Permissions for each website run under different users (suexec, lsphp...)

Hi,
Is there any tutorial to do that, as I see currently the system is using a single user for all webs: sslipse

[root@vddos public_html]# ls -lah
total 24K
drwxr-xr-x 3 sslipse sslipse 4.0K Mar 22 06:44 .
drwxr-xr-x 4 sslipse sslipse 4.0K Mar 22 04:13 ..
drwxr-xr-x 2 sslipse sslipse 4.0K Mar 22 04:13 .well-known
-rwxr--r-- 1 sslipse sslipse  725 Mar 22 04:14 index.html
-rw-r--r-- 1 sslipse sslipse   20 May  8  2014 info.php
-rw-r--r-- 1 sslipse sslipse  144 May 17  2016 who.php

For example web 1.com running as user1 privilege; web 2.com running as user2 privilege;

This is to limit the local attack

You are inside a public_html of a single website (All child domains under this will use this user)

However, each website runs via its own user; you need to run

ls -la /home

  1. Add a USER: user1
  2. Add WEBSITE for user1: ssl9.ipserver.ml
  3. Check Permission /home:
[root@vddos ~]# ls -lah /home/
total 28K
drwxr-xr-x  7 root       root       4.0K Mar 22 07:15 .
dr-xr-xr-x 20 root       root       4.0K Mar 22 04:40 ..
drwx------  2 cyberpanel cyberpanel 4.0K Mar 22 06:42 cyberpanel
drwxr-xr-x  4 sslipse    sslipse    4.0K Mar 22 04:13 ssl.ipserver.ml
drwxr-xr-x  4 sslipse    sslipse    4.0K Mar 22 04:53 ssl8.ipserver.ml
drwxr-xr-x  4 sslipse    sslipse    4.0K Mar 22 07:15 ssl9.ipserver.ml
drwx------  2 vmail      vmail      4.0K Mar 22 04:02 vmail
  4. Check vHost Conf of WEBSITE ssl9.ipserver.ml:
docRoot                   $VH_ROOT/public_html
vhDomain                  $VH_NAME
vhAliases                 www.$VH_NAME
adminEmails               [email protected]
enableGzip                1
enableIpGeo               1

index  {
  useServer               0
  indexFiles              index.php, index.html
}

errorlog $VH_ROOT/logs/$VH_NAME.error_log {
  useServer               0
  logLevel                ERROR
  rollingSize             10M
}

accesslog $VH_ROOT/logs/$VH_NAME.access_log {
  useServer               0
  logFormat               "%v %h %l %u %t "%r" %>s %b"
  logHeaders              5
  rollingSize             10M
  keepDays                10
  compressArchive         1
}

scripthandler  {
  add                     lsapi:sslipse php
}

extprocessor sslipse {
  type                    lsapi
  address                 UDS://tmp/lshttpd/sslipse.sock
  maxConns                10
  env                     LSAPI_CHILDREN=10
  initTimeout             60
  retryTimeout            0
  persistConn             1
  pcKeepAliveTimeout      1
  respBuffer              0
  autoStart               1
  path                    /usr/local/lsws/lsphp72/bin/lsphp
  extUser                 sslipse
  extGroup                sslipse
  memSoftLimit            2047M
  memHardLimit            2047M
  procSoftLimit           400
  procHardLimit           500
}
context /.filemanager {
  type                    NULL
  location                /usr/local/lsws/Example/html/FileManager
  allowBrowse             1
  autoIndex               1

  accessControl  {
    allow                 127.0.0.1, localhost
    deny                  0.0.0.0/0
  }
  addDefaultCharset       off
}

vhssl  {
  keyFile                 /usr/local/lsws/conf/vhosts/SSL-ssl9.ipserver.ml/privkey.pem
  certFile                /usr/local/lsws/conf/vhosts/SSL-ssl9.ipserver.ml/fullchain.pem
  certChain               1
  sslProtocol             31
}

  5. Check passwd
[root@vddos ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:998:997:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
saslauth:x:997:76:Saslauthd user:/run/saslauthd:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
cyberpanel:x:1000:1000::/home/cyberpanel:/bin/bash
lsadm:x:996:995:lsadm:/:/sbin/nologin
mysql:x:995:994:MySQL server:/var/lib/mysql:/sbin/nologin
ftpuser:x:2001:2001:"pureftpd user":/bin/null:/bin/false
pdns:x:994:993:PowerDNS user:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:993:992:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
vmail:x:5000:5000::/home/vmail:/bin/bash
sslipse:x:5001:5001::/home/ssl.ipserver.ml:/bin/bash
vddos:x:5002:5002::/vddos:/sbin/nologin

It seems that however many users or domains I add, their permissions are under USER sslipse

I understand your point of view; the problem is that the PHPSuExec user is picked from the domain name.

ssl.ipserver.ml
ssl8.ipserver.ml
ssl9.ipserver.ml

Your domain names here are similar, except for the number (numbers are excluded), which is why you are getting the same user every time.

Try with something like:

duy13.ipserver.ml

Everything has been successful, thank you!

But it seems that CyberPanel users will have trouble with different subdomains for plans CDN Server Static File:
cdn1.cloud.uk
cdn2.cloud.uk

s100.zvideos.cn
s200.zvideos.cn
s300.zvideos.cn

[root@vddos ~]# ls -lah /home/
total 44K
drwxr-xr-x 11 root       root       4.0K Mar 22 07:41 .
dr-xr-xr-x 20 root       root       4.0K Mar 22 04:40 ..
drwxr-xr-x  4 cdnclou    cdnclou    4.0K Mar 22 07:40 cdn1.cloud.uk
drwxr-xr-x  4 cdnclou    cdnclou    4.0K Mar 22 07:41 cdn2.cloud.uk
drwx------  2 cyberpanel cyberpanel 4.0K Mar 22 07:34 cyberpanel
drwx------  2 vmail      vmail      4.0K Mar 22 04:02 vmail
drwxr-xr-x  4 voduyco    voduyco    4.0K Mar 22 07:31 voduy.com

Will add some random characters to PHPSuExec user which should rectify this.
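
Added example (not part of the thread and not CyberPanel's code): a check for the collision discussed above, so that sites meant to be isolated do not silently share one PHP user. The naming rule in `derive_user` (letters only, first 7 characters) is an assumption inferred from the `/home` listings in this thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not CyberPanel code. The naming rule is INFERRED from this
# thread's listings: keep letters only, then take the first 7 characters.
derive_user() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -cd 'a-z' | cut -c1-7
}

# Reads "user site" pairs on stdin; prints every user that owns 2+ sites.
group_shared() {
    LC_ALL=C sort | awk '
        { sites[$1] = sites[$1] " " $2; count[$1]++ }
        END { for (u in count) if (count[u] > 1) print u ":" sites[u] }
    ' | LC_ALL=C sort
}

# Before creating sites: one domain per line on stdin.
predict_collisions() {
    while IFS= read -r domain; do
        if [ -n "$domain" ]; then
            printf '%s %s\n' "$(derive_user "$domain")" "$domain"
        fi
    done | group_shared
}

# On a live server: group the site directories under $1 (e.g. /home) by
# their real owner. Relies on GNU find's -printf.
audit_home() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -name '*.*' \
        -printf '%u %f\n' | group_shared
}

# Domains mentioned in the thread.
THREAD_DOMAINS='ssl.ipserver.ml
ssl8.ipserver.ml
ssl9.ipserver.ml
duy13.ipserver.ml
cdn1.cloud.uk
cdn2.cloud.uk
s100.zvideos.cn
s200.zvideos.cn
s300.zvideos.cn
voduy.com'
printf '%s\n' "$THREAD_DOMAINS" | predict_collisions
```

Running `audit_home /home` on the server reports the owners actually assigned, which is the check to repeat after any change to how the panel names users.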