The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Change owner of files

Discussion in 'General Discussion' started by micho101, Aug 7, 2009.

  1. micho101

    micho101 Member

    Joined:
    Sep 29, 2008
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    Is there a way to reset ownership of files to user:user? Shell is disabled.

    For example, DirectAdmin has the option to do this in their File Manager, even recursive. I'm quite surprissed there isn't option like this in cPanel, or at least I don't see it.

    I don't want tu use the perforcmance killing suPHP or give users shell access.
     
  2. Vision

    Vision Active Member

    Joined:
    Mar 18, 2002
    Messages:
    35
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    Root Administrator
    If you have shell access i think /scripts/chownpublichtmls will do the job. You can setup a cron job and run it whenever you want.
     
  3. micho101

    micho101 Member

    Joined:
    Sep 29, 2008
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    Yes, but scenario is usually like this:

    - user (no shell access) install Joomla etc.
    - user uploads custom themes via web browser
    - user wants to start afresh or delete some themes
    - he can't do it, since owner of those files is apache user
    - he wants it *now* and not in few hours time when cron will be run

    Why not make a way for user to reset ownership himself? Like DA did.
     
  4. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Why not avoid this whole user nobody mess in the first place by running SuPHP and SuExec?
     
  5. micho101

    micho101 Member

    Joined:
    Sep 29, 2008
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    That's the workaround, but I've read it slows performance down drastically.

    As said, DA have the option in their file manager to take ownership of files back...
     
  6. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    On contemporary server hardware, the performance difference is not noticeable. On rare occasion, modifying which modules are installed on a server creates an adverse reaction causing a noticeable performance decrease. If you experience a significant performance decrease when using SuPHP and/or SuExec, feel welcome to have our technical analysts take a look at that for you.

    Another benefit of using SuPHP/SuExec is that it would curb malicious users from rewriting the scripts of other users on your server, since the scripts would now be owned and run by individual users (rather all of them being user nobody). Also, scripts with insecure permissions (e.g. 777) would no longer run, making any mass exploitation by means of rewriting those scripts impractical.

    Regarding File Manager letting cPanel users change the ownership of files they do not own but are within their home directory, that is something our developers are considering. However, this introduces significant security concerns that would also need to be addressed before we proceed with implementing such functionality. Internal Case 28070.
     
  7. micho101

    micho101 Member

    Joined:
    Sep 29, 2008
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    Thank your for your reply. I will try using suExec & suPHP and see if there's any impact, I can deal with few %'s.
     
  8. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    The performance impact of using SuPHP is negligible and very minor unless you try to install a performance enhancer like FastCGI or eAccelerator (These actually SLOW DOWN performance when running SuPHP and is a common mistake by many administrators when first migrating over to SuPHP). Otherwise, the impact performance wise of changing over to SuPHP is very minimal and you likely won't notice anything whatsoever. The security gains on the other hand are ENORMOUS and will drastically increase your ability to track scripts and close down a huge long list of security issues as well as potential cross site script vulnerabilities!

    Three things to remember when running SuPHP though ....

    1. Scripts no longer need permission 777 so you can ignore all script
    instructions that tell you to change permissions to 777. In fact it is
    not allowed and your script will fail if you do change to 777.

    2. Files uploaded by script will now be owned correctly by the owner
    of the account instead of the generic user "nobody". You can go ahead
    and change the ownership of all files back to the account owner.

    3. Custom PHP settings in .HTACCESS will no longer work and if you have
    any "php_flag" or "php_value" commands in your .htaccess files, your
    site WILL throw an error 500 condition. If you have a site that
    requires custom PHP settings, those can still by using a custom PHP.INI
    file specified in the Virtualhost settings.

    Most of these updates can be scripted fairly easily ...

    I actually do these sort of migrations daily for clients and there is not much to worry about although you may want to notify your clients before converting that they may have a few "glitches" just while everything is being converted over to the new PHP system.

    For those that need to update the ownerships, I'll go ahead and give you a simple script for that now:
    Code:
    #!/bin/bash
    IFS="$"
    
    cd /home
    
    ls /var/cpanel/users | grep -v "root\|nobody\|mysql" | while read CUSER; do
      CPATH=$(grep "${CUSER}:x:" /etc/passwd | grep -v ':0:0:' | head -1 | cut -d':' -f6 | cut -d':' -f1)
    
      if [ -d ${CPATH}/public_html ]; then
         chown -Rhc ${CUSER}:${CUSER} ${CPATH}/public_html/*
      fi
    done
    
    The above script (written for Cpanel servers on Linux) will reset all web files in the
    every cpanel account on the server back to the original account owner / login name
    and display a detailed report of any changes applied to files that need updating.
     
