suPHP and Symbolic links on a reseller account

[wcs4web]

I am looking to change my server so that it uses suPHP instead of DSO. One reason is for security but I am also noticing a number of software packages requiring the security model implemented by suPHP.

Anyway, my issue is this...I have a reseller who has created a shared code base for an application they offer to their customers. Their customers access this shared code base via symbolic links setup on their own web hosting account they get from the reseller.

Before implementing suPHP, we did a test focusing on this particular setup and utilizing suggestions we recieved from this forum. We turned on suPHP, ran a couple of requests to the client websites (sites with symbolic links) in order to get data in the log file, and then switched back to DSO.

The message we were receiving was "[warn] Directory /home/[owner_username]/shared_code is not owned by [client_username]". "client_username" is the account with the symbolic links to the "owner_username" shared code library.

I have read somewhere that shared code libraries like this should be owned by root. Not sure if this is true, but the problem is that the reseller will no longer be able to maintain their codebase on the server if it is owned by root.

We have been searching all over for an answer, but nothing...Hopefully we can get some answers here.

Thanks
George

[LiNUxG0d]

Hey George,

In my travels with cPanel and WHM, suPHP wants the following:

- User/User Ownerships;
- Permissions 755 as a max permission. (anything lower is also acceptable, like, say, 644)

I've done a lot of suPHP conversions that were very successful just keeping that in mind.

suPHP basically says, "The user being used to access this site has to own the files being accessed."

If the Apache config says to use user "username" and the symlink and hard directories and files are owned by "username" then it should be ok. Basically, Apache switches user from "nobody" to the "web site owner" when accessing files.

If you compromise the ownership of the folder being symlinked, you'll run in to issues.

Regards,

[wcs4web]

Thanks for the reply....

The problem is that the folder and the files that are being linked to are owned by the reseller and not the client. The symlink is owned by the client but not the files the link references to. I am receiving an Internal Server Error 500 on the client website the suPHP log tells me that "Directory /home/[reseller]/test is not owned by [client]".

George

[LiNUxG0d]

Is it ONE set of files that EVERYONE uses or does EVERYONE have a subset of those files?

Example:

-=-=-
/home/reseller/folder/file.php
-=-=-

Or is it:

-=-=-
/home/reseller/folder/client1/file.php
/home/reseller/folder/client2/file.php
-=-=-

Maybe the second would work best. You could chown the "client1" and "client2" folders to reflect the linking client... maybe that would work for you. This is a suggestion. It's kinda hard to do what you want since you're doing directory transversal (kinda) as well as having ownership problems.

Let me know,

[wcs4web]

Here is how we are setup:

On the Reseller Side:

-=-=-
/home/reseller/folder/file1.php
/home/reseller/folder/file2.php
/home/reseller/folder/file3.php
-=-=-

On the client side, we create a symlink to the folder (/home/client/public_html/folder => /home/reseller/folder)

The client website can then render the files as:
-=-=-
http://www.clientsite.com/folder/file1.php
http://www.clientsite.com/folder/file2.php
http://www.clientsite.com/folder/file3.php
-=-=-

Thanks
George

[cPanelTristan]

This setup will not work under suPHP when FileProtect is enabled. I have a discussion about disabling FileProtect at the following location:

http://forums.cpanel.net/f34/execute...tml#post820091

I do not recommend doing this on the system. the reseller should find an alternative way to provide access to these files such as FTP user-based access for the files.

[wcs4web]

So what you are saying is that an account cannot create a symbolic link to a folder outside of their home directory. From what I have researched, it appears that you can but it also appears that their are issues. No one seems to be coming out with "no you cannot" or "yes you can but this is how it should be done"...

Any feed back on that?

Thanks
George

[cPanelTristan]

I am not stating you cannot create a symlink to another directory on another account. I am stating that what you are trying to do will not work. You can create all the symlinks you would like from the reseller account to these other accounts, but those symlinks will not function to provide content to users that do not own the original files under suPHP unless FileProtect is disabled.

If this is still unclear, please let me know.

[wcs4web]

Thanks Tristan,

I have a couple of questions:
- Will I have to run this everytime I upgrade apache?
- I would like to run a test, would there be any impact if I run the fileprotect script and then switch back to DSO mode?

Thanks
George

[cPanelTristan]

Hello George,

If you run FileProtect and then switch back to DSO, DSO works similar to having FileProtect disabled since PHP processes run as the user nobody. There shouldn't be an impact, but you can re-enable FileProtect using /scripts/enablefileprotect and then running the commands I noted to backup Apache configuration and so on afterward:

Code:

cp /usr/usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.bak110531
/usr/local/cpanel/bin/apache_conf_distiller --update
/scripts/rebuildhttpdconf
/etc/init.d/httpd restart

As for upgrading Apache, if you run EasyApache, the option is in the Exhaustive Options list and can be de-selected there as well:

Fileprotect (Prevent Users from reading other webroots)

Any settings on an EasyApache compile will carry over to the next recompile provided you select to use the last saved settings.

Thanks.

[olemire]

Hi, I just found this thread. I am having the exact same issue. How can I have multiple (selected) customer using the same global files without comprimising security and without them uploading files as 'nobody'. but as their own respective user. Is there a way to rely on the user's group instead of the username ?

[cPanelTristan]

After this original discussion, I did find a way to reference images or scripts on all accounts without those accounts owning the file or script. The user cannot upload images or scripts to the location being referenced, though:

http://forums.cpanel.net/f5/read-php...ml#post1010212

Basically, place the script or images into /usr/local/cpanel/htdocs and call them using the full path to the script or image. This does work under suPHP.