Plesk Refugee: Translate custom vhost.conf to Custom httpd configuration

netstepinc

Ubuntu 12.04
Apache 2.2.24
DirectAdmin 1.43.1
Php 5.3.26

I'm trying to replicate some capabilities from my Plesk server that I'm putting out of my misery, but I'm a bit confused about how to use Custom httpd configuration to get the desired result.

GOAL: Symlink a CMS instance to a core file set.
Code:
ln -s /home/master/domains/master.com/public_html/filename.php /home/slave/domains/slave.com/public_html/filename.php

I've been searching the forum and help files, but I'd like to have a degree of certainty I'm doing this correctly.
Any help would be truly appreciated.

Help doc provides an example, but I'm not sure how to translate that to my setup.
http://help.directadmin.com/item.php?id=182
|?OPEN_BASEDIR_PATH=`HOME`/:/tmp:/usr/local/lib/php/|

I'm also wondering if I need to add anything else like follow symlinks.

The Plesk vhost.conf file contained:
Code:
<Directory /var/www/vhosts/slave.com/httpdocs >
#php_admin_value open_basedir "/tmp:/usr/share/pear:/var/www/vhosts/slave.com/httpdocs:/var/www/vhosts/master.com/httpdocs/sourcedir"
php_admin_value open_basedir none
Options +FollowSymLinks
</Directory>

Thank you for your help.
 
I guess I've gotten lost in your first code block above; that's a link and has nothing to do with html templates.

The problem I see there, however, is that you're linking /home/slave to /home/master. Presuming that master and slave are both usernames, that's not going to work in a standard DirectAdmin configuration because one user cannot read another user's home directory.

Jeff
 
Jeff,
Thank you for the reply.

The link is an example of what I do on my other server.
I have a central code repository and dozens of sites use that code base.
It keeps disk space down and updates are more efficient.

ln -s /home/master/domains/master.com/public_html/filename.php /home/slave/domains/slave.com/public_html/filename.php

I appreciate the security that user:slave can't access user:master files.
However, I want to figure out a reasonably secure method by which I can maintain one instance of my CMS in user:master and enable slave1, slave2, slave3....to use those CMS core files.

I appreciate any suggestions you may have.
 
If you really want them in separate users, then the only reasonable way to do it would be to play with folder ownership starting at the /home/username level and continuing recursively, for each of the usernames, having them owned, for example, by user=slaveX and group=master. Then you may need to adjust the permissions on all the subdirectories and files as well, depending on whether or not you need read or write access. But keep in mind that this means every slaveX FTP login will be able to read the contents of every other slaveX owner's files.

So of course you'll lose some security.

Jeff
 
Thank you. I was hoping to find a solution that didn't involve a significant security reduction, but I guess I'm stuck.

My symlinked core method worked extremely well on my Plesk server, but I did get hacked twice and eventually was hit with a root level compromise.
Plesk creates directories with <user> : psacln permissions by default. We added apache to the psacln group and we could do anything...good news bad news.

One of the main reasons I'm moving back to Plesk is for security.
No point in being one of those idiots that moves somewhere for the quality of life then remakes the new place into the old place and wrecks it.
 
I have my codebase in a user account by itself.

The permissions are as follows:
/home
711 /codebase
751 /domains
751 /masterdomain.com
755 /public_html

Would I be completely exposing myself to a hack if I changed the permissions to 755 all the way down?
AND would this actually enable slave sites to access resources in the master domain?
755 /codebase
755 /domains
755 /masterdomain.com
755 /public_html

Nailing down a shared core strategy is important, but I don't want to build my business on a flawed strategy...and I truly appreciate your insight.
 
Would I be completely exposing myself to a hack if I changed the permissions to 755 all the way down?
Yes. That may be what Plesk was doing. It's significantly less secure.

What I mentioned is actually a reasonably secure way of doing it, as long as you know what you're doing and only do specifically what you need. If you're not sure how to do custom permissions you may want to hire me or someone else who knows how to do it as securely as possible. To contact me, send an email, as I don't answer PMs as quickly as I do emails.

755 is very dangerous. 750 with my suggestions (above) is fairly secure.

Jeff
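
As an added example (not part of any post in this thread), this POSIX shell script audits the mode bits discussed above: for each directory from a base path down to the shared codebase it reports whether other local users can list it or only traverse it. The function names and the temporary demo tree are constructed for illustration, GNU `stat` is assumed, and LEAF must lie below BASE.

```shell
#!/bin/sh
# Added example (not from the thread): report what "other" users can do on each
# directory between a base path and a shared codebase. Reads mode bits only.

# other_access MODE -> prints "list,traverse", "list", "traverse" or "-"
other_access() (
    mode=$1
    digit=${mode#"${mode%?}"}          # last octal digit = bits for "other"
    case $digit in 4|5|6|7) flags=list ;; *) flags= ;; esac
    case $digit in 1|3|5|7) flags=${flags:+$flags,}traverse ;; esac
    printf '%s\n' "${flags:--}"
)

# audit_chain BASE LEAF -> one line per directory below BASE, down to LEAF:
#   <mode> <owner:group> <other-access> <path>
audit_chain() (
    base=${1%/}; leaf=${2%/}; dir=$base
    set -f; IFS=/                      # split the relative path on "/" only
    for part in ${leaf#"$base"/}; do
        dir=$dir/$part
        mode=$(stat -c '%a' "$dir")
        owner=$(stat -c '%U:%G' "$dir")
        printf '%s %s %s %s\n' "$mode" "$owner" "$(other_access "$mode")" "$dir"
    done
)

# count_listable BASE LEAF -> number of directories any local user can list
count_listable() {
    audit_chain "$1" "$2" | awk '$3 ~ /list/ { n++ } END { print n + 0 }'
}

# build_tree ROOT name:mode ... -> constructed nested directories for the demo
build_tree() (
    p=$1; shift
    for spec in "$@"; do
        p=$p/${spec%%:*}
        mkdir -p "$p" && chmod "${spec##*:}" "$p"
    done
)

# Demo on a constructed tree using the modes posted in the thread.
demo=$(mktemp -d)
build_tree "$demo" codebase:711 domains:751 masterdomain.com:751 public_html:755
audit_chain "$demo" "$demo/codebase/domains/masterdomain.com/public_html"
rm -rf "$demo"
```

With 711/751 on the upper levels only `public_html` is listable by other accounts; at 755 every level is, and at 750 none is, which leaves access to be granted through the group instead.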
 
I'm trying to replicate some capabilities from my Plesk server that I'm putting out of my misery, but a bit confused about how to use Custom httpd configuration to get the desired result.


Hello,

If you want to share your custom PHP code between users of your server, you'd better put it into /usr/local/lib/php/custom/ directory and include it from there. If your apache is patched by custombuild, you might not be able to use symlinks with different UID:GID.
 