Apache / PHP user security question

Discussion in 'EasyApache' started by whl02, Mar 26, 2010.

  1. whl02

    whl02 Registered

    Joined:
    Mar 26, 2010
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    Hi, first, thanks for any help you might offer on this issue...

    We run Cpanel/WHM 11.25 on a server with PHP 5, suEXEC on, and CGI as the PHP handler.

    Our sites are all agent sites for a group of insurance companies that are independent agents but under one broker. So, as part of the broker's package to the agents, they get their own semi-customizable site.

    What I'm trying to build is a way that each user can login to a central location on the server and customize THEIR OWN files/site... Long story short, it would be much easier maintenance on us and we've been using XML files rather than a central database.

    So, here's the setup:

    brokerdomain.com
    agent1.com
    agent2.com

    Obviously under Cpanel these are all separate users (and we want to keep them that way), so I've got it so a user logs into brokerdomain.com and the database says ok, you're agent 2 associated with agent2.com, /home/agent2/public_html/site_files is where your stuff is stored.

    Apache/PHP is set up to prevent users from accessing other users' domains, but I have full access to the server... I just don't know how to make an exception for this one user to be able to access the "site_files" directory from any user home on the server. How do I make it so the PHP application running on brokerdomain.com can access /site_files/ under agent2.com (another user)?

    I'm a decent programmer but not an Apache expert, so please be gentle on me! Any suggestions/assistance would be awesome! :)

    Thanks so much.
     
    #1 whl02, Mar 26, 2010
    Last edited: Mar 26, 2010
  2. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Assuming this is really how you are set up, this is ill advised ...

    I would strongly recommend changing to either SuPHP or FCGI

    There are several different ways to go about doing this, even taking into consideration ownerships being a suexec/setuid environment, but I would have to know a little more about your specific layout, particularly what logins your users use and are they addon users or the main account users, etc., as this can have an impact on which way to go with that.

    In the simplest form, could just give them their own FTP logins

    Your main item is that you don't want files added or edited by one user to be set up as that user because that will cause problems when executing or accessing those files as owner.
     
  3. whl02

    Thanks for your reply.

    Not sure we're on the same page. Everyone has their own FTP accounts as well as access to their own cpanel. What I'm after is a way to use a centralized PHP application that can still save files to an authorized user's home directory.

    As for the rest of your reply, users login with a password that is verified by the php application. It is completely separate from cpanel, ftp, etc. It's just a login that links them with their account with the broker.
     
  4. Spiral

    Are you needing to just simply read files across accounts or edit those files?

    I know you are executing as owner and that is a primary concern ...

    Do you have open_basedir limits in place?

    Using a custom config for each user account?

    At this particular point looking at this fairly blind, I'm inclined to think setting up a linux "group" would be the best option and then setting your permissions to the file shared between this to be group accessible to the new group of which you make both users members.
     
  5. whl02

    Thanks again for your reply.

    I need to edit the files as well. It's basically a small xml file that has user-configurable options in it such as phone number, website settings enabled, etc.

    I can currently read them from the web, but the php application cannot open them... Yes, open_basedir protection is enabled.

    Each user account has the same PHP settings for their cpanel account.

    I did add a group and set the folder "site_files" to be in that group using the chgrp command. Then I added the two users to the group, chmod file permissions for group read/write, and tried to access the directory: no go. I also tried chown-ing the directory to the user running the php app just to see; that didn't work either... That was a good idea, though...

    I realize it's not an ideal setup or an ideal situation, but sometimes we have to play the cards we're dealt, you know? Thanks for being patient with me. Any other ideas?
     
  6. m4rc3

    m4rc3 Active Member

    Joined:
    Mar 26, 2010
    Messages:
    39
    Likes Received:
    2
    Trophy Points:
    8
    #6 m4rc3, Mar 27, 2010
    Last edited: Mar 27, 2010
  7. Spiral

    It's a bit more complicated than that ....

    Anyway back on the group, did you adjust the permissions on "public_html" itself to allow access for the new group?

    Ownerships should not need to be changed but you may need to change the permission settings there.
     
  8. m4rc3


    Based on that I assumed that he already took care of the permissions bit, so the only thing that I could think of was open_basedir.
     
  9. whl02

    Guys, thank you so very much for your help. Spiral's solution saved the day.

    Here's a summary for anybody else interested:

    1. Create a group
    2. Add all appropriate users to group
    3. Set group permissions for the entire public_html folder

    That was what I was doing wrong... didn't know I had to give group permission to public_html as well.

    Thanks, m4rc3 and Spiral for your awesome assistance!
     
  10. m4rc3

    hahaha cool, spiral is the man :D
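
The summary in post #9 works because reaching site_files needs search (x) permission on every parent directory, public_html included, not only rights on the target. The script below is an added example, not code from the thread: it walks a path and reports which components block a non-owner member of a group, so the group can be granted only the bits it is missing. The function names and the sample layout are assumptions; it reads mode bits with GNU stat and does not cover ACLs or open_basedir.

```shell
#!/bin/sh
# Added example (not from the thread). Mode bits only: ACLs, SELinux and
# PHP's open_basedir are separate checks. Requires GNU stat (Linux).

# perm_digit GROUP PATH: print the rwx digit (0-7) that applies to a member
# of GROUP who is not the file's owner: the group bits if GROUP owns PATH,
# otherwise the "other" bits.
perm_digit() {
    pd_mode=$(stat -c '%a' "$2") || return 1
    pd_group=$(stat -c '%G' "$2") || return 1
    pd_mode=$((pd_mode % 1000))          # drop the setuid/setgid/sticky digit
    if [ "$pd_group" = "$1" ]; then
        echo $(( (pd_mode / 10) % 10 ))
    else
        echo $(( pd_mode % 10 ))
    fi
}

# group_path_gaps GROUP ROOT REL: walk ROOT/REL one component at a time and
# print a line for each component that blocks the group member. Parent
# directories need x (1); the target needs rw (6), or rwx (7) if a directory.
group_path_gaps() {
    gp_group=$1 gp_cur=$2 gp_rest=$3
    while [ -n "$gp_rest" ]; do
        gp_part=${gp_rest%%/*}
        case $gp_rest in
            */*) gp_rest=${gp_rest#*/} ;;
            *)   gp_rest="" ;;
        esac
        gp_cur="$gp_cur/$gp_part"
        gp_have=$(perm_digit "$gp_group" "$gp_cur") || {
            echo "$gp_cur: missing"
            return 0
        }
        if [ -n "$gp_rest" ]; then gp_need=1
        elif [ -d "$gp_cur" ]; then gp_need=7
        else gp_need=6
        fi
        if [ $((gp_have & gp_need)) -ne "$gp_need" ]; then
            echo "$gp_cur: need $gp_need, have $gp_have"
        fi
    done
}

# Hypothetical usage (group name "brokeredit" is an assumption):
#   group_path_gaps brokeredit /home agent2/public_html/site_files/settings.xml
```

An empty result means the mode bits allow the edit. A line such as `need 1, have 0` on public_html shows that only group search permission is missing there, so group read/write on the whole of public_html is not required.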
     