
Access files outside a user's folder using a symlink

Discussion in 'Security' started by monkey64, Jul 19, 2013.

  1. monkey64

    monkey64 Well-Known Member

    The VPS I rent only hosts a small number of my own company sites and I have total control over it.

    Two of the sites sell the same products (one is Trade, the other Retail).
    I need to access the same set of images for both sites. This would mean reading files outside the user's folder. Both accounts are on the same partition of the server (home) and I have root access and SSH access for everything.

    I created a Symlink from one user folder to a folder on the other user folder after first changing these WHM settings:

    Apache Configuration » Global Configuration » Directory “/” Options » SymLinksIfOwnerMatch [UNTICKED]
    Security Center » PHP open_basedir Tweak » [DISABLED]

    However I was not able to return the contents of the test file using the PHP file_get_contents function.
    I tried the following:

    Code:
    echo file_get_contents("test/logo.gif");  
    
    Code:
    echo file_get_contents("/home/site1/public_html/test/logo.gif");  
    
    Symlinks within the user folder work correctly but I cannot access content outside a user's folder.
    Is this actually possible? Does anyone have any ideas?
     
    #1 monkey64, Jul 19, 2013
    Last edited: Jul 19, 2013
  2. ThinIce

    ThinIce Well-Known Member

    As you point out the product is now geared in many ways to prevent this from occurring. Things in your apache build within easyapache will likely be most relevant, i.e. what method are you wishing to use to serve php?
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Using a path to files from another account is not recommended. Ideally, you should simply upload the same set of files to both accounts. Or, since you own both of the websites, you could make one of the accounts an Add-On domain name to the other instead of keeping them as two separate accounts.

    Thank you.
     
  4. monkey64

    Hi CPanelMichael

    Thanks for your post but I can't upload two sets of files. The files are thumbnails which are automatically created and saved to the local filesystem. As such I don't have access to the second site.

    Would it be possible to execute a bash script using the PHP exec function?
    If so, I could create a bash script to copy the files from site A to site B
    Or would I find similar security issues to prevent this?

    Thanks
     
    #4 monkey64, Jul 19, 2013
    Last edited: Jul 19, 2013
  5. cPanelMichael

    You may still want to consider having one domain name as an Add-on domain name if you need to share file ownership. Otherwise, you could develop a custom script that copies the files and updates the ownership values. It does not necessarily have to be a PHP script. You could develop something that runs on a cron job and looks for new files and copies them to the new account.

    Thank you.
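
The copy-and-chown cron script suggested above, as an added example (not code from any poster in this thread). It assumes it runs from root's crontab, and the paths and account name in its usage line are hypothetical. It skips symlinks so that a compromised source site cannot make root copy files from elsewhere on the server into the other account's web root.

```bash
#!/bin/bash
# Added example, not from the thread. Intended for root's crontab; the
# paths and the account name in the usage line are hypothetical.
# usage: sync_thumbs.sh /home/site1/public_html/thumbs /home/site2/public_html/thumbs site2

# sync_thumbs SRC DST [OWNER]
# Copies regular files directly inside SRC into DST when missing or older
# there, then hands them to OWNER. Symlinks are never followed: root is
# reading a directory that a compromised site could write to.
# Sets COPIED and SKIPPED; returns 2 on a bad directory, 1 on a copy error.
sync_thumbs() {
    local src="$1" dst="$2" owner="${3:-}" f name
    COPIED=0
    SKIPPED=0
    # Refuse directories that are themselves symlinks.
    [ -d "$src" ] && [ ! -L "$src" ] || return 2
    [ -d "$dst" ] && [ ! -L "$dst" ] || return 2
    for f in "$src"/*; do
        # An empty directory leaves the glob unexpanded; nothing to do.
        [ -e "$f" ] || [ -L "$f" ] || continue
        name=${f##*/}
        # Test -L first: [ -f ] alone would follow the link.
        if [ -L "$f" ] || [ ! -f "$f" ] || [ -L "$dst/$name" ]; then
            SKIPPED=$((SKIPPED + 1))
            continue
        fi
        if [ ! -e "$dst/$name" ] || [ "$f" -nt "$dst/$name" ]; then
            # -P: if the file is swapped for a symlink after the check,
            # copy the link itself rather than the content it points to.
            cp -P -p -- "$f" "$dst/$name" || return 1
            if [ -n "$owner" ]; then
                # -h: change the entry itself, never a link target.
                chown -h -- "$owner" "$dst/$name" || return 1
            fi
            COPIED=$((COPIED + 1))
        fi
    done
    return 0
}

# Run only when called with arguments (e.g. from cron).
if [ "$#" -ge 2 ]; then
    sync_thumbs "$@"
fi
```

With a script like this in place, SymLinksIfOwnerMatch and the open_basedir tweak can stay enabled, because neither site reads outside its own account.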
     
  6. monkey64

    Eventually settled on a simple CRON script which runs each hour.
    Thanks cPanelMichael for the idea. :)
     
  7. quizknows

    quizknows Well-Known Member

    You're leaving yourself wide-open to attacks with a setup like that. Pray none of your sites ever get hacked.

    Edit: sounds like your cron copies the files. This would certainly be better than cross-account symlinks. I hope you re-enabled open_basedir protection and SymLinksIfOwnerMatch. These are pretty critical security measures to have on a server with more than one site on it.
     
    #7 quizknows, Jul 19, 2013
    Last edited: Jul 19, 2013
  8. monkey64

    A Crontab to copy one user's files to another user's folder was not a viable solution as expected; I ran into permission issues.
    It is possible to create a new folder owned by root in /home. Other users can therefore access the data.

    @quizknows:
    Security is not so much of an issue because I offer no 3rd party access to the server and the 6 sites served are all owned by myself. I use CSF to lock down the server and allow only my IP addresses to connect in via SSH and FTP. Granted, it doesn't prevent a hacker gaining access, but it would slow them down enough to get bored and try an easier target! In the case of a breach, the attacker would only access a folder of thumbnails, unless of course it is possible to do something such as Symlink injection?
     
  9. quizknows

    Most hacks aren't done with SSH/FTP access; most of them are done using websites themselves. Allowing things like cross-account symlinks, or disabling open_basedir protection, means that if a hacker gets into one web application (all it takes is an old plugin, or forgotten CMS install, and they're in) they're far more likely to be able to compromise the other sites too.

    Also, having no open_basedir restriction can make it easier to hack the initial site as well.

    What PHP handler are you using? This could make it easier for people to help you find a viable solution for your problem. SuPHP is strict about file ownership, but DSO for example should be able to read anything that's world readable in most cases (assuming no open_basedir protection). If you used DSO, you could probably make a world readable folder in /home/ and add that specific folder to the open_basedir configuration. I'm more of a security admin than webapp dev, but it "should" work.
     
    #9 quizknows, Jul 22, 2013
    Last edited: Jul 22, 2013