Share Directory Across Multiple Accounts
I'm trying to share a directory with multiple accounts (all owned by me; in fact, every account on the server belongs to me). So,
/home/example/www/images/
should be able to be modified by both user "example" and user "new".
Here's what I've done:
# Add "new_username" to group "example"
# Note: the -a here is for "append", so new_username can modify files
# under both groups "example" and "new"
usermod -aG example new_username
# Change permissions for each directory to be shared
umask 002
chmod -R 2777 /home/example/images/
But I still get "permission denied" errors when I try to upload from /new/. My server provider suggested that I chown the entire /home/example/ directory, as well as every subdirectory that I would like to share, like so:
chown example.new /home/example/
chown example.new /home/example/www/
chown example.new /home/example/www/images/
When I did this to a test directory, though, it showed the Owner/Group as: example/new. Now, since I added "new" to the "example" group earlier, this looks backwards to me. Why am I changing the group to new? Would making this change leave "example" unable to make changes to its own directory, since they now belong to a group that "example" doesn't belong to? /example/ is a very active account (my bread and butter), so I really don't like doing anything to it that could mess it up. So before I go and make a mess of things, I'm hoping you guys can confirm... is this right?

> GoWilkes wrote: But I still get "permission denied" errors when I try to upload from /new/.
Note that this type of setup is not supported, and considered bad security practice. Could you elaborate on the specific error message you receive and the exact method you are using to upload files? That might generate more user-feedback to the thread. Thank you.

I understand why it's considered bad security practice, but I really don't think it applies to me when I own every account on the server; I can access everything as "root", anyway.
First, I tried accessing /home/example/www/images via SSH, while logged in as "new". This was a simple:
cd /home/example/www/images
This gave the error:
-bash: cd: /home/example/www/images/: Permission denied
I also have a symlink at /home/new/www/ that links to /home/example/www/images/ (created as root), but I can't cd to that symlink, either; same error.
Then, I tried using a simple Perl script that was uploaded to "new":
#!/usr/bin/perl
use File::Copy;
copy("/home/new/www/images/santa.jpg", "/home/example/www/images/santa.jpg");
exit;
This doesn't actually throw an error, but when I add this after the "copy" command (before exit):
if (-f "/home/new/www/images/santa.jpg") { print "Found"; }
else { print "Not Found"; }
it prints "Not Found". And, of course, double-checking via SSH shows that the file does not exist on /example/.
I've changed the group for /images/ using the chown command I pasted in the first post, but my server provider said that I would need to do that for every parent directory leading up to /images/. This is where I get nervous; I worry that changing the group for the entire account is going to cause a problem I didn't expect (like, scripts not being able to create or modify directories or files in their own account).

For anyone following this in the future, I found the problem, and it was much simpler than I thought. Since I'm seeing this question asked a LOT across the web, with no real solutions given, I thought I'd share what I learned.
In order to share the directories across multiple accounts, all that I really needed to do was add the user to the shared group, then chmod the permission of each parent directory above the subdirectory. So, the entire process was:
# Add "new_username" to group "example"
# Note: the -a here is for "append", so new_username can modify files
# under both groups "example" and "new"
usermod -aG example new_username
# Change permissions for each directory to be shared
# Note: /home/example/ is 771, not 777, and the "2" sticky bit is not needed
umask 002
chmod 771 /home/example/
chmod 777 /home/example/public_html/
chmod 777 /home/example/public_html/images/
As I originally suspected, changing the owner (chown) was the wrong thing to do. Now, my scripts under /home/new/ can create a file at /home/example/, /home/example/public_html/, or /home/example/public_html/images/. When they do, though, it's worth knowing that the owner is "new", and the group is "example".

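The behaviour described in the post above follows from how directory permissions are evaluated: every directory on the way to the target must grant search (x) to the one class the user falls into (owner, else group, else other), and the target must also grant write. As an added example that is not part of the original thread, this script evaluates that chain from mode bits and lists world-writable components. The function names and the temporary directory tree are constructed for illustration, and `stat -c` (GNU or BusyBox) is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Mode bits only: ACLs, root and SELinux are ignored.

# class_bits MODE OWNER_UID OWNER_GID UID "GIDS": print the rwx triplet (0-7)
# that applies. Exactly one class is used: owner, else group, else other.
class_bits() (
  perm=$(( 0$1 & 0777 ))
  if [ "$4" -eq "$2" ]; then echo $(( ($perm >> 6) & 7 )); exit 0; fi
  for g in $5; do
    if [ "$g" -eq "$3" ]; then echo $(( ($perm >> 3) & 7 )); exit 0; fi
  done
  echo $(( $perm & 7 ))
)

# check_chain UID "GIDS" DIR...: every DIR but the last needs search (x),
# the last needs write+search (wx). Prints OK or "BLOCKED <dir> <mode>".
check_chain() (
  uid=$1; gids=$2; shift 2
  while [ $# -gt 0 ]; do
    need=1; if [ $# -eq 1 ]; then need=3; fi
    st=$(stat -c '%a %u %g' "$1") || exit 2
    bits=$(class_bits $st "$uid" "$gids")   # $st splits into mode, uid, gid
    if [ $(( $bits & $need )) -ne "$need" ]; then echo "BLOCKED $1 ${st%% *}"; exit 0; fi
    shift
  done
  echo OK
)

# world_writable DIR...: print each DIR whose "other" class has the write bit.
world_writable() (
  for d in "$@"; do
    mode=$(stat -c '%a' "$d") || exit 2
    if [ $(( 0$mode & 02 )) -ne 0 ]; then echo "$d"; fi
  done
)

# make_tree: constructed stand-in for /home/example/public_html/images under
# a temp dir, using the modes from the post above; prints the temp root.
make_tree() (
  root=$(mktemp -d) || exit 2
  mkdir -p "$root/example/public_html/images"
  chmod 771 "$root/example"
  chmod 777 "$root/example/public_html" "$root/example/public_html/images"
  echo "$root"
)

# Demo: "new" is modelled as a UID that is not the owner but is in the owning group.
root=$(make_tree); h=$root/example
owner=$(stat -c '%u' "$h"); grp=$(stat -c '%g' "$h")
check_chain $((owner + 1)) "$grp" "$h" "$h/public_html" "$h/public_html/images"
world_writable "$h" "$h/public_html" "$h/public_html/images"
rm -rf "$root"
```

Run against the modes from the post, an account outside the owning group also gets `OK`, because 771 and 777 grant search and write to every local user.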
Update to this solution: At some point in the last few months, this system broke. Symlinks across accounts like this simply stopped working. I found the culprit in /usr/local/apache/conf/httpd.conf:
Options ExecCGI FollowSymLinks IncludesNOEXEC Indexes SymLinksIfOwnerMatch
AllowOverride All
Simply remove "SymLinksIfOwnerMatch", then restart Apache. Whether this is going to break every time Apache updates, I don't know, so maybe someone else can suggest how to make this a permanent fix?

You can preserve custom changes to the Apache configuration file using the methods described in the following document: Preserving Custom Changes to the Apache Configuration. Thank you.

Michael, I ran the script on that page on Dec 22, but Apache still overwrote my change. Here's the script I ran:
/usr/local/cpanel/bin/apache_conf_distiller --update
I can't have this be overwritten every time WHM updates, so how do I make changes to the section permanent? Can I do something like this in the .htaccess files?
Options -SymLinksIfOwnerMatch
I guess it would have to be in the /www/ directory for both accounts (the one linking to the other)?

Could you open a support ticket using the link in my signature so we can take a closer look at why the changes were overwritten? You can post the ticket number here so we can update this thread with the outcome. Thank you.

Is the ticket number the same as the "Request id"? If so, it is: 5942725

To update, the user was advised to make these changes via: "WHM: Main >> Service Configuration >> Apache Configuration >> Global Configuration" Thank you.