The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

File Ownership bug with Account Transfer feature

Discussion in 'General Discussion' started by sneader, Sep 23, 2009.

  1. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    I keep running into this problem, using WHM's Account Transfer feature.

    If a customer has a directory and/or files that have group and ownership of nobody, when the directory/files are transferred, the group and ownership are not preserved, and instead, changed to the customer's account.

    This breaks scripts that rely on nobody ownership to be able to write to those files/directories.

    Is this a bug or a feature?

    - Scott
     
  2. MattCurry

    MattCurry Well-Known Member

    Joined:
    Aug 18, 2009
    Messages:
    275
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Houston, Tx
    File Ownership

    The behavior you are seeing is designed and intentional. Moving forward, ideally in a shared hosting environment users should be sand boxed within their own environment, such that one user's misdeeds cannot negatively affect another user. The transfer script makes the assumption in this case that starting fresh on a new server, the account will be run under suPHP mode. Scripts that call an explicit user of nobody realistically need to be updated to behave in a more sane fashion, as even outside the confines of cPanel, not every Linux distribution opts for a user of 'nobody'. To put it bluntly, coding for a specific user is a deprecated and unrecommended practice. Please let me know if there is anything else I can do for you.

    Thank you,
    Matthew Curry
     
  3. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,460
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    It's a little of both.

    When we restore the files in the home directory, the operation is performed as the user. Users typically cannot change ownership of files although they can often change the group ( within certain parameters ).
     
  4. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    Perhaps I'm not fully understanding, but current scripts such as Joomla and WordPress are breaking. Are you saying I need to change my server so that it breaks Joomla and WordPress, then demand the authors of these programs to recode their scripts?

    - Scott
     
  5. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    I am confused. Neither Joomla nor WordPress rely on user nobody permissions. I have been using both in phpSuExec/SuPHP environments (not as user nobody) for at least 3 years.
     
  6. Spiral

    Spiral BANNED

    Joined:
    Jun 24, 2005
    Messages:
    2,023
    Likes Received:
    7
    Trophy Points:
    0
    I strongly recommend that you convert your system over to SuPHP!

    Under SuPHP, you won't have to worry about scripts having global write acccess or being insecurely (and incorrectly) setup as user "nobody" instead of the actual owner running the scripts.

    Incidentally, the reason some of your user's script files are currently "nobody" is because you are running PHP as an Apache DSO module which insecurely executes all scripts from all accounts as user "nobody". Among other problems when scripts directly write or update files, those files will consequently be saved with "nobody" ownership instead of the actual owner. CMS systems such as Joomla and others often write and modify their own files and thus end up with many files with the wrong ownerships. To circumvent the complications of this issue, the script authors typically tell you to set certain folders or files to permission "777" which stops the errors but takes a moderate security problem and turns it into an enormous catastrophic one!

    You should actually never have any files or folders setup with permission 777 and ideally you would never want any scripts to be owned by the user "nobody" as this is very unsafe and makes your site openly vulnerable to cross site scripting and other security weaknesses. Under SuPHP, all your scripts will actually execute as the original owner directly so you won't be putting a band-aid on top of a band-aid like you are doing currently!
     
    #6 Spiral, Sep 29, 2009
    Last edited: Sep 29, 2009
  7. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    Well, all that said... I see today that cPanel posted the following in the change logs:

    Current 42335
    2009-12-23 07:23:33
    Ensured Nobody-owned files are restored properly during account transfer


    Thank you for beating me up first... then listening and fixing the problem. :)

    - Scott
     
Loading...

Share This Page