SOLVED Composer Package Available to All Users with Jailshell Enabled?

linux4me2

Well-Known Member
Aug 21, 2015
259
78
78
USA
cPanel Access Level
Root Administrator
I've been using PHP Codesniffer with some additional rulesets installed via Composer on several accounts to test PHP code before I upgrade the PHP version. Currently, I've got PHP Codesniffer installed on each account where I use it in the users' /home folder and added the path to each users' .bashrc so I can run commands without including the entire path; however, as I use PHP Codesniffer on more and more accounts, I've decided it would be easier to install it in one place that would allow it to be used from any user's account, but require that it be installed in only one place.

Into which folder can I install PHP Codesniffer--or any Composer package--to make the associated command(s) executable from any users' account when they're logged in via SSH?

If this is a bad idea for some reason, I'd like to know that, too.

My server is using Apache, jailshell is enabled, and I'm not using Cloudlinux. Composer is already installed and running fine globally.
 
Last edited by a moderator:

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston
Hello,


This is a 3rd party extension that isn't provided by or developed by cPanel. To determine the best practice for the extension I'd suggest contacting them directly here: squizlabs/PHP_CodeSniffer
 

linux4me2

Well-Known Member
Aug 21, 2015
259
78
78
USA
cPanel Access Level
Root Administrator
Thanks, Lauren. I don't need help with PHP Codesniffer, really. I have it working locally in each users' account. I'm more interested in where to install Composer packages so they can be used globally in all user accounts on a CentOS/cPanel server using jailshell, and although the developers of PHP Codesniffer may be able to help with that, I expected they would tell me to come here and ask. :)
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston

linux4me2

Well-Known Member
Aug 21, 2015
259
78
78
USA
cPanel Access Level
Root Administrator
@cPanelLauren

I think I have it figured out, and I'll explain what I did in case you see something I shouldn't be doing, and for others who may be interested.

Using SSH, I logged in on a user account and ran the command:

echo $PATH

which showed me the current path:

/usr/local/cpanel/3rdparty/lib/path-bin:/usr/local/cpanel/3rdparty/lib/path-bin:/usr/lib64/qt-3.3/bin:/usr/local/cpanel/3rdparty/lib/path-bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/cpanel/composer/bin:/root/bin

That told me that /opt/cpanel/composer/bin was already in the path so all users can run Composer. As a test, I logged in as root, built a simple shell script in /opt/cpanel/composer/bin, made it executable with chmod, logged back in as a user, and found I could run the shell script from a user account. However, by default, Composer loads all the packages you install into a folder called "/vendor/bin," so I knew I needed that in the path in order to run PHP Codesniffer without the path, just using the command "phpcs..." (I think Composer might allow you to change the default install directory in a composer.json file, but the following method is just as easy.)

I looked in /etc/profile.d, and found out there is a file called cpanel-php-composer.sh. Looking into that file, I found that it has the line:

export PATH="$PATH:/opt/cpanel/composer/bin

so I knew that's where /opt/cpanel/composer/bin gets added to the path. I modified that line to add the /vendor/bin folder:

export PATH="$PATH:/opt/cpanel/composer/bin:/opt/cpanel/composer/vendor/bin"

then logged in as a user and found that /opt/cpanel/composer/vendor/bin was indeed added to the path. In the cpanel-php-composer.sh file, it says:

## NOTE: If you want to disable this file, comment out or ##
## delete the 'export' line below. If you simply delete the ##
## file itself, then it will come back the next time that you ##
## update cPanel & WHM. ##

Since I modified the export line, I'm thinking my changes will persist when cPanel and WHM update if commenting it out is preserved. I'll find out with the next update.

Next, as root, I installed PHP Codesniffer and the extra compatibility standards in /opt/cpanel/composer, where Composer dutifully created the /vendor/bin folders. Finally, I logged in as a user and was successfully able to run PHP Codesniffer using the command(s) without the path.

Unless you see something I did wrong or that causes a security problem, this works and is the way to install Composer packages to make them available to any user on an Apache server with jailshell enabled. Now I only have to maintain Composer packages in one place. ;)
 
  • Love
Reactions: cPanelLauren

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,271
313
Houston
Hey @linux4me2

I double checked with one of our L3 Analysts who just got back to me on this. As far as we are aware this modification shouldn't pose any security concerns, the one thing to note though is if CodeSniffer has vulnerabilities it could pose a concern, but you'd have that concern whether or not you allowed it for the accounts.
 
  • Like
Reactions: linux4me2