Privilege separation - run each virtual domain as a different user

Discussion in 'EasyApache' started by shodanshok, Jan 25, 2017.

  1. shodanshok

    shodanshok Member

    Joined:
    Jan 25, 2017
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Italy
    cPanel Access Level:
    Root Administrator
    Hi all,
    I would like to ask about privilege separation for different virtualhosts.

    I already know that each different domain user runs Apache with its own account permission. However, I would like to understand if it is possible to run different virtualhosts *inside the same user account* with different privileges.

    For example, let me create the example.com domain, with its own user "exampleuser". The www.example.com site will run with "exampleuser" permission (as shown by the get_current_user PHP function). Now I add a subdomain to the same user account, let's call it sub1.example.com, with its virtualhost, say www.sub1.example.com. Is it possible to run this second site with different privileges?

    Thanks.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    15,765
    Likes Received:
    313
    Trophy Points:
    433
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    If I understand you correctly, you'd want to create a second cPanel account using the subdomain.
     
  3. shodanshok

    Hi, thanks for your reply.

    Does it mean that the Apache process belonging to the subdomain account will run under its own user/permission?

    Thanks.
     
  4. Infopro

    Yes, each cPanel account you create runs under its owner's name.
     
  5. shodanshok

    Hi, thanks for your reply.

    From what I understand, creating a new cPanel account means, in WHM, creating a new domain/subdomain.

    I would ask another thing: having a single domain, is there a method to create multiple accounts associated with this domain, each running with their own permissions?

    Example: I have the "example.com" domain, with user "example1". Can I create another user in domain "example.com" (e.g. "example2") and run it with its own privileges? Or can any domain only run with a single set of privileges/user?
     
  6. Infopro

    Creating a new cPanel account means creating a cPanel account, not a domain.
    My answer above addresses this.

    Any account. A single cPanel account can have many domain names, but they'll all be owned by a single cPanel user.

    If you want to use the same domain name for a normal cPanel account and also use that same domain for a subdomain owned by a different user, creating a cPanel account using the domain is the way to go.

    If this information is not helpful, please expand on what it is you're actually hoping to do here.
     
  7. Infopro

  8. shodanshok


    Ok, let me explain my usage scenario.

    I want to host multiple web sites on a single machine. These sites can be of entirely different domains or from the same domain. Each site must be totally isolated from others and run with specific privileges (basically, each site must run under a different system user).

    Case 1: sites from different domains
    Let's suppose I have example.com and domain.com. I would create two domains (example.com and domain.com) and accounts (user1 and user2) in WHM. Loading some PHP pages via cPanel, I can see that example.com runs under system user "user1", while domain.com runs under system user "user2". All right here.

    Case 2: sites from the SAME domain
    Let's suppose I have example.com and blog.example.com. I would create a domain in WHM (example.com) and a corresponding user account (user1).
    Problem: In WHM, I cannot find any means to create a "user2" account linked to the same "example.com" domain. Am I missing something?
    From my understanding, both example.com and blog.example.com run under the "user1" system user. This means that a vulnerability on "blog.example.com" can be used against "example.com".
    Possible solution: create a "user2" account linked to the "blog.example.com" domain (but this will create many DNS records I don't need).

    How should I approach this situation? Am I missing something?
    Thanks.
     
    #8 shodanshok, Jan 26, 2017
    Last edited by a moderator: Jan 26, 2017
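
The same-domain concern in the post above, as an added example that is not part of the original thread or cPanel's own tooling: a Python check that parses Apache virtual host configuration and reports which sites run under the same system user. The sample configuration is constructed, and the check assumes the per-vhost user is set with `SuexecUserGroup` (mod_suexec), `RUidGid` (mod_ruid2) or `AssignUserID` (mpm-itk).

```python
import re
from collections import defaultdict

# Constructed sample (not from a real server): two sites share "user1",
# a third runs as "user2".
SAMPLE_CONF = """\
<VirtualHost 192.0.2.10:80>
  ServerName example.com
  SuexecUserGroup user1 user1
</VirtualHost>
<VirtualHost 192.0.2.10:80>
  ServerName blog.example.com
  SuexecUserGroup user1 user1
</VirtualHost>
<VirtualHost 192.0.2.10:80>
  ServerName domain.com
  SuexecUserGroup user2 user2
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)
# Directives that set the user a vhost's scripts run as (assumed set per vhost).
USER_RE = re.compile(
    r"^\s*(?:SuexecUserGroup|RUidGid|AssignUserID)\s+(\S+)", re.M | re.I)

def users_by_vhost(conf_text):
    """Map each ServerName to its system user (None if no directive is set)."""
    result = {}
    for body in VHOST_RE.findall(conf_text):
        name = NAME_RE.search(body)
        user = USER_RE.search(body)
        if name:
            result[name.group(1).lower()] = user.group(1) if user else None
    return result

def shared_users(conf_text):
    """Return {user: [sites]} for every user that serves more than one site."""
    groups = defaultdict(list)
    for site, user in users_by_vhost(conf_text).items():
        groups[user].append(site)
    return {u: sorted(s) for u, s in groups.items() if len(s) > 1}

if __name__ == "__main__":
    for user, sites in shared_users(SAMPLE_CONF).items():
        print(f"{user}: {', '.join(sites)} share one privilege boundary")
```

Sites grouped under `None` have no per-vhost user directive and fall back to the web server's own user.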
  9. Infopro

    DNS records are needed for everything to work properly.

    This same solution was offered in the second post to this thread:
     
  10. shodanshok

    Ok, so this is how it is supposed to work.

    Thanks for your patience.
     
  11. Infopro

    Happy to help. :)
     