Advice on suPHP with DA user/group rights of symlinked folder

mart_nl

Using suPHP on Debian I've created a folder in /home/cms.

The cms folder contains source files for a CMS and I've created symlinks in the folder of the user /home/username/domains/public_html/[here]

This only works when:

a) all symlinks are chowned to user:user in the /public_html

and

b) /home/cms is chowned to user:user as well!

But that is not what I want, as other users need to use the /home/cms folder also.

I thought I could use root:www-data on /home/cms but this does not work. I've added the example user to the www-data group which is also not working.

Please advise how to solve this little puzzle... ;-)
 
Still didn't find a solution for this unfortunately. Any help appreciated.

The basic idea is to install the CMS source files outside the user's homedir. E.g. /home/.

In the user's public_html I want to create a symlink to this source, as if it was really there. suPHP prevents me because of user/group rights that are different.

There must be a way to make this work for every user that uses this CMS and update the CMS so that all users benefit from the update at the same time.

suPHP seems to be the thing I need to solve to make this work.
 
suPHP is a tool for executing PHP scripts with the permissions of their owners.

I guess suPHP wants to run under the /home/$username/ as that would be the user configured with SuexecUserGroup in the user's httpd.conf.

Maybe you could make suPHP run as the same user for everyone by modifying the httpd templates and make it run in "force" mode (see explanation and Warning on http://www.suphp.org/DocumentationView.html?file=INSTALL). However, I think that beats the purpose of using suPHP.

You might as well just use mod_php (without mod_ruid2 (if using cb 2.0, it would be enabled by default)). Then you can run everything under the same user and php wouldn't be complaining, and it's faster than suPHP too.

Alternatively you could consider using a different setup altogether, like just copy the cms to everyone's folder and when you want to update, just run a script which would copy all files to all users again. The space it would take usually isn't that big, as it's just a few text/php files.

Because if you symlink it like you say, how do you keep the websites apart? They all need a different database and config file and user uploads etc. Or if your one cms setup can handle all websites, I would leave out all the different users altogether and add all domains under 1 user, to make it more of a SaaS platform.
 
Hi Arieh,

The CMS in question, typo3, has core files that are identical for each install. The config files for database access are in a different folder that is not symlinked and created automatically upon setup.

The new release setup for typo3 even notes upon install that you are not using symlinks and blocks the next step (but you can override), and it's urged to use symlinks.

So if I hear you correctly, it's best to switch to mod_php. Now to find a good migration plan to ditch suPHP and switch to mod_php without too much hassle and changing currently hosted customers.

Thanks,
Martin
 
It seems my suggestions are indeed not sufficient for this kind of setup. You can easily switch to mod_php (cli php) with CustomBuild: http://forum.directadmin.com/forumdisplay.php?f=61

I'm not too sure about all this, as usually you'd want to prevent people from leaving their own home directory.

Personally I'd only do this on a server on which people have no FTP or DA access etc, but that's me.

Also I'd test everything on a test server before doing everything on a production platform, and look at all angles concerning security.

Other than that, the thing you should keep in mind with switching from suPHP to mod_php is that php will be running for everyone as the user 'apache', so if people's directories are owned by their /home/$user they need higher chmod (e.g. 777) for php files to write to them (e.g. uploads/cache systems), where suPHP does not allow chmod 777 and doesn't need it, because it's being run under the $user.

If you're using the SAC (http://www.directadmin.com/features.php?id=961, which is enabled by default for a while on new installs), user apache can read into everyone's public_html dir, so you could place the typo3 files inside e.g. /home/typo3/domains/x.x/public_html, then make the symlinks to there.

Things I'm not sure about are:
- openbasedir (maybe the typo3 path needs to be added (http://help.directadmin.com/item.php?id=182))
- symlink check: http://help.directadmin.com/item.php?id=421 (it converts FollowSymLinks into SymLinksIfOwnerMatch, which may block the thing you want to do)
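
Added example, not part of the original posts: a read-only audit that lists the symlinks under a docroot whose owner differs from the owner of the target, which is the condition Apache's SymLinksIfOwnerMatch refuses to follow and the same ownership match the first post ran into. The function name `audit_symlinks` and the docroot passed on the command line are assumptions for illustration.

```python
import os
import pwd


def _name(uid):
    """Resolve a uid to a user name, falling back to the number."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def audit_symlinks(docroot):
    """Return (link, target, link_owner, target_owner) tuples for symlinks
    under docroot that an owner-match check would refuse to follow.
    Dangling or looping links are reported with target_owner None."""
    findings = []
    # os.walk does not descend into symlinked directories by default,
    # but it still lists them in dirnames, so both lists are checked.
    for dirpath, dirnames, filenames in os.walk(docroot):
        for entry in dirnames + filenames:
            path = os.path.join(dirpath, entry)
            if not os.path.islink(path):
                continue
            link_uid = os.lstat(path).st_uid       # owner of the link itself
            target = os.path.realpath(path)
            try:
                target_uid = os.stat(path).st_uid  # owner of what it resolves to
            except OSError:
                findings.append((path, target, _name(link_uid), None))
                continue
            if link_uid != target_uid:
                findings.append(
                    (path, target, _name(link_uid), _name(target_uid)))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    # Assumed usage: pass one user's public_html directory as the argument.
    for link, target, l_owner, t_owner in audit_symlinks(sys.argv[1]):
        print(f"{link} -> {target}: link owner {l_owner}, "
              f"target owner {t_owner or 'MISSING'}")
```

Running it over each user's public_html on a test server before enabling the symlink check shows which shared-source links would stop resolving.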
 