The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Apache, PHP, permissions with SuPHP

Discussion in 'Security' started by alexrussell, Oct 16, 2014.

  1. alexrussell

    alexrussell Registered

    Joined:
    Feb 7, 2007
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    I'm running Apache suexec and SuPHP. As far as I can tell from other posts on the forum here the correct permissions should be:

    • all dirs within public_html: user:user755
    • all files in public_html: user:user644
    • public_html itself: user:nobody@750

    That should provide protection from 'others' going into your public_html directory, but allow Apache to do so if it needs to. At least, that's how I understand it.

    Now here's my problem (actually I have a couple of issues/questions).

    The way I write code is to have a public directory in my main source, but a bunch of other folders too (the application's code). Many PHP projects work this way. So first off what's the best way to make this work with cPanel without having all the project's root directories in ~? The way I've kinda decided to do is to add the project into a subdirectory of ~ called src and then recreate ~/public_html as a symlink to ~/src/public. This achieves a couple of good things:

    • No need to change the docroot in Apache/vhost configuration. It uses public_html as normal.
    • My code is all in one place (~/src) which is good as, more often than not, it's a Git repository, so it makes for easy updates.
    • My code is no in the main ~ directory mixed up with the default cPanel directories.

    So first off, is that sensible, asking for trouble, downright wrong, or better done another way?

    The second issue also has a couple of parts to it: basically how do I do the permissions now?

    Because ~/public_html is now a symlink to ~/src, do I need to put the user:nobody@750 on ~/src/public or on ~/public_html (now a symlink) still? (Sub-question, can you even apply permissions to a symlink?)

    And the biggie: in order to semi-test some of this out, I've tried creating a normal directory in ~ called test after SSHing in. That directory, by default gets user:user@775. I can chmod to 755 or 750 fine, but if I try to chown user:nobody it fails saying Operation not permitted, same goes for chgrp nobody.

    In setting all of the above up, I'm trying to do it SSHing in as the user rather than as root, so is there even a way to chgrp a directory to nobody when logged in as the user in question? I'd have though you'd be fine to do that as you (currently) fully own the directory, but hey, I guess that's UNIX permissions for you.

    [HR][/HR]

    So in summary:

    • Is my approach to keeping my code separate okay?
    • What's the best way to set it up so that the src/public directory is accessible via public_html so I don't have to go and edit the docroot in my config files?
     
Loading...

Share This Page