coffeeboyuk

Well-Known Member
Nov 12, 2005
60
3
158
Hi,

I just realized that when I set a file permission to chmod 700 everyone can still download and read the file. I would have thought 700 means only the owner has read, write, and execute permission, and group and other is anybody. Is there a setting on cpanel or WHM I need to configure for this to work?

Note: When I set the chmod permission to 70 then nobody can download the file. This is pretty much what I'm trying to achieve but then again, it doesn't allow me (the owner) to read or write the file.

Please advise.

Regards,

L
 

GOT

Get Proactive!
PartnerNOC
Apr 8, 2003
1,778
331
363
Chesapeake, VA
cPanel Access Level
DataCenter Provider
You don't say what kind of file this is, however, php in most people's cases runs as the user, so even at 700, the user has full access to the file and therefore the php process can read it, because it runs as the user.
 

coffeeboyuk

You don't say what kind of file this is, however, php in most people's cases runs as the user, so even at 700, the user has full access to the file and therefore the php process can read it, because it runs as the user.
Ahh... sorry. Just a simple text file .txt extension. How do I separate user from owner? There are some files I want to protect from public access, so I like the ability to turn access on and off when needed for convenience.
 

GOT

Well, the same principle applies for apache processes as well. You can validate this by chowning it to a user other than the account user (like root, for example) and setting it to 700. Then it will throw an error because the apache processes running as the user cannot read the 700 file owned by root.
 

coffeeboyuk

Well, the same principle applies for apache processes as well. You can validate this by chowning it to a user other than the account user (like root, for example) and setting it to 700. Then it will throw an error because the apache processes running as the user cannot read the 700 file owned by root.
I have tried. Chown doesn't work. I get the following error:

chown: changing ownership of ‘xtest.txt’: Operation not permitted
 

coffeeboyuk

Hi,

I think I know a solution which is to get apache to execute files based on group or other permission settings instead of owner. Is it possible to configure apache this way, and if yes how? This will solve the problem when I change file permission to owner since apache will no longer serve the file. I used to have this working under cpanel but it doesn't work anymore for some impractical reason.
 

sparek-3

Well-Known Member
Aug 10, 2002
2,173
280
388
cPanel Access Level
Root Administrator
If somebody other than the file owner is able to read, write, or execute a file with 700 permissions, then you have an issue that needs to be addressed.
 

coffeeboyuk

If somebody other than the file owner is able to read, write, or execute a file with 700 permissions, then you have an issue that needs to be addressed.
Well, these are the default settings on CPANEL. Shouldn't CPANEL by now have preconfigured all this to work properly under the correct file groups?

Can someone provide some help?
 

sparek-3

What specifically are you doing to duplicate this?

Who owns the file?

Who owns the process that is allegedly accessing the file that shouldn't be accessing the file?
 

coffeeboyuk

What specifically are you doing to duplicate this?

Who owns the file?

Who owns the process that is allegedly accessing the file that shouldn't be accessing the file?
Well, I chmod 700 the file and I can still browse to the file at:

public_html/test1.txt

I check the permission via SSH and the permission is as follows:

-rwx------. 1 myusername myusername 5 Mar 3 02:49 test1.txt

There's something awfully wrong here. Apache is reading the file.
 

coffeeboyuk

Apache runs as myusername when reading the files which is why it can still read it. This is normal and expected and desirable.
It's not that desirable. It means my chmod permissions are made redundant. I can no longer protect my files should I choose to. Are there complications in changing/correcting it?

Also, I might want to protect certain files but permit script access. With this setup I can't actually do this without exposing sensitive files.
 

coffeeboyuk

Hi,

I got a response from CPANEL today. Apparently mod_ruid2 is running as user. I have been advised to uninstall it.

Yes. http://domainnamethatreferstomyusernamepublichtmldirectory.tld/test1.txt allows apache to read it regardless of chmod permission 700.

I just read up that mod_ruid2 has better security and better speed. In terms of security it's not that secure because it disables my permissions. Why can't they make mod_ruid2 keep the chmod permissions? I will never know.
 

sparek-3

It is keeping the permissions.

It's working exactly like it's supposed to. You just need to understand how it works.

mod_ruid2 will run each VirtualHost as that user.

So if the VirtualHost for domainnamethatreferstomyusernamepublichtmldirectory.tld is owned by myusername - then any web access hit to domainnamethatreferstomyusernamepublichtmldirectory.tld is going to run on the server as myusername.

This means any web access hit to domainnamethatreferstomyusernamepublichtmldirectory.tld will have read/write/execute privileges to ANY file that is owned by myusername and has permissions of 700.

This is the way it works.
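
The rule behind this reply, as an added example that is not part of the thread: the kernel consults exactly one permission class (owner, then group, then other; first match wins), so a web worker running as the file's owner can read a 700 file and is locked out at 070, which is what `chmod 70` sets. The uid/gid numbers and the shared web-server user are constructed assumptions; ACLs, SELinux and directory permissions are ignored.

```python
import stat
from collections import namedtuple

# Constructed sample values: these uid/gid numbers are illustrative only.
FileMeta = namedtuple("FileMeta", "mode uid gid")
ACCOUNT_UID, ACCOUNT_GID = 1001, 1001   # hypothetical account user ("myusername")
SHARED_UID, SHARED_GID = 99, 99         # hypothetical shared web-server user

READ_BIT = {"owner": stat.S_IRUSR, "group": stat.S_IRGRP, "other": stat.S_IROTH}

def permission_class(meta, uid, gids):
    """Pick the single class the kernel consults: first match wins."""
    if uid == meta.uid:
        return "owner"
    if meta.gid in gids:
        return "group"
    return "other"

def can_read(meta, uid, gids):
    """Model of the read check on a regular file's mode bits."""
    if uid == 0:  # root bypasses the mode bits
        return True
    return bool(meta.mode & READ_BIT[permission_class(meta, uid, gids)])

def who_can_read(mode):
    """Evaluate one mode for a file owned by the account user."""
    meta = FileMeta(mode, ACCOUNT_UID, ACCOUNT_GID)
    return {
        # worker switched to the account user, as described for mod_ruid2
        "per-user worker": can_read(meta, ACCOUNT_UID, {ACCOUNT_GID}),
        # worker running as a separate shared user
        "shared worker": can_read(meta, SHARED_UID, {SHARED_GID}),
    }

if __name__ == "__main__":
    for mode in (0o700, 0o070, 0o644):
        print(f"{mode:04o}", who_can_read(mode))
```
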
 

coffeeboyuk

It is keeping the permissions.

It's working exactly like it's supposed to. You just need to understand how it works.

mod_ruid2 will run each VirtualHost as that user.

So if the VirtualHost for domainnamethatreferstomyusernamepublichtmldirectory.tld is owned by myusername - then any web access hit to domainnamethatreferstomyusernamepublichtmldirectory.tld is going to run on the server as myusername.

This means any web access hit to domainnamethatreferstomyusernamepublichtmldirectory.tld will have read/write/execute privileges to ANY file that is owned by myusername and has permissions of 700.

This is the way it works.
I understand that part. But it means I can't manage the permission so only I can access the file. Whatever I can access everyone can access. It makes chmod redundant. I think this setup is designed for novices.
 

GOT

Well, for most people this makes sense. A web site is generally world-available.

If you have files that you want only YOU to be able to see, put them in a separate folder and use the Directory Privacy option in cPanel to put a user and password in place.

When you are browsing the web page, the server doesn't know it's YOU versus anyone else.
 

coffeeboyuk

Well, for most people this makes sense. A web site is generally world-available.

If you have files that you want only YOU to be able to see, put them in a separate folder and use the Directory Privacy option in cPanel to put a user and password in place.

When you are browsing the web page, the server doesn't know it's YOU versus anyone else.
Does that generate the .htaccess file?

What if I have a script that requires access to the file? Will the script be able to access the file without username and password since it resides on the server?
 

GOT

Yes it would use the htaccess to do that. Scripts that use methods like includes would not be impacted. As long as it doesn't have http in front of it. Htaccess only impacts files released through Apache. Not file system calls.
 

coffeeboyuk

Yes it would use the htaccess to do that. Scripts that use methods like includes would not be impacted. As long as it doesn't have http in front of it. Htaccess only impacts files released through Apache. Not file system calls.
Thanks for this. I will make a note of this in future.

I've made my decision, and I've come to realize it's better to uninstall mod_ruid2. It's so easy. If I want to enable it I can always re-install it. Considering my needs, my server doesn't make good use of apache so there's no point having mod_ruid2. I might change my mind in the future dependent on needs. Feeling relieved at last that my files are now access denied, and only I, and I alone can access my files based on my permission group. :-D