I know there is a way to make it so that 755 is the highest that a server will allow for chmod on users' accounts,
can someone tell me how to do this,
and also allow users to set permissions to 444
Why would you want to do this? It would keep your customers from installing and running certain scripts.
If you set up right there isn't a script out there that needs to be set to 777,
755 will work just fine,
as a matter of fact we have a lot of things running as 750
since world never needs to write to a file
Might try searching the forums for PHPSuExec. I think that's what you want.
we have phpsuexec, however users can still set any folder that doesn't have a php folder that's in use to 777 and it causes no faults,
I have scripts to run every night to reset the folder permissions to 755 but we have some serious knuckleheads that just keep flipping the folders back, and then yell at me when someone drops a phishing site into their folders
so to eliminate this problem I want to block a user's access from setting 777,
we looked at umask but that doesn't stop the users' ability, it just controls files and folders that are created dynamically
I assume these are reseller accounts and the reseller clients are installing phishing sites or are these subdomains of existing domains?
I guess what I am asking is how are these people getting access to hosting these files in the first place?
Nope,
these are not reseller accounts,
the funny thing about folders left to 777 is you can use an outside source to write files into this folder,
happens all the time, and they don't have to have any account access,
this is why we want to remove this ability,
I didn't like getting the calls from 2 major banks that a client had these in his folders,
since some of the clients WON'T listen and say that WP says that they HAVE to have these folders set to global write, I want to take the option out of their hands,
I see, so I need to ask another question. What method were they using to upload these files, anon ftp? account holder created ftp or any other method?
The reason I am curious is that, of the many thousands of cPanel accounts I oversee, I was only aware of 1 phishing site, which happened to be set up by the account holders themselves. Needless to say, they were reported / deleted instantly.
Because of this, I tend to find your trouble perhaps isolated to one or two clients that will not cooperate or perhaps aid in this practice by not taking proper responsibility over their space. These are the type of clients I would shove to the curb with or without their baggage.
CSF also helps with suspicious file monitoring as well as many other tactics.
Putting this:
find /home -perm 00777 -exec chmod 755 {} \;
in a cron job to run periodically would take care of it.
I do wonder, particularly for the larger hosting sites - does the switch to phpsuexec, which is really the only way you can actually do the above without breaking sites, have an impact on performance?
I already have this set up as a cron
find /home*/*/public_html -type d -perm 0777 -exec chmod 755 {} \;
works for /home anything/ and all users
Problem is this will only chmod the folders after the fact,
I need to make it so that they can't set them to 777 at all,
at least through ftp
most won't think to go through the filemanager,
I have seen this on other hosts, just can't remember where...
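An added example, not written by any poster in this thread: a variant of the nightly cron cleanup discussed above that matches any world-writable directory rather than only an exact 0777, logs owner and original mode so repeat offenders can be followed up, and clears only the world-write bit. It assumes GNU find; the function names, script name and log path are made up for illustration.

```shell
#!/bin/sh
# Added example (assumes GNU find, as on a typical Linux hosting server).

# Report every world-writable directory under the given roots as
# "owner mode path", without changing anything.
list_world_writable() {
    # -perm -0002 matches any mode with the world-write bit set
    # (0777, 0757, 0773, 1777, ...), not only an exact 0777.
    # find does not follow symlinks by default; -xdev stays on one filesystem.
    find "$@" -xdev -type d -perm -0002 -printf '%u %m %p\n'
}

# Log the same lines, then clear only the world-write bit (o-w), leaving
# the owner and group bits the user chose untouched.
fix_world_writable() {
    find "$@" -xdev -type d -perm -0002 \
        -printf '%u %m %p\n' -exec chmod o-w {} +
}

# Count offending directories per owner, worst first, so repeat
# offenders can be contacted instead of silently corrected every night.
summarize_by_owner() {
    list_world_writable "$@" | cut -d' ' -f1 | sort | uniq -c | sort -rn
}

# Run from cron as, e.g.:
#   fix-ww.sh /home*/*/public_html >> /var/log/ww-dirs.log
# (script name and log path are placeholders). With no arguments, do nothing.
if [ "$#" -gt 0 ]; then
    fix_world_writable "$@"
fi
```

Like the cron jobs in the thread, this only corrects permissions after the fact; it does not stop a user from setting them again over FTP.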