The Community Forums


suPHP and Symbolic links on a reseller account

Discussion in 'General Discussion' started by wcs4web, May 30, 2011.

  1. wcs4web

    wcs4web Member

    Joined:
    May 7, 2002
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    I am looking to change my server so that it uses suPHP instead of DSO. One reason is for security but I am also noticing a number of software packages requiring the security model implemented by suPHP.

    Anyway, my issue is this...I have a reseller who has created a shared code base for an application they offer to their customers. Their customers access this shared code base via symbolic links setup on their own web hosting account they get from the reseller.

    Before implementing suPHP, we did a test focusing on this particular setup and utilizing suggestions we received from this forum. We turned on suPHP, ran a couple of requests to the client websites (sites with symbolic links) in order to get data in the log file, and then switched back to DSO.

    The message we were receiving was "[warn] Directory /home/[owner_username]/shared_code is not owned by [client_username]". "client_username" is the account with the symbolic links to the "owner_username" shared code library.

    I have read somewhere that shared code libraries like this should be owned by root. Not sure if this is true, but the problem is that the reseller will no longer be able to maintain their codebase on the server if it is owned by root.

    We have been searching all over for an answer, but nothing...Hopefully we can get some answers here.

    Thanks
    George
     
  2. LiNUxG0d

    LiNUxG0d Well-Known Member

    Joined:
    Jun 25, 2003
    Messages:
    206
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Gatineau, Quebec, Canada
    Hey George,

    In my travels with cPanel and WHM, suPHP wants the following:

    - User/User Ownerships;
    - Permissions 755 as a max permission. (anything lower is also acceptable, like, say, 644)

    I've done a lot of suPHP conversions that were very successful just keeping that in mind.

    suPHP basically says, "The user being used to access this site has to own the files being accessed."

    If the Apache config says to use user "username" and the symlink and hard directories and files are owned by "username" then it should be ok. Basically, Apache switches user from "nobody" to the "web site owner" when accessing files.

    If you compromise the ownership of the folder being symlinked, you'll run in to issues.

    Regards,
     
  3. wcs4web

    wcs4web Member

    Joined:
    May 7, 2002
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Thanks for the reply....

    The problem is that the folder and the files that are being linked to are owned by the reseller and not the client. The symlink is owned by the client, but not the files the link references. I am receiving an Internal Server Error 500 on the client website, and the suPHP log tells me that "Directory /home/[reseller]/test is not owned by [client]".

    George
     
  4. LiNUxG0d

    LiNUxG0d Well-Known Member

    Joined:
    Jun 25, 2003
    Messages:
    206
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Gatineau, Quebec, Canada
    Is it ONE set of files that EVERYONE uses or does EVERYONE have a subset of those files?

    Example:

    -=-=-
    /home/reseller/folder/file.php
    -=-=-

    Or is it:

    -=-=-
    /home/reseller/folder/client1/file.php
    /home/reseller/folder/client2/file.php
    -=-=-

    Maybe the second would work best. You could chown the "client1" and "client2" folders to reflect the linking client... maybe that would work for you. This is a suggestion. ;) It's kinda hard to do what you want since you're doing directory traversal (kinda) as well as having ownership problems.

    Let me know,
     
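    The two posts above describe the rule suPHP applies (the requesting user must own the script and its directory, 755 at most) and why a client's symlink into the reseller's tree trips it. The script below is an added example for this thread, not code from cPanel or suPHP; it approximates those checks in Python (owner of the resolved script, owner of its directory, no group/world write bit) and rebuilds the thread's layout in a temporary directory. Because chown needs root, every file in the fixture is owned by the current uid, so the "reseller" is modelled as that uid and the "client" as a made-up uid; the names suphp_check and demo and the exact message wording (apart from the "is not owned by" line quoted in the thread) are the example's own.

```python
"""Emulate the checks suPHP makes on a script before running it as the
request's user, so the symlink problem from this thread can be reproduced
without touching a live server.

Added example for this thread, not code from cPanel or suPHP. It models
three checks (script owner, directory owner, no group/world write bit),
which is an approximation of what mod_suphp enforces, not its source.
"""
import os
import shutil
import stat
import tempfile


def suphp_check(script_path, expected_uid):
    """Return the problems suPHP would log if script_path were served as
    expected_uid; an empty list means the script would run.

    The stat is done on the resolved target, so a symlink owned by the
    client is irrelevant when the directory it points at is not."""
    problems = []
    real_script = os.path.realpath(script_path)     # follow symlinks
    real_dir = os.path.dirname(real_script)
    try:
        st_dir = os.stat(real_dir)
        st_file = os.stat(real_script)
    except FileNotFoundError as exc:
        return ["File %s does not exist" % exc.filename]

    # Ownership: both the directory and the script must belong to the user
    if st_dir.st_uid != expected_uid:
        problems.append("Directory %s is not owned by uid %d" % (real_dir, expected_uid))
    if st_file.st_uid != expected_uid:
        problems.append("File %s is not owned by uid %d" % (real_script, expected_uid))
    # Permissions: 755 is the maximum, i.e. no write bit for group or other
    others_write = stat.S_IWGRP | stat.S_IWOTH
    if st_dir.st_mode & others_write:
        problems.append("Directory %s is writeable by others" % real_dir)
    if st_file.st_mode & others_write:
        problems.append("File %s is writeable by others" % real_script)
    return problems


def demo():
    """Build the thread's layout in a temporary directory (a constructed
    fixture) and evaluate it from the requesting user's point of view.

    chown needs root, so every file here is owned by the current uid; the
    'reseller' is therefore modelled as that uid and the 'client' as a
    different, made-up uid. The uid passed as expected_uid decides whose
    request is being simulated."""
    reseller_uid = os.getuid()
    client_uid = reseller_uid + 1000   # constructed: owns nothing in the fixture
    root = tempfile.mkdtemp(prefix="suphp-demo-")
    try:
        shared = os.path.join(root, "reseller", "shared_code")
        html = os.path.join(root, "client", "public_html")
        os.makedirs(shared)
        os.makedirs(html)
        script = os.path.join(shared, "index.php")
        with open(script, "w") as fh:
            fh.write("<?php echo 'shared code'; ?>\n")
        os.chmod(shared, 0o755)
        os.chmod(script, 0o644)
        # The client's symlink into the reseller's tree, as in the thread
        link = os.path.join(html, "app")
        os.symlink(shared, link)
        linked_script = os.path.join(link, "index.php")

        results = {}
        # 1. Request served as the client, target owned by the reseller:
        #    the "Directory ... is not owned by" failure from the thread.
        results["client_via_symlink"] = suphp_check(linked_script, client_uid)
        # 2. Same symlink, but the target's owner is the requesting user:
        #    this is what the per-client directory chowned to that client
        #    (post 4's suggestion) achieves.
        results["owner_matches"] = suphp_check(linked_script, reseller_uid)
        # 3. Owner matches but the directory is 777: still refused.
        os.chmod(shared, 0o777)
        results["world_writable_dir"] = suphp_check(linked_script, reseller_uid)
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario, "->", problems or ["OK, script would run"])
```

    Running it prints one line per scenario; only the second one comes back clean, which is the ownership relationship that has to hold on the real server before the symlinked application will serve under suPHP.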
  5. wcs4web

    wcs4web Member

    Joined:
    May 7, 2002
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
  7. wcs4web

    wcs4web Member

    Joined:
    May 7, 2002
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    So what you are saying is that an account cannot create a symbolic link to a folder outside of their home directory. From what I have researched, it appears that you can, but it also appears that there are issues. No one seems to be coming out with "no you cannot" or "yes you can but this is how it should be done"...

    Any feedback on that?

    Thanks
    George
     
  8. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    I am not stating you cannot create a symlink to another directory on another account. I am stating that what you are trying to do will not work. You can create all the symlinks you would like from the reseller account to these other accounts, but those symlinks will not function to provide content to users that do not own the original files under suPHP unless FileProtect is disabled.

    If this is still unclear, please let me know.
     
  9. wcs4web

    wcs4web Member

    Joined:
    May 7, 2002
    Messages:
    10
    Likes Received:
    0
    Trophy Points:
    1
    Thanks Tristan,

    I have a couple of questions:
    - Will I have to run this every time I upgrade Apache?
    - I would like to run a test; would there be any impact if I run the FileProtect script and then switch back to DSO mode?

    Thanks
    George
     
  10. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    Hello George,

    If you run FileProtect and then switch back to DSO, DSO works similarly to having FileProtect disabled since PHP processes run as the user nobody. There shouldn't be an impact, but you can re-enable FileProtect using /scripts/enablefileprotect and then running the commands I noted to back up the Apache configuration and so on afterward:

    Code:
        # back up the current Apache configuration before rebuilding it
        cp /usr/local/apache/conf/httpd.conf /usr/local/apache/conf/httpd.conf.bak110531
        /usr/local/cpanel/bin/apache_conf_distiller --update
        /scripts/rebuildhttpdconf
        /etc/init.d/httpd restart

    As for upgrading Apache, if you run EasyApache, the option is in the Exhaustive Options list and can be de-selected there as well:

    Any settings on an EasyApache compile will carry over to the next recompile provided you select to use the last saved settings.

    Thanks.
     
  11. olemire

    olemire Registered

    Joined:
    Apr 24, 2012
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi, I just found this thread. I am having the exact same issue. How can I have multiple (selected) customers using the same global files without compromising security and without them uploading files as 'nobody', but as their own respective user? Is there a way to rely on the user's group instead of the username?
     
  12. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    After this original discussion, I did find a way to reference images or scripts on all accounts without those accounts owning the file or script. The user cannot upload images or scripts to the location being referenced, though:

    http://forums.cpanel.net/f5/read-php-script-reseller-account-suphp-243912.html#post1010212

    Basically, place the script or images into /usr/local/cpanel/htdocs and call them using the full path to the script or image. This does work under suPHP.
     