|How to create a "sub-user" with access to a specific directory|
Getting a "could not resolve the symlink" error
| 1:28 pm on Sep 28, 2013 (gmt 0)|
My webhost has a wiki page about how to give a subuser access to a particular directory, but I tried it, it doesn't work, and they don't provide any support for that kind of setup.
Here's what I did:
(1) Created the main user ("main") and the directory ("thedirectory") I want both to be able to edit.
(2) Created the subuser ("subuser").
(3) Created a Unix group ("thegroup") and put both users in it.
(4) Assign the group to the directory with this: chgrp -R thegroup thedirectory
(5) Set the permissions for the directory with this: chmod -R g+rwxs thedirectory
(6) Log in as the subuser and create a symbolic link with this: ln -s /home/main/example.com/thedirectory /home/subuser/
The symbolic link gets created just fine, but when I try to cd to it I get the error "Permission denied". I double-checked thedirectory and its group is indeed "thegroup", and the permissions for group are read/write/execute.
So I'm stumped. Any ideas?
| 4:08 am on Sep 29, 2013 (gmt 0)|
The rights assigned to and ownership of the symbolic link are not relevant in this case. What you should check are the rights in all the directories leading to the link and the destination directory, i.e. /home, /home/main, /home/main/example.com and /home/main/example.com/thedirectory, and the rights assigned to /home/subuser. If one of those directories is not accessible by the sub user, you'll get the permission denied error.
| 5:03 am on Sep 29, 2013 (gmt 0)|
Thank you for your help.
I don't understand security well, but it seems that giving the subuser read access to /home/, /home/main/, and /home/main/example.com/ is a risk, so I'd prefer to avoid doing so if I can.
So I thought maybe I could try it the opposite way, putting the actual files in the subuser's directory, and then creating a symbolic link in the main user's directory:
(1) Create /home/subuser/test/, and make sure /home/subuser/ and its contents are chmod 755.
(2) Log in as the main user, and create a symbolic link with: ln -s /home/subuser/test /home/main/example.com/test
When I do that, the main user can open the symbolic link without errors. However, when I try to open http://example.com/test/ in a browser, I get a 403 Forbidden error. My .htaccess file has Options+FollowSymLinks as the very first item. My error log says, "Symbolic link not allowed or link target not accessible." What am I doing wrong?
| 6:25 am on Sep 30, 2013 (gmt 0)|
Okay, I got my second idea above to work, by doing the following:
(1) Changing the ownership of the symbolic link to "main" (not sure if this was really necessary, but it was the first thing I tried. That alone didn't fix it.)
(2) Changing the ownership of /home/subuser/test to "main". (That also didn't fix it.)
(3) Setting the permissions of /home/subuser/test/ to 777.
That does seem like a bit of a security risk, though. I imagine the risk is that if anyone is able to log onto my system, no matter what user they are, they can scan for directories that have write access, and then put web-accessible files there. But I don't know a way around this.
Is there a way to do either the first method, the second method, or some other method of granting editing access to a subuser without compromising security?