suPHP and Symbolic links on a reseller account

wcs4web

Member
May 7, 2002
10
0
301
I am looking to change my server so that it uses suPHP instead of DSO. One reason is for security but I am also noticing a number of software packages requiring the security model implemented by suPHP.

Anyway, my issue is this...I have a reseller who has created a shared code base for an application they offer to their customers. Their customers access this shared code base via symbolic links setup on their own web hosting account they get from the reseller.

Before implementing suPHP, we did a test focusing on this particular setup and utilizing suggestions we received from this forum. We turned on suPHP, ran a couple of requests to the client websites (sites with symbolic links) in order to get data in the log file, and then switched back to DSO.

The message we were receiving was "[warn] Directory /home/[owner_username]/shared_code is not owned by [client_username]". "client_username" is the account with the symbolic links to the "owner_username" shared code library.

I have read somewhere that shared code libraries like this should be owned by root. Not sure if this is true, but the problem is that the reseller will no longer be able to maintain their codebase on the server if it is owned by root.

We have been searching all over for an answer, but nothing...Hopefully we can get some answers here.

Thanks
George
 

LiNUxG0d

Well-Known Member
Jun 25, 2003
206
1
168
Gatineau, Quebec, Canada
Hey George,

In my travels with cPanel and WHM, suPHP wants the following:

- User/User Ownerships;
- Permissions 755 as a max permission. (anything lower is also acceptable, like, say, 644)

I've done a lot of suPHP conversions that were very successful just keeping that in mind.

suPHP basically says, "The user being used to access this site has to own the files being accessed."

If the Apache config says to use user "username" and the symlink and hard directories and files are owned by "username" then it should be ok. Basically, Apache switches user from "nobody" to the "web site owner" when accessing files.

If you compromise the ownership of the folder being symlinked, you'll run into issues.

Regards,
 

wcs4web

Member
May 7, 2002
10
0
301
Thanks for the reply....

The problem is that the folder and the files that are being linked to are owned by the reseller and not the client. The symlink is owned by the client, but not the files the link references. I am receiving an Internal Server Error 500 on the client website; the suPHP log tells me that "Directory /home/[reseller]/test is not owned by [client]".

George
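A pre-migration check for the ownership rule discussed in this thread, written as an added example for this page (it is not cPanel's or suPHP's own tooling). It walks an account's docroot, following symlinks because the suPHP warning quoted above names the resolved target directory rather than the link, and lists every entry that is not owned by the account user or that is group- or world-writable (suPHP's 755 ceiling). The account name and docroot are arguments; it assumes a POSIX find and enough privilege to stat the target directories, and a run before switching from DSO to suPHP should return nothing.

```shell
#!/bin/sh
# suphp_precheck ACCOUNT_USER DOCROOT
#   Print paths under DOCROOT (symlinks followed) that suPHP would reject:
#     - not owned by ACCOUNT_USER, or
#     - group-writable or world-writable (755 is the maximum suPHP accepts).
#   An empty result means the tree, including anything reached through a
#   symlink, satisfies the "user owns what the user's PHP touches" rule.
suphp_precheck() {
    owner=$1
    docroot=$2
    # -perm -020 / -perm -002: group-write / other-write bit set
    find -L "$docroot" \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print 2>/dev/null
}

# suphp_precheck_count ACCOUNT_USER DOCROOT
#   Same scan, but return only the number of offending entries (handy for
#   scripting a go/no-go before the suPHP switch).
suphp_precheck_count() {
    suphp_precheck "$1" "$2" | wc -l | tr -d ' '
}

# Example invocation (the account and path are placeholders):
#   suphp_precheck client /home/client/public_html
```

Run it once per account before enabling suPHP; any path it prints under another account's home (such as a reseller's shared code directory reached through a symlink) is exactly the case that produces the "is not owned by" warning in the log.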
 

LiNUxG0d

Well-Known Member
Jun 25, 2003
206
1
168
Gatineau, Quebec, Canada
Is it ONE set of files that EVERYONE uses or does EVERYONE have a subset of those files?

Example:

-=-=-
/home/reseller/folder/file.php
-=-=-

Or is it:

-=-=-
/home/reseller/folder/client1/file.php
/home/reseller/folder/client2/file.php
-=-=-

Maybe the second would work best. You could chown the "client1" and "client2" folders to reflect the linking client... maybe that would work for you. This is a suggestion. ;) It's kinda hard to do what you want since you're doing directory traversal (kinda) as well as having ownership problems.

Let me know,
 

wcs4web

Member
May 7, 2002
10
0
301

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
42
348
somewhere over the rainbow
cPanel Access Level
Root Administrator

wcs4web

Member
May 7, 2002
10
0
301
So what you are saying is that an account cannot create a symbolic link to a folder outside of their home directory. From what I have researched, it appears that you can, but it also appears that there are issues. No one seems to be coming out with "no you cannot" or "yes you can but this is how it should be done"...

Any feedback on that?

Thanks
George
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
42
348
somewhere over the rainbow
cPanel Access Level
Root Administrator
I am not stating you cannot create a symlink to another directory on another account. I am stating that what you are trying to do will not work. You can create all the symlinks you would like from the reseller account to these other accounts, but those symlinks will not function to provide content to users that do not own the original files under suPHP unless FileProtect is disabled.

If this is still unclear, please let me know.
 

wcs4web

Member
May 7, 2002
10
0
301
Thanks Tristan,

I have a couple of questions:
- Will I have to run this every time I upgrade Apache?
- I would like to run a test, would there be any impact if I run the fileprotect script and then switch back to DSO mode?

Thanks
George
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
42
348
somewhere over the rainbow
cPanel Access Level
Root Administrator
Hello George,

If you run FileProtect and then switch back to DSO, DSO works similar to having FileProtect disabled since PHP processes run as the user nobody. There shouldn't be an impact, but you can re-enable FileProtect using /scripts/enablefileprotect and then running the commands I noted to backup Apache configuration and so on afterward:

Code:
cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.bak110531
/usr/local/cpanel/bin/apache_conf_distiller --update
/scripts/rebuildhttpdconf
/etc/init.d/httpd restart
As for upgrading Apache, if you run EasyApache, the option is in the Exhaustive Options list and can be de-selected there as well:

Fileprotect (Prevent Users from reading other webroots)
Any settings on an EasyApache compile will carry over to the next recompile provided you select to use the last saved settings.

Thanks.
 

olemire

Registered
Apr 24, 2012
1
0
51
cPanel Access Level
Root Administrator
Hi, I just found this thread. I am having the exact same issue. How can I have multiple (selected) customers using the same global files without compromising security and without them uploading files as 'nobody', but as their own respective user? Is there a way to rely on the user's group instead of the username?
 

cPanelTristan

Quality Assurance Analyst
Staff member
Oct 2, 2010
7,607
42
348
somewhere over the rainbow
cPanel Access Level
Root Administrator
After this original discussion, I did find a way to reference images or scripts on all accounts without those accounts owning the file or script. The user cannot upload images or scripts to the location being referenced, though:

http://forums.cpanel.net/f5/read-php-script-reseller-account-suphp-243912.html#post1010212

Basically, place the script or images into /usr/local/cpanel/htdocs and call them using the full path to the script or image. This does work under suPHP.