User in wheel group can't cd into public_html folders

[Optimizr]

Hi,

Since some cli (like wp and composer) are not recommended being ran as root, I tried creating a sudo user and added it to wheel group. Furthermore, I have followed the article here - <Link Removed>. The problem is -

I can sudo ls -la /root, I can cd until /home/users'_home_directories but I cannot cd into public_html directories inside users' home directories. I tried searching on the web with several keywords and no issue like me was found. An answer on serverfault (https://serverfault.com/a/243192/212111) is recommending to give executable permission to other users but I don't think it is safe to do it. What am I possibly missing and how to get it work in a secure way?

Here's what I mean in code version.

[[email protected] ~]$ cd /home/cpanel_user/public_html
-bash: cd: /home/cpanel_user/public_html: Permission denied
[[email protected] ~]$ cd /home/cpanel_user
[[email protected] cpanel_user]$ ls -lah .
ls: cannot open directory .: Permission denied
[[email protected] cpanel_user]$ sudo !!
sudo ls -lah .
[sudo] password for wheel_user:
total 48K
drwx--x--x   20 cpanel_user cpanel_user 4.0K Jan 22  2020 .
drwxr-xr-x. 148 root            root            8.0K Aug 11 14:48 ..
-rw-r--r--    1 cpanel_user cpanel_user   18 Nov 15  2019 .bash_logout
-rw-r--r--    1 cpanel_user cpanel_user  193 Nov 15  2019 .bash_profile
-rw-r--r--    1 cpanel_user cpanel_user  231 Nov 15  2019 .bashrc
drwxrwx--x    5 cpanel_user cpanel_user   36 Nov 15  2019 .cagefs
drwxr-xr-x    2 cpanel_user cpanel_user   46 Jan 21  2020 .cl.selector
-rw-r-----    1 cpanel_user cpanel_user   20 Nov 15  2019 .contactemail
drwx------    5 cpanel_user cpanel_user  152 Jul  9 02:43 .cpanel
drwx------    4 cpanel_user cpanel_user   66 Jan 22  2020 .cphorde
drwxr-x---    2 cpanel_user cpanel_user    6 Nov 15  2019 .htpasswds
-rw-------    1 cpanel_user cpanel_user  258 May 31 14:27 .lastlogin
drwxr-xr-x    2 cpanel_user cpanel_user  150 Dec  9  2019 .razor
drwx--x--x    5 cpanel_user cpanel_user   73 Nov 15  2019 .softaculous
drwx------    2 cpanel_user cpanel_user   23 Nov 15  2019 .spamassassin
-rw-r--r--    1 cpanel_user cpanel_user    0 Nov 15  2019 .spamassassinboxenable
-rw-r--r--    1 cpanel_user cpanel_user    0 Nov 15  2019 .spamassassinenable
drwx------    2 cpanel_user cpanel_user   27 Nov 15  2019 .subaccounts
drwx------    2 cpanel_user cpanel_user   27 Jan 22  2020 .trash
-rw-r--r--    1 cpanel_user cpanel_user  658 Nov 15  2019 .zshrc
lrwxrwxrwx    1 cpanel_user cpanel_user   41 Nov 15  2019 access-logs -> /etc/apache2/logs/domlogs/cpanel_user
drwxr-xr-x    2 cpanel_user cpanel_user    6 Jan 22  2020 cache
drwxr-x---    3 cpanel_user mail              61 May 31 14:27 etc
drwx------    2 cpanel_user cpanel_user 4.0K Aug 11 20:00 logs
drwxr-x--x   11 cpanel_user cpanel_user 4.0K Jan 22  2020 mail
drwxr-x---    3 cpanel_user cpanel_user   21 Nov 15  2019 public_ftp
drwxr-x---    4 cpanel_user cpanel_user  105 Aug  6 02:43 public_html
drwxr-xr-x    5 cpanel_user cpanel_user   72 Jul 21 06:04 ssl
drwxr-xr-x    7 cpanel_user cpanel_user   92 Jan 22  2020 tmp
lrwxrwxrwx    1 cpanel_user cpanel_user   11 Nov 15  2019 www -> public_html
[[email protected] cpanel_user]$

 

[JuliusGonsalvez]

Hello,

Since you have added a sudo user.

Edit /etc/sudoers and add the following entry under root.

sudo_user_name ALL=(ALL) NOPASSWD: ALL (add you sudo user name instead of sudo_user_name).

Then login to your server and run comand :- sudo su -

Do have a try.

 

[Optimizr]

Then login to your server and run comand :- sudo su -

sudo su - just switched the user to root which I don't want because some commands are not recommended to run as root. Please see below the message when I run wp as root

[[email protected] cpanel_user]$ sudo su -
Last login: Sat Aug 15 03:57:49 UTC 2020 on pts/1
Last failed login: Sat Aug 15 03:58:22 UTC 2020 from 119.45.40.87 on ssh:notty
There was 1 failed login attempt since the last successful login.

[[email protected] ~]# wp
Error: YIKES! It looks like you're running this as root. You probably meant to run this as the user that your WordPress installation exists under.

If you REALLY mean to run this as root, we won't stop you, but just bear in mind that any code on this site will then have full control of your server, making it quite DANGEROUS.

If you'd like to continue as root, please run this again, adding this flag:  --allow-root

If you'd like to run it as the user that this site is under, you can run the following to become the respective user:

    sudo -u USER -i -- wp <command>


[[email protected] ~]#

 

[cPanelLauren]

Hello,

Based on what you've shown this is the standard behavior for a wheel user. It has sudo privileges and by default no one should be able to get a directory listing without either being the user which owns the file, being the root user or using sudo to escalate

 

[Optimizr]

or using sudo to escalate

In fact, listing directories isn't my main goal. The main goal here is to cd into each user's directory and run commands like wp and composer but according to your reply it isn't possible without any risk except for the user account itself?

 

[thewarofdestinys]

The method that you have used seems to be correct. I just now tried to replicate it, and it worked just fine.
I am not sure if there is a typo, but there is a slight problem with the command. There is no need to have "mygroup" mentioned in there. The following works
# chmod -R g+swrx /mount/abc

Even, you can remove the s bit, just do g+rwx. After you have changed the permissions, and you do ls -l, it should display the relevant privileges.
34522 silver badges77 bronze badges

• 2
  I removed the typo with the groupname. The directory has the wrx permissions on it when you do ls -l, and it is owned by nobody:mygroup. Even though myuser is part of mygroup, myuser still cannot create/delete files. I hope that makes sense.

 

[Optimizr]

I found out a way and I am sharing it for future visitors. As my main goal is to running the commands I mentioned without having to logout and login to different user with SSH, I use the root account to do usual tasks. When it comes to situation to use those commands that doesn't recommend running as root, I switched to the cpanel user in the same terminal by typing su - cpanelusername. In that way, I can run the commands as non-root and don't have to log out and login.