Reseller Owner Permissions

Discussion in 'General Discussion' started by sarahsboy18, Apr 15, 2006.

  1. sarahsboy18

    sarahsboy18 Member

    Joined:
    Apr 14, 2006
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    I just moved from a shared WHM/CPanel environment (as a reseller) to a dedicated server running WHM. I moved my reseller account over along with the accounts it owned and everything seems to look good... except:

    My clients all have the same industry specific needs on their sites... I have built scripts that I placed on my main reseller account that they could run to make changes to the files in their individual sites.

    Since moving over I am getting permission errors when I run these scripts... So without chmoding my clients' directories to 777 (bad idea) how do I give my reseller account owner status over its clients' accounts? This just worked automatically on my old hosting.
     
  2. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    38
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    From your description, my guess is that your old server was running phpsuexec/suexec and your new server isn't. Just recompile Apache with suexec/phpsuexec and you'll be right.

    Phpsuexec is such a big boost to system security that if your current host doesn't know enough to run it, or isn't prepared to switch to running it, you should look elsewhere for your hosting needs. They'll be spending all their time cleaning up their system after a while anyways! :rolleyes:
     
  3. sarahsboy18

    sarahsboy18 Member

    Thanks for the reply! I went into the "Apache Update" page in WHM... Suexec was already enabled and compiled, while PHPSuexec Support was not. So I enabled PHPSuexec Support and recompiled. This actually made things worse... Now none of my accounts can even read from each other at all much less write. Is there some sort of option I need to have enabled when I turn on phpsuexec?

    From what I am reading the purpose of phpsuexec is to stop all possible cross-account execution of php files... I need the exact opposite to take place. I need my subaccounts to have read/execute privileges on the reseller accounts... And I need my reseller account to have full read/write privileges to its sub accounts.
     
    #3 sarahsboy18, Apr 15, 2006
    Last edited: Apr 15, 2006
  4. brianoz

    brianoz Well-Known Member

    Ah ... then phpsuexec will definitely make things worse!!

    That's an unusual requirement; why do you want to do that? Reason I ask is that there are probably other ways of satisfying the requirement. It can certainly be accomplished at unix group permission level, but you'll need direct access to the server for that.
     
  5. sarahsboy18

    sarahsboy18 Member

    I have direct root access... It's my dedicated server :D

    I just need to know how to do it... And what is weird to me is that my old shared host was already set up to do that by default...

    The reason I need it to work is because I don't offer typical hosting to my clients. I actually offer an industry-specific web software my clients can use to manage their websites. Obviously I can just install the software on each account as I sign up a client... But instead I split the core libraries of the software from the executed php files... the real advantage being that I have instant version control. If I find a bug in the system I can just change it on my reseller account and it is instantly fixed for all my clients. But because I store the individual client data on their individual account... the libraries in my reseller account have to be able to write to the client accounts.

    Without phpsuexec or open_basedir protection on I am able to have my client accounts read and execute my reseller libraries without a problem... The permission errors come when the reseller libraries try to save data to the individual client site.
     
    #5 sarahsboy18, Apr 15, 2006
    Last edited: Apr 15, 2006
  6. brianoz

    brianoz Well-Known Member

    Hmm ok .. try turning both phpsuexec and suexec off. Then you want to look at file ownerships/permissions for the shared files - make sure they're readable to Apache.

    You might be able to get past this by putting the files in /usr/local/lib/php and including them, not sure, perhaps not. The ownership of PHP files in /usr/local/lib/php isn't tested in the same way as files under /home.
     
  7. sarahsboy18

    sarahsboy18 Member

    As much as I'd like to move those files outside the /home folder there are a lot of JS/CSS files that have to be pulled by the browser directly... So that really wouldn't work.

    The way I got around this was to just chmod the files to 755 and set them to [owner]:nobody. So far that seems to be allowing my remote code to operate.

    I'm still not 100% happy with this solution though as it requires me to manually chmod the folders every time I create an account... I'd really like to know how my old hosting company was automatically giving the reseller's account full permissions into its clients' accounts.
     
  8. brianoz

    brianoz Well-Known Member

    You can arrange for JS/CSS files to come in via an Alias, if you put it in the main section ("Section 2") in the httpd.conf, rather than the per-site container.

    To check this out, try out the URL http://www.somedomainonyourcpanelserver.com/icons/world1.gif and notice it comes up with an icon. That icon actually came from /usr/local/apache/icons and that was all configured with the global line:

    Code:
    Alias /icons/ "/usr/local/apache/icons/"
    (there's actually a permission block right after it, which you should also include if you do this in real life).

    You may not actually want to know how your previous company was providing access into the client accounts. It could be as simple as an ACL (although I doubt it!) and it could be as simple as mode 777 on every directory/file. You definitely don't want to do that!
     
  9. sarahsboy18

    sarahsboy18 Member

    Now, by moving those files out of the /home directory... does that automatically give them root privileges?

    ACL actually sounds like a pretty good possibility as I am sure they didn't have everything set to 777... Is there an ACL component out there that I install? Or is this something already available in the server that I have to configure?
     
  10. brianoz

    brianoz Well-Known Member

    Can't see that an ACL is necessary, provided the directory has execute (mode 711 or mode 751, ie rwxr-x--x) and the files have read permission (755, rwxr-xr-x) all your accounts should be able to read them. Now that I think about it a little more, that's probably what your old host was doing.

    Files themselves don't have "root privileges" - not sure what you mean by that. Do you mean, do .php files run as root? Probably not, you'll need to look into that. I wouldn't recommend running as root, but you may be able to get them to run as non-root.
     
  11. sarahsboy18

    sarahsboy18 Member

    OK... I hate to revive my old thread but I have been able to piece some things together about how my old host was doing things...

    They are definitely using phpsuexec/suexec... I have confirmed this. Yet they must be using some type of ACL of some kind that gives reseller accounts read/write/execute access to their sub accounts' home directory. And in reverse the sub accounts have read/execute only access back to the files in the reseller's home directory.

    So basically everything is jailed into the reseller account and its sub accounts but there is access between.

    Does anyone know what this addon/hack might be?
     
  12. jackie46

    jackie46 BANNED

    Joined:
    Jul 25, 2005
    Messages:
    537
    Likes Received:
    0
    Trophy Points:
    0
    Nope, they probably have their servers set up properly and you don't.
    What are you talking about? Sounds like you're not ready to host your own clients since you have no idea how to set up your own box.

    My suggestion is that you seek the expert advice of a dependable consulting company. I recommend http://efastconsulting.com or http://rack911.com.
     
    #12 jackie46, Jun 1, 2006
    Last edited: Jun 1, 2006
  13. sarahsboy18

    sarahsboy18 Member

    Thank you for all your help... :rolleyes:

    Anybody out there who wants to give information/guidance instead of just flaming the newbie?
     
    #13 sarahsboy18, Jun 1, 2006
    Last edited: Jun 1, 2006
  14. brianoz

    brianoz Well-Known Member

    Sarahsboy - sounds like they were hosting the new accounts as addon domains; that would describe what you were seeing perfectly. With addon domains the userid is the same so the reseller would have access to the files under them, and vice versa (although your ftp wouldn't let you see them). The control panel would have been shared, so I'd guess you didn't have access to it.
     
  15. sarahsboy18

    sarahsboy18 Member

    Aha! ... Actually Jackie46 was closer to being right... :rolleyes:

    I finally just set up a new reseller account and created a client account in the reseller WHM panel instead of from the root WHM panel. I dropped a phpinfo file in the reseller's home directory and ran a php include to grab it from the client side and BINGO!

    The reseller/client relationship does function the way I wanted it to by default. (I'M NOT CRAZY!!! :D )

    The reseller account and client accounts I had been testing with had been transferred from my old server... and although I gave my reseller correct controls in WHM it didn't update the client permissions to reflect at the user/group level.

    Thanks for your help Brian... I know you have put a lot of thought into this and I appreciate it.
     
    #15 sarahsboy18, Jun 3, 2006
    Last edited: Jun 3, 2006
  16. sarahsboy18

    sarahsboy18 Member

    Ok... back to square one :(

    I still don't have write access for the reseller.... and as soon as I started phpsuexec everything failed again. I know for a fact the other server I was on used phpsuexec.
     
    #16 sarahsboy18, Jun 3, 2006
    Last edited: Jun 3, 2006
  17. brianoz

    brianoz Well-Known Member

    That makes more sense. The reason it worked without phpsuexec is that the public_html directory is group nobody, so when Apache/PHP runs as nobody it has access to ALL the public_html directories on the system. There's no special relationship between the reseller and the client in terms of permissions.

    You could probably add part of that relationship by putting the clients into the same group as the reseller. The unix command would look like: usermod -G reseller -a client
    Problem is, this won't give you access to the public_html directory which needs to be in group nobody for apache to access it. You could of course give the reseller public_html directory execute access (from "drwxr-x--- 12 reseller nobody" to "drwxr-x--x 12 waterf reseller"), and turn down the permissions on the subdirectories to only allow group access, and this would then be quite a good solution.

    Basically, your alternatives are:

    1. open up permissions on the reseller public_html as above (this gives all accounts on the system access to your PHP scripts, including any database passwords etc).

    2. put the files into /usr/local/lib/php/app and call them from there. (include 'app/myinclude.php';)

    3. add the clients to the reseller group as above, and remove 'all' permission from the subdirectory which the application is in inside your reseller account. ie: chmod 750 /home/reseller/public_html/app. Your clients will then be able to include files from the app directory although you won't be able to access them via http. (apache will still run as nobody, and therefore won't have access to the files unless the directory is in group nobody or 'all' has execute permission.) This shouldn't be too much of a problem.

    Both alternatives 1 and 2 let everyone on the system read your PHP files, which may or may not be a problem for you. Alternative 3 is more secure but requires a little more thought.

    - brian
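
The owner/group/other checks behind alternative 3, modelled as an added example (not part of the thread and not cPanel code). The account names, `lib.php`, and the 711 and 640 modes are assumptions; public_html is shown first at mode 750 and then at 751, both as `reseller:nobody`.

```python
"""Model of Unix owner/group/other checks for the layout discussed above.
All users, groups, paths and modes here are constructed for illustration."""

# Constructed accounts: name -> (primary group, supplementary groups)
USERS = {
    "reseller": ("reseller", set()),
    "client_a": ("client_a", {"reseller"}),  # after: usermod -G reseller -a client_a
    "client_b": ("client_b", set()),         # never added to the reseller group
    "nobody": ("nobody", set()),             # Apache/PHP without suexec
}

TARGET = "/home/reseller/public_html/app/lib.php"

def layout(public_html_mode):
    # path -> (owner, group, mode); app is chmod 750 as in alternative 3
    return {
        "/home/reseller": ("reseller", "reseller", 0o711),
        "/home/reseller/public_html": ("reseller", "nobody", public_html_mode),
        "/home/reseller/public_html/app": ("reseller", "reseller", 0o750),
        TARGET: ("reseller", "reseller", 0o640),
    }

def allowed(user, entry, want):
    """Exactly one permission class applies: owner, else group, else other."""
    owner, group, mode = entry
    primary, extra = USERS[user]
    if user == owner:
        bits = (mode >> 6) & 7
    elif group == primary or group in extra:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want

def can_read(user, path, tree):
    """Reading needs search (x) on every parent directory and r on the file."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        parent = "/" + "/".join(parts[:i])
        # /home itself is not modelled and is assumed traversable
        if parent in tree and not allowed(user, tree[parent], 1):
            return False
    return allowed(user, tree[path], 4)

def report(public_html_mode):
    tree = layout(public_html_mode)
    return {user: can_read(user, TARGET, tree) for user in USERS}

if __name__ == "__main__":
    for mode in (0o750, 0o751):
        print(oct(mode), report(mode))
```

With public_html at 750 the group membership alone does nothing for `client_a`, because the directory's group is `nobody` and the "other" class has no search bit; at 751 `client_a` reaches the library while `client_b` and `nobody` are stopped at `app`.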
     
  18. sarahsboy18

    sarahsboy18 Member

    OK.... That makes sense to me as well. By default cpanel sets up each client public_html as owned by the user, e.g. 'client_a' ... in non-phpsuexec mode php runs as 'nobody' which is given read permissions across the system. This allowed my reseller/app to be readable. Then in order to make client sites writeable for my reseller script I would just add their home directory to the group 'nobody' and 775 it.

    When I enable phpsuexec now php runs under each site as its own username. Therefore client user 'client_a' can't read, execute or write to client 'client_b' or 'reseller'... and vice versa.

    What you are saying is that if I use the "usermod -G reseller -a client" line I can add my client into the 'reseller' group and thus give it read access to reseller/app in spite of phpsuexec.... correct? And if I then reverse this can I add 'reseller' to the group 'client_a' and therefore give it write access to 'client_a's home directory?
     
    #18 sarahsboy18, Jun 4, 2006
    Last edited: Jun 4, 2006