Permissions for each website run under different users (suexec, lsphp...) — CyberPanel - WebHosting Control Panel for OpenLiteSpeed

Hi,
Is there any tutorial to do that, as I see currently the system is using a single user for all webs: sslipse

[[email protected] public_html]# ls -lah
total 24K
drwxr-xr-x 3 sslipse sslipse 4.0K Mar 22 06:44 .
drwxr-xr-x 4 sslipse sslipse 4.0K Mar 22 04:13 ..
drwxr-xr-x 2 sslipse sslipse 4.0K Mar 22 04:13 .well-known
-rwxr--r-- 1 sslipse sslipse  725 Mar 22 04:14 index.html
-rw-r--r-- 1 sslipse sslipse   20 May  8  2014 info.php
-rw-r--r-- 1 sslipse sslipse  144 May 17  2016 who.php

For example web 1.com running as user1 privilege; web 2.com running as user2 privilege;

This is to limit the local attack

Comments

  • You are inside a public_html of a single website (All child domains under this will use this user)

    However, each website runs via its own user; you need to run

    ls -la /home

    1. Add a USER: user1
    2. Add WEBSITE for user1: ssl9.ipserver.ml
    3. Check Permission /home:
    [[email protected] ~]# ls -lah /home/
    total 28K
    drwxr-xr-x  7 root       root       4.0K Mar 22 07:15 .
    dr-xr-xr-x 20 root       root       4.0K Mar 22 04:40 ..
    drwx------  2 cyberpanel cyberpanel 4.0K Mar 22 06:42 cyberpanel
    drwxr-xr-x  4 sslipse    sslipse    4.0K Mar 22 04:13 ssl.ipserver.ml
    drwxr-xr-x  4 sslipse    sslipse    4.0K Mar 22 04:53 ssl8.ipserver.ml
    drwxr-xr-x  4 sslipse    sslipse    4.0K Mar 22 07:15 ssl9.ipserver.ml
    drwx------  2 vmail      vmail      4.0K Mar 22 04:02 vmail
    
    4. Check vHost Conf of WEBSITE ssl9.ipserver.ml:
    docRoot                   $VH_ROOT/public_html
    vhDomain                  $VH_NAME
    vhAliases                 www.$VH_NAME
    adminEmails               [email protected]
    enableGzip                1
    enableIpGeo               1
    
    index  {
      useServer               0
      indexFiles              index.php, index.html
    }
    
    errorlog $VH_ROOT/logs/$VH_NAME.error_log {
      useServer               0
      logLevel                ERROR
      rollingSize             10M
    }
    
    accesslog $VH_ROOT/logs/$VH_NAME.access_log {
      useServer               0
      logFormat               "%v %h %l %u %t "%r" %>s %b"
      logHeaders              5
      rollingSize             10M
      keepDays                10
      compressArchive         1
    }
    
    scripthandler  {
      add                     lsapi:sslipse php
    }
    
    extprocessor sslipse {
      type                    lsapi
      address                 UDS://tmp/lshttpd/sslipse.sock
      maxConns                10
      env                     LSAPI_CHILDREN=10
      initTimeout             60
      retryTimeout            0
      persistConn             1
      pcKeepAliveTimeout      1
      respBuffer              0
      autoStart               1
      path                    /usr/local/lsws/lsphp72/bin/lsphp
      extUser                 sslipse
      extGroup                sslipse
      memSoftLimit            2047M
      memHardLimit            2047M
      procSoftLimit           400
      procHardLimit           500
    }
    context /.filemanager {
      type                    NULL
      location                /usr/local/lsws/Example/html/FileManager
      allowBrowse             1
      autoIndex               1
    
      accessControl  {
        allow                 127.0.0.1, localhost
        deny                  0.0.0.0/0
      }
      addDefaultCharset       off
    }
    
    vhssl  {
      keyFile                 /usr/local/lsws/conf/vhosts/SSL-ssl9.ipserver.ml/privkey.pem
      certFile                /usr/local/lsws/conf/vhosts/SSL-ssl9.ipserver.ml/fullchain.pem
      certChain               1
      sslProtocol             31
    }
    
    
    5. Check passwd
    [[email protected] ~]# cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    bin:x:1:1:bin:/bin:/sbin/nologin
    daemon:x:2:2:daemon:/sbin:/sbin/nologin
    adm:x:3:4:adm:/var/adm:/sbin/nologin
    lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
    sync:x:5:0:sync:/sbin:/bin/sync
    shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
    halt:x:7:0:halt:/sbin:/sbin/halt
    mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
    operator:x:11:0:operator:/root:/sbin/nologin
    games:x:12:100:games:/usr/games:/sbin/nologin
    ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
    nobody:x:99:99:Nobody:/:/sbin/nologin
    systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin
    systemd-network:x:998:997:systemd Network Management:/:/sbin/nologin
    dbus:x:81:81:System message bus:/:/sbin/nologin
    saslauth:x:997:76:Saslauthd user:/run/saslauthd:/sbin/nologin
    mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
    smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
    rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
    apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
    sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
    nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
    named:x:25:25:Named:/var/named:/sbin/nologin
    tcpdump:x:72:72::/:/sbin/nologin
    cyberpanel:x:1000:1000::/home/cyberpanel:/bin/bash
    lsadm:x:996:995:lsadm:/:/sbin/nologin
    mysql:x:995:994:MySQL server:/var/lib/mysql:/sbin/nologin
    ftpuser:x:2001:2001:"pureftpd user":/bin/null:/bin/false
    pdns:x:994:993:PowerDNS user:/:/sbin/nologin
    postfix:x:89:89::/var/spool/postfix:/sbin/nologin
    dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
    dovenull:x:993:992:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
    vmail:x:5000:5000::/home/vmail:/bin/bash
    sslipse:x:5001:5001::/home/ssl.ipserver.ml:/bin/bash
    vddos:x:5002:5002::/vddos:/sbin/nologin
    

    It seems that no matter how many users or domains I add, their permissions are under USER sslipse

  • edited March 2018

    I understand your point of view, the problem is PHPSuExec user is picked from the domain name.

    ssl.ipserver.ml
    ssl8.ipserver.ml
    ssl9.ipserver.ml

    Your domain name here is similar, except the number (numbers are excluded), which is why you are getting the same user every time.

    Try with something like:

    duy13.ipserver.ml

  • edited March 2018

    Everything has been successful, thank you!

    But it seems that CyberPanel users will have trouble with different subdomains for plans CDN Server Static File:
    cdn1.cloud.uk
    cdn2.cloud.uk

    s100.zvideos.cn
    s200.zvideos.cn
    s300.zvideos.cn
    ...

    [[email protected] ~]# ls -lah /home/
    total 44K
    drwxr-xr-x 11 root       root       4.0K Mar 22 07:41 .
    dr-xr-xr-x 20 root       root       4.0K Mar 22 04:40 ..
    drwxr-xr-x  4 cdnclou    cdnclou    4.0K Mar 22 07:40 cdn1.cloud.uk
    drwxr-xr-x  4 cdnclou    cdnclou    4.0K Mar 22 07:41 cdn2.cloud.uk
    drwx------  2 cyberpanel cyberpanel 4.0K Mar 22 07:34 cyberpanel
    drwx------  2 vmail      vmail      4.0K Mar 22 04:02 vmail
    drwxr-xr-x  4 voduyco    voduyco    4.0K Mar 22 07:31 voduy.com
    
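The naming rule described in the reply above (letters only, digits dropped, which is why ssl.ipserver.ml, ssl8.ipserver.ml and ssl9.ipserver.ml all map to sslipse, and cdn1.cloud.uk / cdn2.cloud.uk both map to cdnclou) can be checked before a site is created, and existing servers can be audited for websites that already share a PHP user. The script below is an added example, not CyberPanel's own code: the 7-letter truncation is inferred from the directory owners shown in this thread, and the `ls -lah /home` sample is constructed to match the listing posted above.

```python
import re
from collections import defaultdict

def derive_user(domain: str, length: int = 7) -> str:
    """Reproduce the PHPSuExec user naming as observed in this thread:
    lowercase letters only (digits and dots dropped), truncated to 7 chars.
    Assumption inferred from ssl.ipserver.ml -> sslipse, cdn1.cloud.uk -> cdnclou,
    voduy.com -> voduyco; it is not CyberPanel's actual implementation."""
    letters = re.sub(r"[^a-z]", "", domain.lower())
    return letters[:length]

def find_collisions(domains):
    """Group domains by the user they would map to; keep only groups larger than one,
    i.e. sites that would end up running PHP under the same uid."""
    by_user = defaultdict(list)
    for domain in domains:
        by_user[derive_user(domain)].append(domain)
    return {user: ds for user, ds in by_user.items() if len(ds) > 1}

# Home directories that are not websites and should be ignored by the audit.
SYSTEM_DIRS = {"cyberpanel", "vmail", ".", ".."}

def shared_owners(ls_output: str):
    """Parse `ls -lah /home` output and report owners holding more than one
    website directory: every site in such a group can read the others' files."""
    owners = defaultdict(list)
    for line in ls_output.splitlines():
        parts = line.split()
        if len(parts) < 9 or not parts[0].startswith("d"):
            continue  # skip 'total' line and non-directories
        owner, name = parts[2], parts[-1]
        if name not in SYSTEM_DIRS:
            owners[owner].append(name)
    return {owner: names for owner, names in owners.items() if len(names) > 1}

# Constructed sample modelled on the /home listing posted in the thread.
SAMPLE_LS = """\
total 44K
drwxr-xr-x 11 root       root       4.0K Mar 22 07:41 .
dr-xr-xr-x 20 root       root       4.0K Mar 22 04:40 ..
drwxr-xr-x  4 cdnclou    cdnclou    4.0K Mar 22 07:40 cdn1.cloud.uk
drwxr-xr-x  4 cdnclou    cdnclou    4.0K Mar 22 07:41 cdn2.cloud.uk
drwx------  2 cyberpanel cyberpanel 4.0K Mar 22 07:34 cyberpanel
drwx------  2 vmail      vmail      4.0K Mar 22 04:02 vmail
drwxr-xr-x  4 voduyco    voduyco    4.0K Mar 22 07:31 voduy.com
"""

if __name__ == "__main__":
    print(find_collisions(["ssl.ipserver.ml", "ssl8.ipserver.ml", "duy13.ipserver.ml"]))
    print(shared_owners(SAMPLE_LS))
```

On a live server, feed `shared_owners()` the real output of `ls -lah /home`; any owner listed with two or more directories is a set of sites that do not get the per-user isolation the thread is asking for.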
  • Will add some random characters to PHPSuExec user which should rectify this.
