site_files" directory from any user home on the server. How do I make it so the PHP application running on brokerdomain.com can access /site_files/ under agent2.com (another user)?

    I'm a decent programmer but not an Apache expert, so please be gentle on me! Any suggestions/assistance would be awesome!

    Thanks so much.
    Last edited by whl02; 03-26-2010 at 04:11 PM. Reason: change title to more descriptive

  2. #2
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    Quote Originally Posted by whl02:
    We run Cpanel/WHM 11.25 on a server with PHP 5, suEXEC on, and CGI as the PHP handler.

    Assuming this is really how you are set up, this is ill advised ...

    I would strongly recommend changing to either SuPHP or FCGI

    Quote:
    What I'm trying to build is a way that each user can login to a central location on the server and customize THEIR OWN files/site... Long story short, it would be much easier maintenance on us and we've been using XML files rather than a central database.

    There are several different ways to go about doing this, even taking into consideration ownerships being a suexec/setuid environment, but I would have to know a little more about your specific layout, particularly what logins your users use and are they addon users or the main account users, etc., as this can have an impact on which way to go with that.

    In the simplest form, could just give them their own FTP logins

    Your main item is that you don't want files added or edited by one user to be set up as that user because that will cause problems when executing or accessing those files as owner.

  3. #3
    Registered User
    Join Date
    Mar 2010
    Posts
    4

    Thanks for your reply.

    Not sure we're on the same page. Everyone has their own FTP accounts as well as access to their own cpanel. What I'm after is a way to use a centralized PHP application that can still save files to an authorized user's home directory.

    As for the rest of your reply, users login with a password that is verified by the php application. It is completely separate from cpanel, ftp, etc. It's just a login that links them with their account with the broker.

  4. #4
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    Are you needing to just simply read files across accounts or edit those files?

    I know you are executing as owner and that is a primary concern ...

    Do you have open_basedir limits in place?

    Using a custom config for each user account?

    At this particular point looking at this fairly blind, I'm inclined to think setting up a linux "group" would be the best option and then setting your permissions to the file shared between this to be group accessible to the new group of which you make both users members.

  5. #5
    Registered User
    Join Date
    Mar 2010
    Posts
    4

    Thanks again for your reply.

    I need to edit the files as well. It's basically a small xml file that has user-configurable options in it such as phone number, website settings enabled, etc.

    I can currently read them from the web, but the php application cannot open them... Yes, open_basedir protection is enabled.

    Each user account has the same PHP settings for their cpanel account.

    I did add a group and set the folder "site_files" to be in that group using the chgrp command. Then I added the two users to the group, chmod file permissions for group read/write, and tried to access the directory: no go. I also tried to chown the directory to the user running the PHP app just to see; that didn't work either... That was a good idea, though...

    I realize it's not an ideal setup or an ideal situation, but sometimes we have to play the cards we're dealt, you know? Thanks for being patient with me. Any other ideas?

  6. #6
    Member
    Join Date
    Mar 2010
    Posts
    39

    I think PHP open_basedir is getting in your way here.

    Try disabling it
    Last edited by m4rc3; 03-27-2010 at 02:47 AM.

  7. #7
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    Quote Originally Posted by m4rc3:
    I think PHP open_basedir is getting in your way here.

    Try disabling it

    It's a bit more complicated than that ....

    Anyway back on the group, did you adjust the permissions on "public_html" itself to allow access for the new group?

    Ownerships should not need to be changed but you may need to change the permission settings there.

  8. #8
    Member
    Join Date
    Mar 2010
    Posts
    39

    Quote Originally Posted by whl02:
    I did add a group and set the folder "site_files" to be in that group using the chgrp command. Then I added the two users to the group, chmod file permissions for group read/write, and tried to access the directory: no go. I also tried chown- the directory to the user running the php app just to see; that didn't work either... That was a good idea, though...

    Based on that I assumed that he already took care of the permissions bit, so the only thing that I could think of was open_basedir.

  9. #9
    Registered User
    Join Date
    Mar 2010
    Posts
    4

    Guys, thank you so very much for your help. Spiral's solution saved the day.

    Here's a summary for anybody else interested:

    1. Create a group
    2. Add all appropriate users to group
    3. Set group permissions for the entire public_html folder

    That was what I was doing wrong... didn't know I had to give group permission to public_html as well.

    Thanks, m4rc3 and Spiral for your awesome assistance!
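
Why the group change on site_files alone failed, as an added example that is not part of the thread: on Unix every directory on the way to a file must grant search (x) permission, so a group-writable site_files stays unreachable while public_html denies the group. The script assumes Linux with GNU stat and ignores ACLs and open_basedir; the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux (GNU stat); ignores ACLs
# and the owner class, because the group member does not own the files.

# class_bits GROUP PATH: print the rwx digit (0-7) applying to a non-owner
# member of GROUP: group bits if PATH belongs to GROUP, else "other" bits.
class_bits() {
    info=$(stat -c '%a %G' "$2") || return 2
    mode=$((0${info%% *}))            # parse as octal, e.g. 0750
    if [ "${info#* }" = "$1" ]; then
        echo $(( (mode >> 3) & 7 ))
    else
        echo $(( mode & 7 ))
    fi
}

# first_block GROUP TARGET NEED [TOP]: walk from TOP (default /, itself not
# checked) down to TARGET. Each directory on the way needs x (1); TARGET
# needs the NEED digit (7 = rwx). Prints the first blocking path, returns 1.
first_block() {
    case $2 in /*) ;; *) echo "absolute path required" >&2; return 2 ;; esac
    [ "$2" = "${4:-/}" ] || [ "$2" = / ] && return 0
    first_block "$1" "$(dirname "$2")" 1 "${4:-/}" || return
    bits=$(class_bits "$1" "$2") || return 2
    [ $(( bits & $3 )) -eq "$3" ] && return 0
    echo "$2"
    return 1
}

# Constructed tree mirroring the thread's /home/agent2/public_html/site_files.
demo() {
    top=$(mktemp -d) || return 2
    grp=$(stat -c %G "$top")
    target="$top/agent2/public_html/site_files"
    mkdir -p "$target"
    chmod 711 "$top/agent2"
    chmod 700 "$top/agent2/public_html"   # no group access, as in the thread
    chmod 770 "$target"                   # group rwx was already granted here
    echo "before: blocked at $(first_block "$grp" "$target" 7 "$top")"
    chmod g+x "$top/agent2/public_html"   # search only: no listing, no write
    first_block "$grp" "$target" 7 "$top" && echo "after: reachable"
    rm -rf "$top"
}
if [ "${1:-}" = demo ]; then demo; fi
```

On the thread's layout the call would be `first_block <group> /home/agent2/public_html/site_files 7 /home`. Group search permission (g+x) on public_html is enough to reach site_files by name; it does not give the group read or write access to the rest of the site.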

  10. #10
    Member
    Join Date
    Mar 2010
    Posts
    39

    hahaha cool, spiral is the man
