
cPanel addons - php script is being executed under logged user rights

Discussion in 'cPanel Developers' started by NightRider, Mar 27, 2010.

  1. NightRider

    NightRider Active Member

    Hello.

    I'm writing a plugin in PHP for cPanel. I'm faced with the problem of publicly available PHP sources in the x3 directory, as the script must have world-readable permissions.
    So, every user can read the source with, e.g., a shell script.
    This makes no sense for developing scripts connected directly with the system: I can't use any logins/passwords, as users can see them in the source, and I can't edit files owned by root, as the script executes as the logged-in user.
    Thus, we have a very strict set of functions we can use...

    I need to let single users edit files owned by root but not writable by others. I understand I can queue the corrections in some 777 folder and watch it with some daemon running as root, but that solution isn't acceptable, as, again, any user can edit his own queue file and thereby bypass the necessary checks...

    It turns out to be a vicious circle...
    Any ideas are appreciated.
     
  2. cPanelDavidN

    cPanelDavidN Integration Developer
    Staff Member

    NightRider,

    Could you give a specific example? In most cases, I would think that having a cPanel user account modifying files belonging to root is either a) the wrong approach to solving the problem or b) the only solution that is not worth the risk. I could be very wrong concerning your situation -- a more concrete example would help illustrate the functionality you desire and possibly illuminate a valid path to achieving it.

    Are you making a cPanel Plugin or a cPAddon?

    Regards,
    -Dave
     
  3. leefrom

    leefrom Active Member

    This is typically resolved by putting the stuff you don't want everyone to see in a directory which is not accessible via the web, and include it from the script itself.

    Regular cPanel users can't put stuff under the x3 theme in order to turn a script into a PHP shell, typically.
     
  4. MattDees

    MattDees cPanel Product Owner
    Staff Member

    I completely understand your problem, and we are looking into it.

    One solution would be to have a setuid script for executing the root perms. This would of course have to ensure that the user has the rights to perform the action in question. We do this all over the place in cPanel :)
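
The authorization step that the last reply calls for, as an added example that is not part of the thread and not cPanel's own code: a helper assumed to be installed setuid root takes the caller's identity from the kernel (the real UID) and builds the one path that caller may edit. `CONF_ROOT`, the per-user `.conf` layout, the function names and the lowercase-only name rule are assumptions made for illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define CONF_ROOT "/etc/myplugin/users"  /* hypothetical root-owned tree */

/* Accept only short names made of [a-z0-9_-]; rejects "", "..", "a/b". */
static int safe_name(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 32)
        return 0;
    return strspn(s, "abcdefghijklmnopqrstuvwxyz0123456789_-") == n;
}

/* Build the only path `user` may edit for `item`.
 * Returns 0 on success, -1 if the request must be refused. */
int build_target(const char *user, const char *item, char *out, size_t len)
{
    if (!safe_name(user) || !safe_name(item))
        return -1;
    int n = snprintf(out, len, "%s/%s/%s.conf", CONF_ROOT, user, item);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* The user name is looked up from the kernel-reported real UID of the
 * caller, never taken from argv, the environment or a queue file. */
int resolve_target(uid_t caller, const char *item, char *out, size_t len)
{
    struct passwd *pw = getpwuid(caller);
    return pw ? build_target(pw->pw_name, item, out, len) : -1;
}

int main(int argc, char **argv)
{
    char path[256];
    if (argc != 2 || resolve_target(getuid(), argv[1], path, sizeof path) != 0) {
        fprintf(stderr, "request refused\n");
        return 1;
    }
    /* The privileged write would go here, after validating the new content. */
    printf("would update %s\n", path);
    return 0;
}
```

Because the helper derives the user from `getuid()` and refuses any item name containing path characters, a user cannot point it at another account's file the way an editable queue file would allow.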
     