Folder permissions automatically reverted

PatrickVeenstra

Well-Known Member
Feb 12, 2012
169
3
68
Barcelona
cPanel Access Level
Root Administrator
I have an addon domain in its own folder $HOME/domain, the main domain is obviously in $HOME/public_html

Once in a while (in this case November 1, November 23 and December 6 -the exact date may be wrong, it's the date I noticed) the permissions of that folder are changed to 755 back from 777.

What process, cronjob, etc. modifies folder permissions?

p.s. the owner is the user, not nobody:nogroup or nobody:nobody. Would changing that be a fix? (it would allow to use the 755 permission). ref: What permissions / ownership to set on PHP Sessions Folder when running FastCGI / PHP-FPM (as user "nobody")?
 
Last edited:

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,255
313
Houston
Hi @PatrickVeenstra

There shouldn't be any cron that changes file permissions. The only thing I can think of is fileprotect:

Code:
 ls -lah /scripts/ |grep fileprotect
-rwxr-xr-x  1 root root  3.1K Jun 26 14:14 disablefileprotect
-rwxr-xr-x  1 root root  3.1K Jul 18 09:18 enablefileprotect
If you run the script to disable fileprotect does the issue persist?


Thanks!
 

rpvw

Well-Known Member
Jul 18, 2013
1,101
458
113
UK
cPanel Access Level
Root Administrator
Check to see if you have enabled WHM » Server Configuration » Tweak Settings > Security > Enable File Protect
This option enables the EasyApache FileProtect module, which improves the security of each user’s public_html director


Tweak Settings - Security - Version 74 Documentation - cPanel Documentation
Overview
The EasyApache FileProtect option improves the security of each user's public_html directory. In EasyApache 4, the system enables this option by default.

Usage
Use this option to protect each cPanel account user's public_html directory and each addon domain's document root directory so that only Apache and the user may view its contents.

When you enable this option, EasyApache performs the following actions:

  • Creates the /var/cpanel/fileprotect file.
  • Executes the /usr/local/cpanel/scripts/enablefileprotect script, which sets more secure permissions for each user's /public_html directory.
  • Sets the files in the user's /home/username/ directory to 0711 permissions.

    Note:
    When you disable this option, EasyApache sets these files to 0755 permissions.

  • Sets the public_html directory's GroupID to the nobody user.

    Note:
    When you disable this option, EasyApache sets the GroupID to the username user, where username represents the user's username.
Requirements
This option does not possess any requirements.

Compatibility
  • This option functions when you enable the ModRuid2 Apache module.
  • This option does not possess any known compatibility issues.
Enable or Disable FileProtect
In the interface
You can enable or disable the FileProtect option with the Enable File Protect option in the Security section of WHM's Tweak Settings interface (WHM >> Home >> Server Configuration >> Tweak Settings).

This option defaults to enabled.

On the command line
To enable the FileProtect option, run the following script:

/usr/local/cpanel/scripts/enablefileprotect
To disable the FileProtect option, run the following script:

/usr/local/cpanel/scripts/disablefileprotect


For more information about these scripts, run these scripts with the --help flag.
The EasyApache 4 FileProtect Option - EasyApache 4 - cPanel Documentation
 
  • Like
Reactions: cPanelLauren

rpvw

Well-Known Member
Jul 18, 2013
1,101
458
113
UK
cPanel Access Level
Root Administrator

rpvw

Well-Known Member
Jul 18, 2013
1,101
458
113
UK
cPanel Access Level
Root Administrator
Now I am confused.

755 is the correct and default permission level for cPanel folders - why would you want them to be 777 which is inherently too permissive and insecure, and opens the folder and its content for any process to use for malware ?

I don't think the folders should have ever been changed to 777 in the first place !
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,255
313
Houston
I want Apache to create a directory and write a few files. It's a single user server and performance is a must.
That didn't really answer the question and I believe I misunderstood the original question. The issue you're having is that Files/Folders aren't staying with 777 perms. What PHP handler are you running? I'm not entirely sure this matters though, where are you trying to create the folder?
 

PatrickVeenstra

Well-Known Member
Feb 12, 2012
169
3
68
Barcelona
cPanel Access Level
Root Administrator
I'm creating them in $HOME/subdomain (e.g. $HOME/subdomain/AA)
I used to run Apache 2.2 with DSO, but right now I'm running Apache 2.4 with PHP 5.6 and 7.1 in cgi. That specific account is using 5.6.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,255
313
Houston
Hi @PatrickVeenstra

You might try running DSO again, you can get it in EasyApache - just search DSO in PHP Extensions. One word of warning though you can only have it installed/active on one PHP version at a time.

The documentation here might help in explaining why what's happening is PHP Handlers - EasyApache 4 - cPanel Documentation
 

PatrickVeenstra

Well-Known Member
Feb 12, 2012
169
3
68
Barcelona
cPanel Access Level
Root Administrator
So there's no way to keep permissions? The only way would be to check permissions and setup a cron job to modify them if needed?

Isn't there some way to execute a script after easy-apache runs? (to run a shell script to re-modify permissions)

edit: Reading the old EA3 documentation: Script Hooks - EasyApache - cPanel Documentation

Can I create a shell script named /scripts/posteasyapache to chmod that particular directory?
 
Last edited:

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,295
1,255
313
Houston

PatrickVeenstra

Well-Known Member
Feb 12, 2012
169
3
68
Barcelona
cPanel Access Level
Root Administrator
So there's no Apache build hook anymore? Should I hook UPCP? That wouldn't work with a manual rebuild of Apache.
What can I hook?

Another "solution" would be to change the directory owner to nobody (as I see now, half of the folders in there are already owned by nobody), but....
 
Last edited:

rpvw

Well-Known Member
Jul 18, 2013
1,101
458
113
UK
cPanel Access Level
Root Administrator
As @cPanelLauren suggested, change the PHP handler for that account to one that will execute your PHP as the account user rather than 'nobody' (eg DSO + mod_mpm_itk or mod_ruid2 OR suPHP + mod_suphp). That way you will be able to write to the folder using the standard permissions mask, without having to make it world writeable, which would make it altogether more secure.

See PHP Handlers - EasyApache 4 - cPanel Documentation for full details
 
  • Like
Reactions: cPanelLauren