
chmod 700 permission question

Discussion in 'General Discussion' started by coffeeboyuk, Mar 2, 2019.

  1. coffeeboyuk

    coffeeboyuk Member

    Hi,

    I just realized that when I set a file permission to chmod 700 everyone can still download and read the file. I would have thought 700 means only the owner has read, write, and execute permission, and group and other is anybody. Is there a setting on cpanel or WHM I need to configure for this to work?

    Note: When I set the chmod permission to 70 then nobody can download the file. This is pretty much what I'm trying to achieve but then again, it doesn't allow me (the owner) to read or write the file.

    Please advise.

    Regards,

    L
     
    #1 coffeeboyuk, Mar 2, 2019
    Last edited: Mar 2, 2019
  2. GOT

    GOT Get Proactive! PartnerNOC

    You don't say what kind of file this is, however, php in most people's cases runs as the user, so even at 700, the user has full access to the file and therefore the php process can read it, because it runs as the user.
     
  3. coffeeboyuk

    coffeeboyuk Member

    Ahh... sorry. Just a simple text file .txt extension. How do I separate user from owner? There are some files I want to protect from public access, so I like the ability to turn access on and off when needed for convenience.
     
  4. GOT

    GOT Get Proactive! PartnerNOC

    Well, the same principle applies for apache processes as well. You can validate this by chowning it to a user other than the account user (like root, for example) and setting it to 700. Then it will throw an error because the apache processes running as the user cannot read the 700 file owned by root.
     
  5. coffeeboyuk

    coffeeboyuk Member

    I have tried. Chown doesn't work. I get the following error:

    chown: changing ownership of ‘xtest.txt’: Operation not permitted
     
  6. coffeeboyuk

    coffeeboyuk Member

    Hi,

    I think I know a solution which is to get apache to execute files based on group or other permission settings instead of owner. Is it possible to configure apache this way, and if yes how? This will solve the problem when I change file permission to owner since apache will no longer serve the file. I used to have this working under cpanel but it doesn't work anymore for some impractical reason.
     
  7. sparek-3

    sparek-3 Well-Known Member

    If somebody other than the file owner is able to read, write, or execute a file with 700 permissions, then you have an issue that needs to be addressed.
     
  8. coffeeboyuk

    coffeeboyuk Member

    Well, this is the default settings on CPANEL. Shouldn't CPANEL by now have preconfigured all this to work properly under the correct file groups?

    Can someone provide some help?
     
  9. sparek-3

    sparek-3 Well-Known Member

    What specifically are you doing to duplicate this?

    Who owns the file?

    Who owns the process that is allegedly accessing the file that shouldn't be accessing the file?
     
  10. coffeeboyuk

    coffeeboyuk Member

    Well, I chmod 700 the file and I can still browse to the file at:

    public_html/test1.txt

    I check the permission via SSH and the permission is as follows:

    -rwx------. 1 myusername myusername 5 Mar 3 02:49 test1.txt

    There's something awfully wrong here. Apache is reading the file.
     
  11. GOT

    GOT Get Proactive! PartnerNOC

    Apache runs as myusername when reading the files which is why it can still read it. This is normal and expected and desirable.
     
  12. coffeeboyuk

    coffeeboyuk Member

    It's not that desirable. It means my chmod permissions are made redundant. I can no longer protect my files should I choose to. Are there complications in changing/correcting it?

    Also, I might want to protect certain files but permit script access. With this setup I can't actually do this without exposing sensitive files.
     
    #12 coffeeboyuk, Mar 2, 2019
    Last edited: Mar 2, 2019
  13. sparek-3

    sparek-3 Well-Known Member

    What specifically is reading the file?

    If you go to http://domainnamethatreferstomyusernamepublichtmldirectory.tld/test1.txt are you saying it shows the contents of the test1.txt file?

    Are you running Apache with mod_ruid2?
     
  14. coffeeboyuk

    coffeeboyuk Member

    Hi,

    I got a response from CPANEL today. Apparently mod_ruid2 is running as user. I have been advised to uninstall it.

    Yes. http://domainnamethatreferstomyusernamepublichtmldirectory.tld/test1.txt allows apache to read it regardless of chmod permission 700.

    I just read up that mod_ruid2 has better security and better speed. In terms of security it's not that secure because it disables my permissions. Why can't they make mod_ruid2 to keep the chmod permissions? I will never know.
     
  15. sparek-3

    sparek-3 Well-Known Member

    It is keeping the permissions.

    It's working exactly like it's supposed to. You just need to understand how it works.

    mod_ruid2 will run each VirtualHost as that user.

    So if the VirtualHost for domainnamethatreferstomyusernamepublichtmldirectory.tld is owned by myusername - then any web access hit to domainnamethatreferstomyusernamepublichtmldirectory.tld is going to run on the server as myusername.

    This means any web access hit to domainnamethatreferstomyusernamepublichtmldirectory.tld will have read/write/execute privileges to ANY file that is owned by myusername and has permissions of 700.

    This is the way it works.
     
  16. coffeeboyuk

    coffeeboyuk Member

    I understand that part. But it means I can't manage the permission so only I can access the file. Whatever I can access everyone can access. It makes chmod redundant. I think this setup is designed for novices.
     
  17. GOT

    GOT Get Proactive! PartnerNOC

    Well, for most people this makes sense. A web site is generally world-available.

    If you have files that you want only YOU to be able to see, put them in a separate folder and use the Directory Privacy option in cPanel to put a user and password in place.

    When you are browsing the web page, the server doesn't know it's YOU versus anyone else.
     
  18. coffeeboyuk

    coffeeboyuk Member

    Does that generate the .htaccess file?

    What if I have a script that requires access to the file? Will the script be able to access the file without username and password since it resides on the server?
     
  19. GOT

    GOT Get Proactive! PartnerNOC

    Yes it would use the htaccess to do that. Scripts that use methods like includes would not be impacted. As long as it doesn't have http in front of it. Htaccess only impacts files released through Apache. Not file system calls.
     
  20. coffeeboyuk

    coffeeboyuk Member

    Thanks for this. I will make a note of this in future.

    I've made my decision, and I've come to realize it's better to uninstall mod_ruid2. It's so easy. If I want to enable it I can always re-install it. Considering my needs, my server doesn't make good use of apache so there's no point having mod_ruid2. I might change my mind in the future dependent on needs. Feeling relieved at last that my files are now access denied, and only I, and I alone can access my files based on my permission group. :-D
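
The behaviour discussed in this thread, as an added example that is not part of any poster's message and is not cPanel or mod_ruid2 code: a model of the classic Unix mode-bit read check, run over the four situations the posts describe. The numeric UIDs/GIDs and the `nobody` service account (standing in for Apache without mod_ruid2) are constructed assumptions; ACLs, SELinux and directory permissions are ignored.

```python
import stat

ROOT_UID = 0

def permission_class(file_uid, file_gid, proc_uid, proc_gids):
    """Pick the single permission triplet the kernel consults.

    The first match wins: an owner never falls through to the group or
    other bits, even when those bits would grant more access.
    """
    if proc_uid == file_uid:
        return "owner"
    if file_gid in proc_gids:
        return "group"
    return "other"

def can_read(mode, file_uid, file_gid, proc_uid, proc_gids):
    """Mode-bit read check for one process against one file."""
    if proc_uid == ROOT_UID:
        return True  # root bypasses the mode bits
    read_bit = {"owner": stat.S_IRUSR, "group": stat.S_IRGRP, "other": stat.S_IROTH}
    cls = permission_class(file_uid, file_gid, proc_uid, proc_gids)
    return bool(mode & read_bit[cls])

# Constructed IDs: the account user from the thread and a shared service account.
MYUSER_UID, MYUSER_GIDS = 1001, {1001}
NOBODY_UID, NOBODY_GIDS = 99, {99}

def thread_scenarios():
    """Return {description: readable?} for the cases raised in the posts."""
    as_user = (MYUSER_UID, MYUSER_GIDS)      # request handled as the account user
    as_nobody = (NOBODY_UID, NOBODY_GIDS)    # request handled by a shared account
    return {
        "700, owned by myusername, request runs as myusername":
            can_read(0o700, 1001, 1001, *as_user),
        "700, owned by myusername, request runs as nobody":
            can_read(0o700, 1001, 1001, *as_nobody),
        "070, owned by myusername, request runs as myusername":
            can_read(0o070, 1001, 1001, *as_user),
        "700, owned by root, request runs as myusername":
            can_read(0o700, 0, 0, *as_user),
    }

if __name__ == "__main__":
    for case, readable in thread_scenarios().items():
        print(f"{'READ ' if readable else 'DENY '} {case}")
```

The third case shows why the 070 experiment from the first post locked out both the web request and the owner: the process matches the owner class, whose bits are empty, and the group bits are never consulted.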
     