Change owner of files
Is there a way to reset ownership of files to user:user? Shell is disabled.
For example, DirectAdmin has the option to do this in their File Manager, even recursive. I'm quite surprissed there isn't option like this in cPanel, or at least I don't see it.
I don't want tu use the perforcmance killing suPHP or give users shell access.
If you have shell access i think /scripts/chownpublichtmls will do the job. You can setup a cron job and run it whenever you want.
Yes, but scenario is usually like this:Originally Posted by Vision
- user (no shell access) install Joomla etc.
- user uploads custom themes via web browser
- user wants to start afresh or delete some themes
- he can't do it, since owner of those files is apache user
- he wants it *now* and not in few hours time when cron will be run
Why not make a way for user to reset ownership himself? Like DA did.
Why not avoid this whole user nobody mess in the first place by running SuPHP and SuExec?
That's the workaround, but I've read it slows performance down drastically.
As said, DA have the option in their file manager to take ownership of files back...
On contemporary server hardware, the performance difference is not noticeable. On rare occasion, modifying which modules are installed on a server creates an adverse reaction causing a noticeable performance decrease. If you experience a significant performance decrease when using SuPHP and/or SuExec, feel welcome to have our technical analysts take a look at that for you.
Another benefit of using SuPHP/SuExec is that it would curb malicious users from rewriting the scripts of other users on your server, since the scripts would now be owned and run by individual users (rather all of them being user nobody). Also, scripts with insecure permissions (e.g. 777) would no longer run, making any mass exploitation by means of rewriting those scripts impractical.
Regarding File Manager letting cPanel users change the ownership of files they do not own but are within their home directory, that is something our developers are considering. However, this introduces significant security concerns that would also need to be addressed before we proceed with implementing such functionality. Internal Case 28070.
Thank your for your reply. I will try using suExec & suPHP and see if there's any impact, I can deal with few %'s.
The performance impact of using SuPHP is negligible and very minor unless you try to install a performance enhancer like FastCGI or eAccelerator (These actually SLOW DOWN performance when running SuPHP and is a common mistake by many administrators when first migrating over to SuPHP). Otherwise, the impact performance wise of changing over to SuPHP is very minimal and you likely won't notice anything whatsoever. The security gains on the other hand are ENORMOUS and will drastically increase your ability to track scripts and close down a huge long list of security issues as well as potential cross site script vulnerabilities!
Three things to remember when running SuPHP though ....
1. Scripts no longer need permission 777 so you can ignore all script
instructions that tell you to change permissions to 777. In fact it is
not allowed and your script will fail if you do change to 777.
2. Files uploaded by script will now be owned correctly by the owner
of the account instead of the generic user "nobody". You can go ahead
and change the ownership of all files back to the account owner.
3. Custom PHP settings in .HTACCESS will no longer work and if you have
any "php_flag" or "php_value" commands in your .htaccess files, your
site WILL throw an error 500 condition. If you have a site that
requires custom PHP settings, those can still by using a custom PHP.INI
file specified in the Virtualhost settings.
Most of these updates can be scripted fairly easily ...
I actually do these sort of migrations daily for clients and there is not much to worry about although you may want to notify your clients before converting that they may have a few "glitches" just while everything is being converted over to the new PHP system.
For those that need to update the ownerships, I'll go ahead and give you a simple script for that now:
The above script (written for Cpanel servers on Linux) will reset all web files in theCode:#!/bin/bash IFS="$" cd /home ls /var/cpanel/users | grep -v "root\|nobody\|mysql" | while read CUSER; do CPATH=$(grep "${CUSER}:x:" /etc/passwd | grep -v ':0:0:' | head -1 | cut -d':' -f6 | cut -d':' -f1) if [ -d ${CPATH}/public_html ]; then chown -Rhc ${CUSER}:${CUSER} ${CPATH}/public_html/* fi done
every cpanel account on the server back to the original account owner / login name
and display a detailed report of any changes applied to files that need updating.
Last edited by Spiral; 08-13-2009 at 04:49 PM.
Because there are a few 10's of Joomla etc. installations on this server, is there a script already which will reset directory and file permissions for each user automatically?1. Scripts no longer need permission 777 so you can ignore all script
instructions that tell you to change permissions to 777. In fact it is
not allowed and your script will fail if you do change to 777.
Thanks.
The script I posted above to reset ownerships could be modified for that
and you could put the following in place or after the "chown" line ...
Code:find ${CPATH}/public_html -type d -perm 0777 | xargs chmod 0755 find ${CPATH}/public_html -type f -perm 0777 -name '*.php' | xargs chmod 0640
In reference to the script Spiral posted above that changes ownership:
When performing mass ownership reassignments like this, one should have the script explicitly exclude files owned by root.
Last edited by cpanelkenneth; 08-13-2009 at 04:13 PM. Reason: typo
Kenneth
Product Manager
cPanel, Inc.
Collaboration Efforts from all towards open source project security
I've started a thread at oscommerceuniversity.com entitled Securing major open source projects 777 folders and files collaboration effort
Things that we should work to accomplish:
- Own to websever group
- convert to suPHP
- Set the GID & UID bits
Create your username and select to permanent post and link on that forum while we build it and return to this thread on cpanel and post the beta/gold release to the public.
At some point in time, we can release it on sourceforge as a multi-open-source security bash script or cpanel owners and maybe get picked up in cpanel's wiki.
Inetbizo, I am flattered at you using my script code snippet above as a base ...
However, what you are asking to develop, I already developed long ago!
(The script above is only a small subset of a much larger script and
cronjob I wrote a while back to illustrate how to do global permission
or ownership changes. The full script actually scans the entire server
for GLOBAL accessible permissions in folders or PHP scripts and changes
those to the correct restricted owner permissions for systems running
SuPHP, moves .htaccess PHP overrides out to secured custom config files
and basically all the conversions needed to convert from DSO to SuPHP
on a totally automated basis. It also works in reverse and can convert
from SuPHP based servers back to DSO as well correctly updating all
permissions and ownerships and PHP custom settings)
--Spiral
PS: Then again, maybe you wouldn't be interested in my code as my first
company was named "Skynet" many, many years ago and as side trivia,
I actually really do work with Artificial Intelligence as my real job.
Last edited by Spiral; 08-22-2009 at 03:32 PM.
Re: Change owner of files
We run PHP as a DSO. We use php to upload files and write to folder. We do not run SELinux. We need a way to run through all files written as nobody.nobody and change the ownership of that file to cpuser but the group can stay as nobody.
Thoughts?
StrikeHawk eCommerce Inc. * osCommerce Community Support Specializes in CRE Loaded open source e-commerce cart.
Re: Change owner of files
I tried to use this but I get the following error:
Here is the whole snippet:Code:find: missing argument to `-exec'
Code:#!/bin/bash IFS="$" cd /home ls /var/cpanel/users | grep -v "root\|nobody\|mysql" | while read CUSER; do CPATH=$(grep "${CUSER}:x:" /etc/passwd | grep -v ':0:0:' | head -1 | cut -d':' -f6 | cut -d':' -f1) if [ -d ${CPATH}/public_html/images ]; then chown -Rhc ${CUSER}:nobody ${CPATH}/public_html/images/* find ${CPATH}/public_html/images/ -type d -exec chmod 0775 {} \: fi done
StrikeHawk eCommerce Inc. * osCommerce Community Support Specializes in CRE Loaded open source e-commerce cart.
LinkBack URL
About LinkBacks
Reply With Quote
