The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

block users from chmod 777

Discussion in 'General Discussion' started by merlinpa1969, Aug 3, 2007.

  1. merlinpa1969

    merlinpa1969 Well-Known Member

    Joined:
    Dec 3, 2003
    Messages:
    108
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    PA
    cPanel Access Level:
    Root Administrator
    I know there is a way to make it so that 755 is the highest that a server will allow for chmod on users accounts,

    can someone tell me how to do this,
    and also allow users to set permissions to 444
     
  2. ddeans

    ddeans Well-Known Member

    Joined:
    Feb 13, 2004
    Messages:
    296
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Maryland
    Why would you want to do this? It would keep your customers from installing and running certain scripts.
     
  3. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    836
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    777 is a choice of last resort and is horribly insecure. I would gues by disallowing it he hopes to enforce better practices
     
  4. merlinpa1969

    merlinpa1969 Well-Known Member

    Joined:
    Dec 3, 2003
    Messages:
    108
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    PA
    cPanel Access Level:
    Root Administrator
    If you setup right there isnt a script out there that needs to be set to 777,
    755 will work just fine,

    as a matter of fact we have alot of things running as 750

    since world never needs to write to a file
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    14,478
    Likes Received:
    203
    Trophy Points:
    63
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Might try searching the forums for PHPSuExec. I think that's what you want.
     
  6. merlinpa1969

    merlinpa1969 Well-Known Member

    Joined:
    Dec 3, 2003
    Messages:
    108
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    PA
    cPanel Access Level:
    Root Administrator
    we have phpsuexec however users can still set any folder that dosnt have a php folder thats in use to 777 and it causes no faults,

    I have scripts to run every night to reset the folder permissions to 755 but we have some serious knuckle heads that just keep flipping the folders back, and then yell at me when someone drops a phishing site into their folders


    so to eliminate this problem I want to block a users access from setting 777,

    we looked at umask but that dosnt stop the users ability, it just controls files and folders that are created dynamically
     
  7. jayh38

    jayh38 Well-Known Member

    Joined:
    Mar 3, 2006
    Messages:
    1,215
    Likes Received:
    0
    Trophy Points:
    36
    I assume these are reseller accounts and the reseller clients are installing phishing sites or are these subdomains of existing domains?

    I guess I am asking is how are these people getting access to hosting these files in the first place?
     
  8. merlinpa1969

    merlinpa1969 Well-Known Member

    Joined:
    Dec 3, 2003
    Messages:
    108
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    PA
    cPanel Access Level:
    Root Administrator
    Nope,
    these are not reseller accounts,
    the funny thing about folders left to 777 is you can use an outside source to write files into this folder,

    happens all the time, and they dont have to have any account access,


    this is why we want to remove this ability,

    I didnt like getting the calls from 2 major banks that a client had these in his folders,

    since the clients some WONT listen and say that WP says that they HAVE to have these folders set to global write, I want to take the option out of their hands,
     
  9. jayh38

    jayh38 Well-Known Member

    Joined:
    Mar 3, 2006
    Messages:
    1,215
    Likes Received:
    0
    Trophy Points:
    36
    I see, so I need to ask another question. What method were they using to upload these files, anon ftp? account holder created ftp or any other method?

    The reason I am curios is the many thousands of cpanel accounts I oversee, I was only aware of 1 phishing site which happened to be setup by the account holders themselves. Needless to say, they were reported / deleted instantly.

    Because of this, I tend to find your trouble perhaps isolated to one or two clients that will not cooperate or perhaps aide in this practice by not taking proper responsibility over their space. These are the type of clients I would shove to the curb with or without their baggage.

    CSF also helps with suspicious file monitoring as well as many other tactics.
     
  10. jerrybell

    jerrybell Well-Known Member

    Joined:
    Nov 27, 2006
    Messages:
    90
    Likes Received:
    0
    Trophy Points:
    6
    Putting this:
    find /home -perm 00777 -exec chmod 755 {} \;
    in a cron job to run periodically would take care of it.

    I do wonder, particularly for the larger hosting sites - does the switch to phpsuexec, which is really the only way you can actually do the above without breaking sites, have an impact on performance?
     
  11. merlinpa1969

    merlinpa1969 Well-Known Member

    Joined:
    Dec 3, 2003
    Messages:
    108
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    PA
    cPanel Access Level:
    Root Administrator
    I already have this setup as a cron

    find /home*/*/public_html -type d -perm 0777 -exec chmod 755 {} \;

    works for/home anything/ and all users

    Problem is this his will only chmod the folders after the fact,

    I need to make it so that they cant set them to 777 at all,

    at least through ftp
    most wont think to go through the filemanager,

    I have see this on other hosts just cant remember where...
     
Loading...

Share This Page