
Linux, Unix, and *nix like Operating Systems Forum

    
How to create a "sub-user" with access to a specific directory
Getting a "could not resolve the symlink" error
MichaelBluejay




msg:4613440
 1:28 pm on Sep 28, 2013 (gmt 0)

My webhost has a wiki page about how to give a subuser access to a particular directory, but I tried it, it doesn't work, and they don't provide any support for that kind of setup.

Here's what I did:

(1) Created the main user ("main") and the directory ("thedirectory") I want both to be able to edit.

(2) Created the subuser ("subuser").

(3) Created a Unix group ("thegroup") and put both users in it.

(4) Assign the group to the directory with this: chgrp -R thegroup thedirectory

(5) Set the permissions for the directory with this: chmod -R g+rwxs thedirectory

(6) Log in as the subuser and create a symbolic link with this: ln -s /home/main/example.com/thedirectory /home/subuser/

The symbolic link gets created just fine, but when I try to cd to it I get the error "Permission denied". I double-checked thedirectory and its group is indeed "thegroup", and the permissions for group are read/write/execute.

So I'm stumped. Any ideas?

 

lammert




msg:4613570
 4:08 am on Sep 29, 2013 (gmt 0)

The rights assigned to and ownership of the symbolic link are not relevant in this case. What you should check are the rights in all the directories leading to the link and the destination directory, i.e. /home, /home/main, /home/main/example.com and /home/main/example.com/thedirectory, and the rights assigned to /home/subuser. If one of those directories is not accessible by the sub user, you'll get the permission denied error.
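
An added example (not part of the post above or of any tool named in the thread) of the check it describes: the script walks every directory from / down to a symlink's resolved target and reports whether a given uid and group set holds the search (x) bit on each one. The temp-dir layout, the stand-in uid and the function names are constructed for illustration, and only classic mode bits are evaluated (no ACLs).

```python
import os
import stat
import tempfile

def may_enter(st, uid, gids):
    """Does the search (x) bit that applies to this uid/gids allow entering the dir?"""
    if uid == 0:                       # root bypasses directory permission checks
        return True
    if st.st_uid == uid:               # owner class wins, even if group/other allow more
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def trace(path, uid, gids):
    """List (directory, may_enter) for each directory from / down to the resolved path."""
    real = os.path.realpath(path)      # follow symlinks: the link's own mode is irrelevant
    chain = [real]
    while os.path.dirname(chain[-1]) != chain[-1]:
        chain.append(os.path.dirname(chain[-1]))
    result = []
    for d in reversed(chain):
        st = os.stat(d)
        if stat.S_ISDIR(st.st_mode):
            result.append((d, may_enter(st, uid, set(gids))))
    return result

def build_demo_tree():
    """Constructed layout mirroring the thread, under a temp dir. Returns (base, link)."""
    base = os.path.realpath(tempfile.mkdtemp())
    os.chmod(base, 0o755)
    layout = [("home", 0o755), ("home/main", 0o700), ("home/subuser", 0o755),
              ("home/main/example.com", 0o755),
              ("home/main/example.com/thedirectory", 0o2770)]   # g+rwxs as in step (5)
    for rel, mode in layout:
        d = os.path.join(base, rel)
        os.makedirs(d, exist_ok=True)
        os.chmod(d, mode)
    link = os.path.join(base, "home", "subuser", "thedirectory")
    os.symlink(os.path.join(base, layout[-1][0]), link)
    return base, link

if __name__ == "__main__":
    base, link = build_demo_tree()
    group = os.stat(base).st_gid       # stands in for "thegroup"
    subuser = os.getuid() + 1          # hypothetical uid that owns none of these dirs
    for d, ok in trace(link, subuser, {group}):
        if d.startswith(base):
            print("ok     " if ok else "BLOCKED", d)
```

To cover the link's own location as well, run trace() on the directory that contains the link.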

MichaelBluejay




msg:4613580
 5:03 am on Sep 29, 2013 (gmt 0)

Thank you for your help.

I don't understand security well, but it seems that giving the subuser read access to /home/, /home/main/, and /home/main/example.com/ is a risk, so I'd prefer to avoid doing so if I can.

So I thought maybe I could try it the opposite way, putting the actual files in the subuser's directory, and then creating a symbolic link in the main user's directory:

(1) Create /home/subuser/test/, and make sure /home/subuser/ and its contents are chmod 755.
(2) Log in as the main user, and create a symbolic link with: ln -s /home/subuser/test /home/main/example.com/test

When I do that, the main user can open the symbolic link without errors. However, when I try to open http://example.com/test/ in a browser, I get a 403 Forbidden error. My .htaccess file has Options+FollowSymLinks as the very first item. My error log says, "Symbolic link not allowed or link target not accessible." What am I doing wrong?

MichaelBluejay




msg:4613708
 6:25 am on Sep 30, 2013 (gmt 0)

Okay, I got my second idea above to work, by doing the following:

(1) Changing the ownership of the symbolic link to "main" (not sure if this was really necessary, but it was the first thing I tried. That alone didn't fix it.)
(2) Changing the ownership of /home/subuser/test to "main". (That also didn't fix it.)
(3) Setting the permissions of /home/subuser/test/ to 777.

That does seem like a bit of a security risk, though. I imagine the risk is that if anyone is able to log onto my system, no matter what user they are, they can scan for directories that have write access, and then put web-accessible files there. But I don't know a way around this.

Is there a way to do either the first method, the second method, or some other method of granting editing access to a subuser without compromising security?

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved