Results 1 to 15 of 18
  1. #1
    Member
    Join Date
    Apr 2006
    Posts
    10

    Default Reseller Owner Permissions

    I just moved from a shared WHM/CPanel environment (as a reseller) to a dedicated server running WHM. I moved my reseller account over along with the accounts it owned and everything seems to look good... except:

    My clients all have the same industry specific needs on their sites... I have built scripts that I placed on my main reseller account that they could run to make changes to the files in their individual sites.

    Since moving over I am getting permission errors when I run these scripts... So without chmoding my clients' directories to 777 (bad idea) how do I give my reseller account owner status over its clients' accounts? This just worked automatically on my old hosting.

  2. #2
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,117
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    From your description, my guess is that your old server was running phpsuexec/suexec and your new server isn't. Just recompile Apache with suexec/phpsuexec and you'll be right.

    Phpsuexec is such a big boost to system security that if your current host doesn't know enough to run it, or isn't prepared to switch to running it, you should look elsewhere for your hosting needs. They'll be spending all their time cleaning up their system after a while anyways!

  3. #3
    Member
    Join Date
    Apr 2006
    Posts
    10

    Default

    Thanks for the reply! I went into the "Apache Update" page in WHM... Suexec was already enabled and compiled, while PHPSuexec Support was not. So I enabled PHPSuexec Support and recompiled. This actually made things worse... Now none of my accounts can even read from each other at all, much less write. Is there some sort of option I need to have enabled when I turn on phpsuexec?

    From what I am reading the purpose of phpsuexec is to stop all possible cross-account execution of php files... I need the exact opposite to take place. I need my subaccounts to have read/execute privileges on the reseller accounts... And I need my reseller account to have full read/write privileges to its sub accounts.
    Last edited by sarahsboy18; 04-15-2006 at 05:40 AM.

  4. #4
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,117
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    From what I am reading the purpose of phpsuexec is to stop all possible cross-account execution of php files... I need the exact opposite to take place. I need my subaccounts to have read/execute privileges on the reseller accounts...
    Ah ... then phpsuexec will definitely make things worse!!

    That's an unusual requirement; why do you want to do that? Reason I ask is that there are probably other ways of satisfying the requirement. It can certainly be accomplished at unix group permission level, but you'll need direct access to the server for that.

  5. #5
    Member
    Join Date
    Apr 2006
    Posts
    10

    Default

    Quote Originally Posted by brianoz
    Ah ... then phpsuexec will definitely make things worse!!

    That's an unusual requirement; why do you want to do that? Reason I ask is that there are probably other ways of satisfying the requirement. It can certainly be accomplished at unix group permission level, but you'll need direct access to the server for that.
    I have direct root access... It's my dedicated server

    I just need to know how to do it... And what is weird to me is that my old shared host was already set up to do that by default...

    The reason I need it to work is because I don't offer typical hosting to my clients. I actually offer an industry-specific web software my clients can use to manage their websites. Obviously I can just install the software on each account as I sign up a client... But instead I split the core libraries of the software from the executed php files... the real advantage being that I have instant version control. If I find a bug in the system I can just change it on my reseller account and it is instantly fixed for all my clients. But because I store the individual client data on their individual account... the libraries in my reseller account have to be able to write to the client accounts.

    Without phpsuexec or open_basedir protection on I am able to have my client accounts read and execute my reseller libraries without a problem... The permission errors come when the reseller libraries try to save data to the individual client site.
    Last edited by sarahsboy18; 04-15-2006 at 11:13 AM.

  6. #6
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,117
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Hmm ok .. try turning both phpsuexec and suexec off. Then you want to look at file ownerships/permissions for the shared files - make sure they're readable to Apache.

    You might be able to get past this by putting the files in /usr/local/lib/php and including them, not sure, perhaps not. The ownership of PHP files in /usr/local/lib/php isn't tested in the same way as files under /home.

  7. #7
    Member
    Join Date
    Apr 2006
    Posts
    10

    Default

    As much as I'd like to move those files outside the /home folder there are a lot of JS/CSS files that have to be pulled by the browser directly... So that really wouldn't work.

    The way I got around this was to just chmod the files to 755 and set them to [owner]:nobody. So far that seems to be allowing my remote code to operate.

    I'm still not 100% happy with this solution though as it requires me to manually chmod the folders every time I create an account... I'd really like to know how my old hosting company was automatically giving the reseller's account full permissions into its clients' accounts.

  8. #8
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,117
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    You can arrange for JS/CSS files to come in via an Alias, if you put it in the main section ("Section 2") in the httpd.conf, rather than the per-site container.

    To check this out, try out the URL http://www.somedomainonyourcpanelser...ons/world1.gif and notice it comes up with an icon. That icon actually came from /usr/local/apache/icons and that was all configured with the global line:

    Code:
    Alias /icons/ "/usr/local/apache/icons/"
    (there's actually a permission block right after it, which you should also include if you do this in real life).

    You may not actually want to know how your previous company was providing access into the client accounts. It could be as simple as an ACL (although I doubt it!) and it could be as simple as mode 777 on every directory/file. You definitely don't want to do that!

  9. #9
    Member
    Join Date
    Apr 2006
    Posts
    10

    Default

    Now, by moving those files out of the /home directory... does that automatically give them root privileges?

    ACL actually sounds like a pretty good possibility as I am sure they didn't have everything set to 777... Is there an ACL component out there that I install? Or is this something already available in the server that I have to configure?

  10. #10
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,117
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Can't see that an ACL is necessary, provided the directory has execute (mode 711 or mode 751, ie rwxr-x--x) and the files have read permission (755, rwxr-xr-x) all your accounts should be able to read them. Now that I think about it a little more, that's probably what your old host was doing.

    Files themselves don't have "root privileges" - not sure what you mean by that. Do you mean, do .php files run as root? Probably not, you'll need to look into that. I wouldn't recommend running as root, but you may be able to get them to run as non-root.
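The check described in the post above (execute permission on each directory, read permission on the files, and nothing left at 777) can be scripted. This is an added example, not part of the thread; the function names and the fixture paths are hypothetical, the sample tree is constructed in a temp directory, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (stat -c '%a').

# Print the "other" permission digit (last octal digit of the mode).
other_bits() {
    mode=$(stat -c '%a' "$1") || return 1
    rest=${mode%?}
    printf '%s\n' "${mode#$rest}"
}

# Walk from FILE up to (not including) STOP. Report a missing o+r on the file,
# a missing o+x on any directory, and any world-writable entry on the way.
# Returns 0 when clean, 1 on findings, 2 if a path cannot be examined.
check_path() {
    path=$1 stop=$2 rc=0
    o=$(other_bits "$path") || return 2
    [ $((o & 4)) -ne 0 ] || { echo "no o+r: $path"; rc=1; }
    [ $((o & 2)) -eq 0 ] || { echo "world-writable: $path"; rc=1; }
    dir=$(dirname "$path")
    while [ "$dir" != "$stop" ] && [ "$dir" != "/" ]; do
        o=$(other_bits "$dir") || return 2
        [ $((o & 1)) -ne 0 ] || { echo "no o+x: $dir"; rc=1; }
        [ $((o & 2)) -eq 0 ] || { echo "world-writable: $dir"; rc=1; }
        dir=$(dirname "$dir")
    done
    return "$rc"
}

# Constructed fixture: a reseller library tree using the modes from the post
# above, and a client data directory opened up with 777.
make_fixture() {
    root=$(mktemp -d) || return 2
    mkdir -p "$root/reseller/lib" "$root/client/data"
    echo '<?php /* shared library */' > "$root/reseller/lib/core.php"
    echo 'sample' > "$root/client/data/site.dat"
    chmod 711 "$root/reseller"
    chmod 751 "$root/reseller/lib"
    chmod 755 "$root/reseller/lib/core.php"
    chmod 755 "$root/client"
    chmod 777 "$root/client/data"
    chmod 644 "$root/client/data/site.dat"
    echo "$root"
}

fixture=$(make_fixture)
check_path "$fixture/reseller/lib/core.php" "$fixture" && echo "library: ok"
check_path "$fixture/client/data/site.dat" "$fixture" || echo "client data: see findings"
rm -rf "$fixture"
```

The script only inspects mode bits, so it says nothing about suexec/phpsuexec ownership checks or `open_basedir`, which the thread shows can still block access.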

  11. #11
    Member
    Join Date
    Apr 2006
    Posts
    10

    Default

    OK... I hate to revive my old thread but I have been able to piece some things together about how my old host was doing things...

    They are definitely using phpsuexec/suexec... I have confirmed this. Yet they must be using some type of ACL of some kind that gives reseller accounts read/write/execute access to their sub account's home directory. And in reverse the sub accounts have read/execute only access back to the files in the reseller's home directory.

    So basically everything is jailed into the reseller account and its sub accounts but there is access between.

    Does anyone know what this addon/hack might be?

  12. #12
    BANNED
    Join Date
    Jul 2005
    Posts
    537

    Default

    Quote Originally Posted by sarahsboy18
    OK... I hate to revive my old thread but I have been able to piece some things together about how my old host was doing things...

    They are definitely using phpsuexec/suexec... I have confirmed this. Yet they must be using some type of ACL of some kind that gives reseller accounts read/write/execute access to their sub account's home directory.
    Nope, they probably have their servers set up properly and you don't.
    And in reverse the sub accounts have read/execute only access back to the files in the reseller's home directory.
    What are you talking about? Sounds like you're not ready to host your own clients since you have no idea how to set up your own box.

    So basically everything is jailed into the reseller account and its sub accounts but there is access between.

    Does anyone know what this addon/hack might be?
    My suggestion is that you seek the expert advice of a dependable consulting company. I recommend http://efastconsulting.com or http://rack911.com.
    Last edited by jackie46; 06-01-2006 at 02:50 AM.

  13. #13
    Member
    Join Date
    Apr 2006
    Posts
    10

    Default

    Quote Originally Posted by jackie46
    Nope, they probably have their servers set up properly and you don't.

    What are you talking about? Sounds like you're not ready to host your own clients since you have no idea how to set up your own box.

    My suggestion is that you seek the expert advice of a dependable consulting company. I recommend http://efastconsulting.com or http://rack911.com.
    Thank you for all your help...

    Anybody out there who wants to give information/guidance instead of just flaming the newbie?
    Last edited by sarahsboy18; 06-01-2006 at 11:17 AM.

  14. #14
    Member brianoz's Avatar
    Join Date
    Mar 2004
    Location
    Melbourne, Australia
    Posts
    1,117
    cPanel/Enkompass Access Level

    Root Administrator

    Default

    Sarahsboy - sounds like they were hosting the new accounts as addon domains; that would describe what you were seeing perfectly. With addon domains the userid is the same so the reseller would have access to the files under them, and vice versa (although your ftp wouldn't let you see them). The control panel would have been shared, so I'd guess you didn't have access to it.

  15. #15
    Member
    Join Date
    Apr 2006
    Posts
    10

    Default

    Quote Originally Posted by jackie46
    Nope, they probably have their servers set up properly and you don't.
    Aha! ... Actually Jackie46 was closer to being right...

    I finally just set up a new reseller account and created a client account in the reseller WHM panel instead of from the root WHM panel. I dropped a phpinfo file in the reseller's home directory and ran a php include to grab it from the client side and BINGO!

    The reseller/client relationship does function the way I wanted it to by default. (I'M NOT CRAZY!!!)

    The reseller account and client accounts I had been testing with had been transferred from my old server... and although I gave my reseller correct controls in WHM it didn't update the client permissions to reflect at the user/group level.

    Thanks for your help Brian... I know you have put a lot of thought into this and I appreciate it.
    Last edited by sarahsboy18; 06-03-2006 at 03:51 PM.
