SOLVED Composer Package Available to All Users with Jailshell Enabled?

[linux4me2]

I've been using PHP Codesniffer with some additional rulesets installed via Composer on several accounts to test PHP code before I upgrade the PHP version. Currently, I've got PHP Codesniffer installed on each account where I use it in the users' /home folder and added the path to each users' .bashrc so I can run commands without including the entire path; however, as I use PHP Codesniffer on more and more accounts, I've decided it would be easier to install it in one place that would allow it to be used from any user's account, but require that it be installed in only one place.

Into which folder can I install PHP Codesniffer--or any Composer package--to make the associated command(s) executable from any users' account when they're logged in via SSH?

If this is a bad idea for some reason, I'd like to know that, too.

My server is using Apache, jailshell is enabled, and I'm not using Cloudlinux. Composer is already installed and running fine globally.

 

[cPanelLauren]

Hello,


This is a 3rd party extension that isn't provided by or developed by cPanel. To determine the best practice for the extension I'd suggest contacting them directly here: squizlabs/PHP_CodeSniffer

 

[linux4me2]

Thanks, Lauren. I don't need help with PHP Codesniffer, really. I have it working locally in each users' account. I'm more interested in where to install Composer packages so they can be used globally in all user accounts on a CentOS/cPanel server using jailshell, and although the developers of PHP Codesniffer may be able to help with that, I expected they would tell me to come here and ask.

 

[cPanelLauren]

@linux4me2


To be completely honest I'm not familiar with the composer packages. But From what I understand there doesn't seem to be any restriction on composer packages outside of the account having shell access - per the documentation here: How to Set Up (PHP) Composer - cPanel Knowledge Base - cPanel Documentation

 

[linux4me2]

@cPanelLauren

I think I have it figured out, and I'll explain what I did in case you see something I shouldn't be doing, and for others who may be interested.

Using SSH, I logged in on a user account and ran the command:

echo $PATH

which showed me the current path:

/usr/local/cpanel/3rdparty/lib/path-bin:/usr/local/cpanel/3rdparty/lib/path-bin:/usr/lib64/qt-3.3/bin:/usr/local/cpanel/3rdparty/lib/path-bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/cpanel/composer/bin:/root/bin

That told me that /opt/cpanel/composer/bin was already in the path so all users can run Composer. As a test, I logged in as root, built a simple shell script in /opt/cpanel/composer/bin, made it executable with chmod, logged back in as a user, and found I could run the shell script from a user account. However, by default, Composer loads all the packages you install into a folder called "/vendor/bin," so I knew I needed that in the path in order to run PHP Codesniffer without the path, just using the command "phpcs..." (I think Composer might allow you to change the default install directory in a composer.json file, but the following method is just as easy.)

I looked in /etc/profile.d, and found out there is a file called cpanel-php-composer.sh. Looking into that file, I found that it has the line:

export PATH="$PATH:/opt/cpanel/composer/bin

so I knew that's where /opt/cpanel/composer/bin gets added to the path. I modified that line to add the /vendor/bin folder:

export PATH="$PATH:/opt/cpanel/composer/bin:/opt/cpanel/composer/vendor/bin"

then logged in as a user and found that /opt/cpanel/composer/vendor/bin was indeed added to the path. In the cpanel-php-composer.sh file, it says:

## NOTE: If you want to disable this file, comment out or ##
## delete the 'export' line below. If you simply delete the ##
## file itself, then it will come back the next time that you ##
## update cPanel & WHM. ##

Since I modified the export line, I'm thinking my changes will persist when cPanel and WHM update if commenting it out is preserved. I'll find out with the next update.

Next, as root, I installed PHP Codesniffer and the extra compatibility standards in /opt/cpanel/composer, where Composer dutifully created the /vendor/bin folders. Finally, I logged in as a user and was successfully able to run PHP Codesniffer using the command(s) without the path.

Unless you see something I did wrong or that causes a security problem, this works and is the way to install Composer packages to make them available to any user on an Apache server with jailshell enabled. Now I only have to maintain Composer packages in one place.

 

[cPanelLauren]

@linux4me2

This is fantastic, thank you for your diligence and the detailed instructions, it's much appreciated.

 

[linux4me2]

You're welcome! I guess that means I didn't compromise the entire server.

 

[cPanelLauren]

I don't believe anything done there is a risk, but just to be on the safe side, I'm going to run it by a higher-level analyst.

 

[linux4me2]

I don't believe anything done there is a risk, but just to be on the safe side, I'm going to run it by a higher-level analyst.

Thank you!

 

[cPanelLauren]

Hey @linux4me2

I double checked with one of our L3 Analysts who just got back to me on this. As far as we are aware this modification shouldn't pose any security concerns, the one thing to note though is if CodeSniffer has vulnerabilities it could pose a concern, but you'd have that concern whether or not you allowed it for the accounts.

 

[linux4me2]

I understand. Thanks for taking the time to double-check this for me. I really appreciate it.