Each domains have its own owner user and own group created by Virtualmin like:
/home/domain1
owner: domain1, group: domain1
/home/domain2
owner: domain2, group: domain2
/home/domain3
owner: domain3, group: domain3
The real “core” path is made manually by the ie. “user”:
/home/core
owner: user, group: user
I tried: chmod -R 0777 /home/core
Sadly, when I try to access the URL:
https://[domain1_url]/core/script.js it gets the 403 Forbidden response.
https://[domain2_url]/core/script.js it gets the 403 Forbidden response.
https://[domain3_url]/core/script.js it gets the 403 Forbidden response.
So, even recursive chmoding 0777 for /home/core is not allowing to serve the files under the /home/core from another domain/user.
Is there any way to handle that case and have one core path and files for several domains?
I’m using Apache.
i don’t think that should make a difference, to me it sounds more like the ownership of the file (esp the group) shouldn’t domain1 be a member of core?
This is always a four alarm fire. If you’re ever doing this, something horrible has gone wrong.
You can add the “core” group as a secondary group for all of your other domains, and they’ll be able to read core’s files (but not execute them). However, if I’m understanding what I’m seeing, I think you’re going about it wrong.
Are these files executable parts of an application or are they static assets that are loaded and parsed by the browser? That makes a big difference in how you can/should do what you’re after.
Those are mostly a static assets passed to the browser, however some of them are PHP core scripts that I want to share across the domains.
So, under the “/home/core” I want to have a core part of the website, which is hosted on a different domains on the same machine, each website on domain1/domain2/domain3 is like a copy with a little modifications. That’s the idea of having a “core” part of the website accessible from a different domains.
I know the 0777 is asking for trouble but it was just an example that is not working for the assets.
Nevertheless, the PHP scripts are correctly loaded and executed from the symlinked /home/core - the main PHP scripts under the domain1/domain2/domain3 are just including the scripts like
include “core/php/sampleclass1.php”
require_once “core/php/sampleclass2.php”
where the “core” is symlinked to the “/home/core” and it is working fine when 0777 chmoded.
Just the static assets have some trouble to be passed to the browser and throw 403 Forbidden ie, “core/js/sample.js” where the “core” is symlinked to the “/home/core”.
So for PHP there is a scenario:
domain1 → PHP main script like: main.php
do the: include “core/php/sampleclass.php”
domain2 → PHP main script like: main.php
do the: include “core/php/sampleclass.php”
domain3 → PHP main script like: main.php
do the: include “core/php/sampleclass.php”
(the “core” path is symlinked)
And it works.
But simple static assets handled not by PHP but by the Apache itself:
domain1/core/js/script.js
throws a 403 Forbidden (the “core” path is symlinked)
domain2/core/js/script.js
throws a 403 Forbidden (the “core” path is symlinked)
domain3/core/js/script.js
throws a 403 Forbidden (the “core” path is symlinked)
I would create aliases for all the various domains, something like static.domain1.tld and static.domain2.tld in the core domain and change all of your links to point to that new domain. If you can’t do that (I’ll be very surprised, since most applications are built to allow static assets in a CDN or whatever on alternate domain names/paths), I guess you could configure Apache to follow symlinks. (e.g. https://superuser.com/questions/244245/how-do-i-get-apache-to-follow-symlinks)
“working fine” is working hard here. That’s not fine, that’s dangerous.
If you must do it this way, you should add core as a secondary group for all of the domains that need to access these files, and probably chmod 750 or 751 for executables. Those domains definitely should not be granted write access to the shared files, which you’ve done with 777 (every user has full access with this).
In my case no one domain will be a “core” domain to make it a static/CDN for the assets, I didn’t want that as it will be hard to tell which one is the “core one”. So, I just have a “core” directory on the host server, where the domains will look for a “core” website.
I will try this Apache FollowSymLinks option and chmoding more restrictively to 750 or 751 as you mentioned, Thank you.
Exactly, the “/home/core” was created manually by me and it is not associated with any domain made by Virtualmin.
The /home/domain1 etc. are made by Virtualmin.
I mean, I haven’t tried to think through the implications of doing it entirely in the filesystem, so maybe it’s fine? (Certainly the chmod 777 is crazy and should never happen, but if you do it sanely with group membership and 750 or 640 for executables and static files, maybe it’s OK.)
Currently the “/home/core” is owned by a user, lets say “user1”, group “user1”.
The domain directories are owned by a user and group created by Virtualmin, let’s say like that:
/home/domain1 (owner domain1, group domain1)
/home/domain2 (owner domain2, group domain2)
/home/domain3 (owner domain3, group domain3)
I’m not sure if my current OS which is Debian 12 allows to have a multiple groups for one directory, or assign a user to a multiple groups (or I don’t know how to achieve that).
Maybe I should somehow assign user “user1” to “domain1/domain2/domain3” group, or in reverse add a user “domain1/domain2/domain3” to “user1” group, and then play with the chmoding?
Yes it does just add the user to the other group depending on which way around you want to do it. A user can be a member of multiple groups. The choice is yours, as I have never done anything like this, but i have used php to load includes from a stipulated directory which I guess is about the same thing
I told you what you need to do several times: make all of your domains that need access to those files members of the group that owns them. (Secondary group. Not primary. Users on Linux can be members of any number of groups.)
You cannot make a file owned by multiple users or groups with traditional filesystem permissions. There are advanced ACLs, but you don’t need them. Just do what I’ve suggested several times in this thread, if you must provide access to the files instead of doing it via aliases.