    #8 Spiral, Aug 12, 2009
    Last edited: Aug 13, 2009
  9. micho101

    micho101 Member

    Joined:
    Sep 29, 2008
    Messages:
    20
    Likes Received:
    0
    Trophy Points:
    1
    Because there are a few 10's of Joomla etc. installations on this server, is there a script already which will reset directory and file permissions for each user automatically?

    Thanks.
     
  10. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    The script I posted above to reset ownerships could be modified for that
    and you could put the following in place or after the "chown" line ...

    Code:
         find ${CPATH}/public_html -type d -perm 0777 | xargs chmod 0755
         find ${CPATH}/public_html -type f -perm 0777 -name '*.php' | xargs chmod 0640
    
     
  11. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,460
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    In reference to the script Spiral posted above that changes ownership:

    When performing mass ownership reassignments like this, one should have the script explicitly exclude files owned by root.
     
    #11 cPanelKenneth, Aug 13, 2009
    Last edited: Aug 13, 2009
  12. inetbizo

    inetbizo Well-Known Member

    Joined:
    Mar 28, 2008
    Messages:
    72
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    New Smyrna Beach, FL US
    cPanel Access Level:
    Root Administrator
    Twitter:
    Collaboration Efforts from all towards open source project security

    I've started a thread at oscommerceuniversity.com entitled Securing major open source projects 777 folders and files collaboration effort

    Things that we should work to accomplish:
    1. Own to websever group
    2. convert to suPHP
    3. Set the GID & UID bits

    Create your username and select to permanent post and link on that forum while we build it and return to this thread on cpanel and post the beta/gold release to the public.

    At some point in time, we can release it on sourceforge as a multi-open-source security bash script or cpanel owners and maybe get picked up in cpanel's wiki.
     
  13. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    Inetbizo, I am flattered at you using my script code snippet above as a base ...

    However, what you are asking to develop, I already developed long ago! :D

    (The script above is only a small subset of a much larger script and
    cronjob I wrote a while back to illustrate how to do global permission
    or ownership changes. The full script actually scans the entire server
    for GLOBAL accessible permissions in folders or PHP scripts and changes
    those to the correct restricted owner permissions for systems running
    SuPHP, moves .htaccess PHP overrides out to secured custom config files
    and basically all the conversions needed to convert from DSO to SuPHP
    on a totally automated basis. It also works in reverse and can convert
    from SuPHP based servers back to DSO as well correctly updating all
    permissions and ownerships and PHP custom settings)

    --Spiral

    PS: Then again, maybe you wouldn't be interested in my code as my first
    company was named "Skynet" many, many years ago and as side trivia,
    I actually really do work with Artificial Intelligence as my real job. ;)
     
    #13 Spiral, Aug 22, 2009
    Last edited: Aug 22, 2009
  14. inetbizo

    inetbizo Well-Known Member

    Joined:
    Mar 28, 2008
    Messages:
    72
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    New Smyrna Beach, FL US
    cPanel Access Level:
    Root Administrator
    Twitter:
    We run PHP as a DSO. We use php to upload files and write to folder. We do not run SELinux. We need a way to run through all files written as nobody.nobody and change the ownership of that file to cpuser but the group can stay as nobody.

    Thoughts?
     
  15. inetbizo

    inetbizo Well-Known Member

    Joined:
    Mar 28, 2008
    Messages:
    72
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    New Smyrna Beach, FL US
    cPanel Access Level:
    Root Administrator
    Twitter:
    I tried to use this but I get the following error:
    Code:
    find: missing argument to `-exec'
    Here is the whole snippet:
    Code:
    #!/bin/bash
    IFS="$"
    
    cd /home
    
    ls /var/cpanel/users | grep -v "root\|nobody\|mysql" | while read CUSER; do
      CPATH=$(grep "${CUSER}:x:" /etc/passwd | grep -v ':0:0:' | head -1 | cut -d':' -f6 | cut -d':' -f1)
    
      if [ -d ${CPATH}/public_html/images ]; then
         chown -Rhc ${CUSER}:nobody ${CPATH}/public_html/images/*
         find ${CPATH}/public_html/images/ -type d -exec chmod 0775 {} \:
      fi
    done
     
Loading...

Share This Page