Folder permissions automatically reverted

[PatrickVeenstra]

I have an addon domain in its own folder $HOME/domain, the main domain is obviously in $HOME/public_html

Once in a while (in this case November 1, November 23 and December 6 -the exact date may be wrong, it's the date I noticed) the permissions of that folder are changed to 755 back from 777.

What process, cronjob, etc. modifies folder permissions?

p.s. the owner is the user, not nobody:nogroup or nobody:nobody. Would changing that be a fix? (it would allow to use the 755 permission). ref: What permissions / ownership to set on PHP Sessions Folder when running FastCGI / PHP-FPM (as user "nobody")?

 

[cPanelLauren]

Hi @PatrickVeenstra

There shouldn't be any cron that changes file permissions. The only thing I can think of is fileprotect:

 ls -lah /scripts/ |grep fileprotect
-rwxr-xr-x  1 root root  3.1K Jun 26 14:14 disablefileprotect
-rwxr-xr-x  1 root root  3.1K Jul 18 09:18 enablefileprotect

If you run the script to disable fileprotect does the issue persist?


Thanks!

 

[PatrickVeenstra]

I've just ran the script. I'll let you know in a couple of weeks I guess. Thanks.

 

[cPanelLauren]

Hi @PatrickVeenstra

I would assume it's happening during an update, you could try running the update process to see if anything changes.

 

[PatrickVeenstra]

Just checked and permissions were reverted again.

"fixed" it, recompiled Apache (EasyApache) and it was reverted again

 

[rpvw]

Check to see if you have enabled WHM » Server Configuration » Tweak Settings > Security > Enable File Protect
This option enables the EasyApache FileProtect module, which improves the security of each user’s public_html director

Tweak Settings - Security - Version 74 Documentation - cPanel Documentation

Overview
The EasyApache FileProtect option improves the security of each user's public_html directory. In EasyApache 4, the system enables this option by default.

Usage
Use this option to protect each cPanel account user's public_html directory and each addon domain's document root directory so that only Apache and the user may view its contents.

When you enable this option, EasyApache performs the following actions:

• Creates the /var/cpanel/fileprotect file.
• Executes the /usr/local/cpanel/scripts/enablefileprotect script, which sets more secure permissions for each user's /public_html directory.
• Sets the files in the user's /home/username/ directory to 0711 permissions.
  
  Note:
  When you disable this option, EasyApache sets these files to 0755 permissions.
  
  
• Sets the public_html directory's GroupID to the nobody user.
  
  Note:
  When you disable this option, EasyApache sets the GroupID to the username user, where username represents the user's username.

Requirements
This option does not possess any requirements.

Compatibility

• This option functions when you enable the ModRuid2 Apache module.
• This option does not possess any known compatibility issues.

Enable or Disable FileProtect
In the interface
You can enable or disable the FileProtect option with the Enable File Protect option in the Security section of WHM's Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings).

This option defaults to enabled.

On the command line
To enable the FileProtect option, run the following script:

/usr/local/cpanel/scripts/enablefileprotect
To disable the FileProtect option, run the following script:

/usr/local/cpanel/scripts/disablefileprotect


For more information about these scripts, run these scripts with the --help flag.

The EasyApache 4 FileProtect Option - EasyApache 4 - cPanel Documentation

 

[PatrickVeenstra]

Thanks but Enable File Protect is Off

 

[rpvw]

Note:
When you disable this option, EasyApache sets these files to 0755 permissions.

Is that not what you are seeing ?

the permissions of that folder are changed to 755 back from 777.

 

[PatrickVeenstra]

Correct, when you disable it it sets 755 when you enable it 750

 

[rpvw]

Now I am confused.

755 is the correct and default permission level for cPanel folders - why would you want them to be 777 which is inherently too permissive and insecure, and opens the folder and its content for any process to use for malware ?

I don't think the folders should have ever been changed to 777 in the first place !

 

[PatrickVeenstra]

I want Apache to create a directory and write a few files. It's a single user server and performance is a must.

 

[cPanelLauren]

I want Apache to create a directory and write a few files. It's a single user server and performance is a must.

That didn't really answer the question and I believe I misunderstood the original question. The issue you're having is that Files/Folders aren't staying with 777 perms. What PHP handler are you running? I'm not entirely sure this matters though, where are you trying to create the folder?

 

[PatrickVeenstra]

I'm creating them in $HOME/subdomain (e.g. $HOME/subdomain/AA)
I used to run Apache 2.2 with DSO, but right now I'm running Apache 2.4 with PHP 5.6 and 7.1 in cgi. That specific account is using 5.6.

 

[cPanelLauren]

Hi @PatrickVeenstra

You might try running DSO again, you can get it in EasyApache - just search DSO in PHP Extensions. One word of warning though you can only have it installed/active on one PHP version at a time.

The documentation here might help in explaining why what's happening is PHP Handlers - EasyApache 4 - cPanel Documentation

 

[PatrickVeenstra]

So there's no way to keep permissions? The only way would be to check permissions and setup a cron job to modify them if needed?

Isn't there some way to execute a script after easy-apache runs? (to run a shell script to re-modify permissions)

edit: Reading the old EA3 documentation: Script Hooks - EasyApache - cPanel Documentation

Can I create a shell script named /scripts/posteasyapache to chmod that particular directory?

 

[cPanelLauren]

Hi @PatrickVeenstra


A hook would work, only if you've determined the exact thing that triggers the permissions changes. Since EA4 the EasyApache process has changed so they're no longer relevant for EasyApache specifically but you could create one:

Guide to Standardized Hooks - Hookable Events - Developer Documentation - cPanel Documentation

 

[PatrickVeenstra]

So there's no Apache build hook anymore? Should I hook UPCP? That wouldn't work with a manual rebuild of Apache.
What can I hook?

Another "solution" would be to change the directory owner to nobody (as I see now, half of the folders in there are already owned by nobody), but....

 

[rpvw]

As @cPanelLauren suggested, change the PHP handler for that account to one that will execute your PHP as the account user rather than 'nobody' (eg DSO + mod_mpm_itk or mod_ruid2 OR suPHP + mod_suphp). That way you will be able to write to the folder using the standard permissions mask, without having to make it world writeable, which would make it altogether more secure.

See PHP Handlers - EasyApache 4 - cPanel Documentation for full details