The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Share Directory Across Multiple Accounts

Discussion in 'General Discussion' started by GoWilkes, May 8, 2014.

  1. GoWilkes

    GoWilkes Well-Known Member

    Joined:
    Sep 26, 2006
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I'm trying to share a directory with multiple accounts (all owned by me; in fact, every account on the server belongs to me). So,

    /home/example/www/images/

    should be able to be modified by both user "example" and user "new".

    Here's what I've done:

    Code:
    # Add "new_username" to group "example" 
    #   Note: the -a here is for "append", so new_username can modify files 
    #   under both groups "example" and "new" 
    usermod -aG example new_username
    
    # Change permissions for each directory to be shared 
    umask 002
    chmod -R 2777 /home/example/images/
    
    But I still get "permission denied" errors when I try to upload from /new/.

    My server provider suggested that I chown the entire /home/example/ directory, as well as every subdirectory that I would like to share, like so:

    Code:
    chown example.new /home/example/
    chown example.new /home/example/www/
    chown example.new /home/example/www/images/
    
    When I did this to a test directory, though, it showed the Owner/Group as:

    example/new

    Now, since I added "new" to the "example" group earlier, this looks backwards to me. Why am I changing the group to new? Would making this change leave "example" unable to make changes to its own directory, since they now belong to a group that "example" doesn't belong to?

    /example/ is a very active account (my bread and butter), so I really don't like doing anything to it that could mess it up. So before I go and make a mess of things, I'm hoping you guys can confirm... is this right?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,852
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Note that this type of setup is not supported, and considered bad security practice. Could you elaborate on the specific error message you receive and the exact method you are using to upload files? That might generate more user-feedback to the thread.

    Thank you.
     
  3. GoWilkes

    GoWilkes Well-Known Member

    Joined:
    Sep 26, 2006
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I understand why it's considered bad security practice, but I really don't think it applies to me when I own every account on the server; I can access everything as "root", anyway.

    First, I tried accessing /home/example/www/images via SSH, while logged in as "new". This was a simple:

    Code:
    cd /home/example/www/images
    
    This gave the error:

    Code:
    -bash: cd: /home/example/www/images/: Permission denied
    
    I also have a symlink at /home/new/www/ that links to /home/example/www/images/ (created as root), but I can't cd to that symlink, either; same error.

    Then, I tried using a simple Perl script that was uploaded to "new":

    Code:
    #!/usr/bin/perl 
    use File::Copy; 
    copy("/home/new/www/images/santa.jpg", "/home/example/www/images/santa.jpg"); 
    exit; 
    
    This doesn't actually throw an error, but when I add this after the "copy" command (before exit):

    Code:
    if (-f "/home/new/www/images/santa.jpg") { print "Found"; }
    else { print "Not Found"; }
    
    it prints "Not Found". And, of course, double-checking via SSH shows that the file does not exist on /example/.

    I've changed the group for /images/ using the chown command I pasted in the first post, but my server provider said that I would need to do that for every parent directory leading up to /images/. This is where I get nervous; I worry that changing the group for the entire account is going to cause a problem I didn't expect (like, scripts not being able to create or modify directories or files in their own account).
     
  4. GoWilkes

    GoWilkes Well-Known Member

    Joined:
    Sep 26, 2006
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    For anyone following this in the future, I found the problem, and it was much simpler than I thought. Since I'm seeing this question asked a LOT across the web, with no real solutions given, I thought I'd share what I learned.

    In order to share the directories across multiple accounts, all that I really needed to do was add the user to the shared group, then chmod the permission of each parent directory above the subdirectory. So, the entire process was:

    Code:
    # Add "new_username" to group "example" 
    #   Note: the -a here is for "append", so new_username can modify files 
    #   under both groups "example" and "new" 
    usermod -aG example new_username
    
    # Change permissions for each directory to be shared 
    #   Note: /home/example/ is 771, not 777, and the "2" sticky bit is not needed
    umask 002
    chmod 771 /home/example/
    chmod 777 /home/example/public_html/
    chmod 777 /home/example/public_html/images/
    
    As I originally suspected, changing the owner (chown) was the wrong thing to do.

    Now, my scripts under /home/new/ can create a file at /home/example/, /home/example/public_html/, or /home/example/public_html/images/. When they do, though, it's worth knowing that the owner is "new", and the group is "example".
     
  5. GoWilkes

    GoWilkes Well-Known Member

    Joined:
    Sep 26, 2006
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Update to this solution:

    At some point in the last few months, this system broke. Symlinks across accounts like this simply stopped working.

    I found the culprit in /usr/local/apache/conf/httpd.conf:

    Code:
    <Directory "/">
        Options ExecCGI FollowSymLinks IncludesNOEXEC Indexes SymLinksIfOwnerMatch
        AllowOverride All
    </Directory>
    
    Simply remove "SymLinksIfOwnerMatch", then restart Apache.

    Whether this is going to break every time Apache updates, I don't know, so maybe someone else can suggest how to make this a permanent fix?
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,852
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  7. GoWilkes

    GoWilkes Well-Known Member

    Joined:
    Sep 26, 2006
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Michael, I ran the script on that page on Dec 22, but Apache still overwrote my change. Here's the script I ran:

    Code:
    /usr/local/cpanel/bin/apache_conf_distiller --update
    
    I can't have this be overwritten every time WHM updates, so how do I make changes to the <Directory "/"> section permanent?

    Can I do something like this in the .htaccess files?

    Code:
    Options -SymLinksIfOwnerMatch
    
    I guess it would have to be in the /www/ directory for both accounts (the one linking to the other)?
     
    #7 GoWilkes, Dec 26, 2014
    Last edited: Dec 26, 2014
  8. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,852
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Could you open a support ticket using the link in my signature so we can take a closer look at why the changes were overwritten? You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     
  9. GoWilkes

    GoWilkes Well-Known Member

    Joined:
    Sep 26, 2006
    Messages:
    367
    Likes Received:
    1
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Is the ticket number the same as the "Request id"? If so, it is:

    5942725
     
  10. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,852
    Likes Received:
    675
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    To update, the user was advised to make these changes via:

    "WHM: Main >> Service Configuration >> Apache Configuration >> Global Configuration"

    Thank you.
     
Loading...

Share This Page