Access files outside a user's folder using a symlink

monkey64

Well-Known Member
Nov 6, 2011
124
5
68
cPanel Access Level
Root Administrator
The VPS I rent only hosts a small number of my own company sites and I have total control over it.

Two of the sites sell the same products (one is Trade, the other Retail).
I need to access the same set of images for both sites. This would mean reading files outside the user's folder. Both accounts are on the same partition of the server (home) and I have root access and SSH access for everything.

I created a Symlink from one user folder to a folder on the other user folder after first changing these WHM settings:

Apache Configuration » Global Configuration » Directory “/” Options » SymLinksIfOwnerMatch [UNTICKED]
Security Center » PHP open_basedir Tweak » [DISABLED]

However I was not able to return the contents of the test file using the PHP file_get_contents function.
I tried the following:

Code:
echo file_get_contents("test/logo.gif");
Code:
echo file_get_contents("/home/site1/public_html/test/logo.gif");
Symlinks within the user folder work correctly but I cannot access content outside a user's folder.
Is this actually possible? Does anyone have any ideas?
 

ThinIce

Well-Known Member
Apr 27, 2006
352
9
168
Disillusioned in England
cPanel Access Level
Root Administrator
As you point out the product is now geared in many ways to prevent this from occurring. Things in your apache build within easyapache will likely be most relevant, i.e. what method are you wishing to use to serve php?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,268
463
Hello :)

Using a path to files from another account is not recommended. Ideally, you should simply upload the same set of files to both accounts. Or, since you own both of the websites, you could make one of the accounts an Add-On domain name to the other instead of keeping them as two separate accounts.

Thank you.
 

monkey64

Hi CPanelMichael

Thanks for your post but I can't upload two sets of files. The files are thumbnails which are automatically created and saved to the local filesystem. As such I don't have access to the second site.

Would it be possible to execute a bash script using the PHP exec function?
If so, I could create a bash script to copy the files from site A to site B
Or would I find similar security issues to prevent this?

Thanks
 

cPanelMichael

You may still want to consider having one domain name as an Add-on domain name if you need to share file ownership. Otherwise, you could develop a custom script that copies the files and updates the ownership values. It does not necessarily have to be a PHP script. You could develop something that runs on a cron job and looks for new files and copies them to the new account.

Thank you.
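One way to write the cron-driven copy suggested in the reply above, as an added example that is not part of the original thread. It assumes the job runs from root's crontab; the function name `sync_thumbs`, the `thumbs` paths and the accounts `site1` and `site2` are hypothetical.

```shell
#!/bin/bash
# Added example, not from the thread. Meant for root's crontab.
# Assumption: the destination account is trusted not to race the copy,
# because root is writing into a directory that account owns.

# sync_thumbs SRC_DIR DST_DIR DST_USER -> prints the number of files copied
sync_thumbs() {
    local src="$1" dst="$2" owner="$3" copied=0 f name tmp
    # Both ends must be real directories, not symlinks to somewhere else.
    if [ ! -d "$src" ] || [ -L "$src" ] || [ ! -d "$dst" ] || [ -L "$dst" ]; then
        echo "sync_thumbs: source and destination must be real directories" >&2
        return 1
    fi
    for f in "$src"/*; do
        name=${f##*/}
        # Copy regular files only; a symlink in the source is never followed.
        if [ -L "$f" ] || [ ! -f "$f" ]; then continue; fi
        # Leave alone anything at the destination that is not a plain file.
        if [ -L "$dst/$name" ]; then continue; fi
        if [ -e "$dst/$name" ] && [ ! -f "$dst/$name" ]; then continue; fi
        # Skip files that are already there and at least as new as the source.
        if [ -f "$dst/$name" ] && [ ! "$f" -nt "$dst/$name" ]; then continue; fi
        tmp=$(mktemp "$dst/.sync.XXXXXX") || return 1
        # chown fails for an unknown DST_USER, which aborts the run.
        if cp -p -- "$f" "$tmp" && chown "$owner" "$tmp" && chmod 644 "$tmp"; then
            mv -f -- "$tmp" "$dst/$name"   # rename into place
            copied=$((copied + 1))
        else
            rm -f -- "$tmp"
            return 1
        fi
    done
    echo "$copied"
}

# Hypothetical call from a root cron script:
#   sync_thumbs /home/site1/public_html/thumbs /home/site2/public_html/thumbs site2
```

Because the copy lands in the destination account under that account's ownership, SymLinksIfOwnerMatch and open_basedir can stay enabled.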
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
You're leaving yourself wide-open to attacks with a setup like that. Pray none of your sites ever get hacked.

Edit: sounds like your cron copies the files. This would certainly be better than cross-account symlinks. I hope you re-enabled open_basedir protection and SymLinksIfOwnerMatch. These are pretty critical security measures to have on a server with more than one site on it.
 

monkey64

A Crontab to copy one user's files to another user's folder was not a viable solution as expected, I ran into permission issues.
It is possible to create a new folder owned by root in /home. Other users can therefore access the data.

@quizknows:
Security is not so much of an issue because I offer no 3rd party access to the server and the 6 sites served are all owned by myself. I use CSF to lock down the server and allow only my IP addresses to connect in via SSH and FTP. Granted, it doesn't prevent a hacker gaining access, but it would slow them down enough to get bored and try an easier target! In the case of a breach, the attacker would only access a folder of thumbnails, unless of course it is possible to do something such as Symlink injection?
 

quizknows

Most hacks aren't done with SSH/FTP access; most of them are done using websites themselves. Allowing things like cross-account symlinks, or disabling open_basedir protection, means that if a hacker gets into one web application (all it takes is an old plugin, or forgotten CMS install, and they're in) they're far more likely to be able to compromise the other sites too.

Also, having no open_basedir restriction can make it easier to hack the initial site as well.

What PHP handler are you using? This could make it easier for people to help you find a viable solution for your problem. SuPHP is strict about file ownership, but DSO for example should be able to read anything that's world readable in most cases (assuming no open_basedir protection). If you used DSO, you could probably make a world readable folder in /home/ and add that specific folder to the open_basedir configuration. I'm more of a security admin than webapp dev, but it "should" work.
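An audit for the cross-account links discussed in this thread, as an added example that is not part of the original posts. It lists symlinks under an account's home that resolve outside that home (an approximation of what open_basedir would block) or whose target has a different owner than the link (the condition SymLinksIfOwnerMatch tests). The function name `audit_symlinks` is hypothetical, and GNU `find`, `readlink -f` and `stat -c` are assumed.

```shell
#!/bin/bash
# Added example, not from the thread: report symlinks that cross account
# boundaries. Assumes GNU find, readlink -f and stat -c (a Linux host).

# audit_symlinks ACCOUNT_HOME -> one line per suspicious link on stdout
audit_symlinks() {
    local home link target link_uid target_uid
    home=$(cd "$1" && pwd -P) || return 1
    find "$home" -type l -print | while IFS= read -r link; do
        target=$(readlink -f -- "$link" 2>/dev/null) || target=""
        if [ -z "$target" ] || [ ! -e "$target" ]; then
            echo "DANGLING $link"
            continue
        fi
        # Does the fully resolved path leave the account's home directory?
        case "$target" in
            "$home"|"$home"/*) ;;
            *) echo "OUTSIDE $link -> $target" ;;
        esac
        # Are the link itself and its target owned by the same uid?
        link_uid=$(stat -c %u -- "$link")
        target_uid=$(stat -c %u -- "$target")
        if [ "$link_uid" != "$target_uid" ]; then
            echo "OWNER $link (uid $link_uid) -> $target (uid $target_uid)"
        fi
    done
}

# Hypothetical use, one account at a time:
#   audit_symlinks /home/site2
```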
 