I am building a dashboard to control a couple of different websites (each is in a separate cPanel account (including the Dashboard), but all hosted on the same server).

The dashboard will use PHP's shell_exec, for example, to execute shell commands inside a website's directory:

shell_exec('cd /home/website/www/app/ && php artisan config:cache')

Or simply read a file:

file_get_content('/home/website/www/app/license');

Of course, by default, accounts are not allowed to have access to each other like this! Is there a way to allow one account/user to access/modify other accounts?

Dewan159
  • The users need to be in the same group, and the files & directories need to be group readable (possibly group writable & executable as well, depending on what all you want to be able to do). – Vince Sep 30 '19 at 22:36
  • Or alternatively, you could define access to specific commands within your sudoers file without opening up the user permissions. https://serverfault.com/questions/294661/how-to-grant-sudo-rights-only-to-specific-script-files – matticustard Sep 30 '19 at 23:15
  • @Vince I added both the "dashboard" and the "website1" users to the "clients" group, using `usermod -a -G clients [user]`. Now, should I make the files I want to access group-readable, or also every directory in the path? e.g. /home/ & /home/website1/ & /home/website1/www/ ... etc? – Dewan159 Oct 01 '19 at 20:17
  • If users need to read a given file `path/to/file.ext`, the directories `path`, and `to` need to be, at minimum, group readable. But other files within those directories do not necessarily need to be group readable. You also need to be sure that your web server is running as a user in the same group. Does that answer your question? – Vince Oct 01 '19 at 20:25
  • @Vince I found that every directory is already group-readable/writable. Also I added "root" to the "clients" group (after I found that apache is running as root!). But I still get permission denied. – Dewan159 Oct 01 '19 at 20:37
  • @Vince I am actually trying to just read a file for now. And as for running apache as root, I am actually not sure, all of this is new to me! Thanks for the help. – Dewan159 Oct 01 '19 at 20:44
  • Idk man. I did just notice you are calling `file_get_content` rather than `file_get_contents` here, but you're probably doing it right in your actual code. I'm stumped. If the file is group-readable, and the web server is in the same group as the file, it should have permission to read it. – Vince Oct 01 '19 at 21:05
  • @Vince I feel close to the solution, but I don't know what to do. How can I know the user of the web server? – Dewan159 Oct 02 '19 at 19:27
  • @Vince Also, should I change the "group" for the directory, or is the user being in the group enough? – Dewan159 Oct 02 '19 at 19:43
  • You can see what user Apache is running as by running `ps aux | egrep '(apache|httpd)'` (see [this answer](https://serverfault.com/a/133932)). It ***should*** be running as `www-data`. – Vince Oct 02 '19 at 19:54
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/200318/discussion-between-dewan159-and-vince). – Dewan159 Oct 02 '19 at 20:01

2 Answers

I would use SSH, as this would not restrict you to a single server and means that you do not have to breach the isolation of each cPanel account.

https://www.php.net/manual/en/function.ssh2-connect.php

I would suggest using this or alternatively this:

How To Execute SSH Commands Via PHP

Josh
  • Sounds great, but this would need me to change A LOT of the code I have written, sadly. I will make it my last resort. Thanks – Dewan159 Oct 01 '19 at 20:18

Supposing Apache is running as www-data in the group www-data, any file you need the server to have access to should be group-readable and have the group www-data.

You can see what Apache is running as by running:

ps aux | egrep '(apache|httpd)'

Also remember, the whole path to the file needs to be readable by the group. In other words, given a file /path/to/some/file.txt, the directories path, to, and some all need to be group readable and have the group www-data (or whatever Apache is running as).

Vince
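To find which component of a path stops a group member, as discussed in the comments and the answer above, the following added script (not part of the original thread) walks from / down to the target and reports the mode bits that apply to a non-owner member of the group: the search (x) bit on each directory and the read bit on the file, taken from the group class when the entry's group matches and from "other" otherwise. The function names are hypothetical and GNU coreutils `stat` is assumed.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes GNU coreutils stat(1).
# Usage: sh check_group_path.sh GROUP /absolute/path/to/file

# Print a verdict for one path as seen by a non-owner member of GROUP.
check_component() {
  local group="$1" path="$2" info mode fgroup bits need verdict=OK
  info=$(stat -L -c '%a %G' -- "$path") || return 2
  mode=${info%% *}; fgroup=${info#* }
  # The group class applies only if the entry's group matches; else "other".
  if [ "$fgroup" = "$group" ]; then bits=$(( (0$mode >> 3) & 7 ))
  else bits=$(( 0$mode & 7 )); fi
  # Directories need search (x = 1) to be traversed; the file needs read (r = 4).
  if [ -d "$path" ]; then need=1; else need=4; fi
  [ $(( bits & need )) -ne 0 ] || verdict=BLOCKED
  printf '%-7s %4s %-10s %s\n' "$verdict" "$mode" "$fgroup" "$path"
  [ "$verdict" = OK ]
}

# Walk from / down to TARGET; return 1 if any component blocks the group.
check_group_path() {
  local group="$1" rest="${2#/}" path="" part rc=0
  check_component "$group" / || rc=1
  while [ -n "$rest" ]; do
    part=${rest%%/*}
    case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
    [ -n "$part" ] || continue
    path="$path/$part"
    check_component "$group" "$path" || rc=1
  done
  return "$rc"
}

if [ "$#" -eq 2 ]; then check_group_path "$@"; fi
```

Only the classic mode bits are read; ACLs and PHP's `open_basedir` restriction are not evaluated.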