How to get free "unlimited" disk space for any cpanel account

[electric]

Note: This does not apply if you are running phpsuexec on your server.​

It appears to be easily possible for any cpanel account user to get free "unlimited" disk space.

1) Create a cpanel account with a disk space limit of 5mb.

2) Upload any PHP script that allows file uploads using html form posts.

3) Use the script to upload files... don't stop until the drive is full.

The files uploaded by the php script are owned by the "nobody" user, so the Cpanel quota system does not include them in the disk space usage calculation for the user. You can only see actual disk usage for a folder by clicking the "Disk Usage Viewer" utility in cpanel. If you rely on WHM or the "cpanel stats" quota system, then all the files uploaded by the php script will not be seen, and it's possible for any cpanel user to upload unlimited files with no way to know about it. Their account will never be frozen since they will never go over their cpanel account "limit".

If anyone knows about a solution to this problem, I'm interested to know what it is. We only became aware of this after seeing the daily backups for some accounts were very large, when the actual disk usage shown by cpanel for the account was very small.

 

[chae]

I noticed the same thing by chance last week with a customers site, they run an auction software package & the software lets those running an auction upload images as you would expect but the images etc are uploaded as nobody nobody. The owner of the site pays for 500Mb of disk space but in reality they're using about 4Gb. Worse thing is they run about 4 different specialty auction sites...we asked them to contact the software developers to see if this could be resolved and nothing as yet from them.

 

[yapluka]

A crude fix could be to run a cronjob that will chown -R user.user /home/user/public_html/*

Something like this :

#!/bin/bash
cd /var/cpanel/users
for user in *
do
chown -R $user.$user /home/$user/public_html/*
done

 

[chirpy]

That's the only way (yapluka post) you're going to work around the issue if you don't enable phpsuexec as it's a limitation of the security model of PHP and the way *nix quotas work since the files aren't and can't be owned by the user account.

 

[sjat]

Well....
I see its not a new thread, but it is the answer of my question

Now we comes to my really newbie question: How do I do that ?
Just create the script and then drop it to /etc/cron.hourly ?
(If I want to run the script every hour)

Regards
Sjat

 

[gvard]

Hello,

You can run /scripts/chownpublichtmls but I don't think you should make it run every hour, because from the beginning until the end of the script all pages on the server show 403 errors (it lasts about 5 mins, I run it once per month).

 

[sjat]

Thank you for your reply
Does that mean that I just can drop the /scripts/chownpublichtmls to /etc/cron.monthly ?
And then it will be executed once pr month ?

 

[jayh38]

Thank you for your reply
Does that mean that I just can drop the /scripts/chownpublichtmls to /etc/cron.monthly ?
And then it will be executed once pr month ?

I'm not sure you would want to run that. Last I recall is that will delete files owned by "nobody" unless that has changed, I have not looked at the script to verify.

I would use the original script from yapluka, and yes, you can dump that into cron.hourly and it will obviously not remove access while it is running. I use it myself on 400 plus account servers every couple hours.

 

[sjat]

Thank you very much.....
You are very helpfull - I think I will try the last solution as jayh38 described.

 

[yapluka]

Thank you very much.....
You are very helpfull - I think I will try the last solution as jayh38 described.

Just don't forget to give the execute permission to the script. chmod 700 will do the trick just fine

 

[gvard]

I'm not sure you would want to run that. Last I recall is that will delete files owned by "nobody" unless that has changed, I have not looked at the script to verify.

Hello,

The scripts doesn't delete all files owned by nobody, it just changes the owner of the files. I'm doing it once every month in my server and no files were deleted.

 

[jayh38]

Perhaps cPanel needs to update their documentation. But nevertheless, the other method is much faster and sites are always available during its run. I would get too many calls if all pages were 403 for several minutes.

Quote from cpanel document as found here.

chownpublichtmls - Change ownership of all users web space to them, which is useful for converting to suexec. Files owned by nobody are deleted.

 

[mwmconsulting]

Thank You!

yapluka's fix is a beauty! Spot on for fixing this issue (which I'm surprised cPanel has not addresses personally).

I might also suggest adding another element to this script. If you are using cPanel 10, after the chown line add

rm -f /home/$user/.cpanel-datastore/quota_-v

and for cPanel 11 add

rm -f /home/$user/.cpanel/datastore/quota_-v

This addition will ensure that the disk usage information displayed on the cPanel page will be up-to-date when the user next visits their cPanel (as the deleted quota_-v file will automatically be recreated with the updated information). Ordinarily, I'm told the cpanel information is refreshed every 24 hours so this step is not mandatory just beneficial.

Lastly, for those of you who implement Menalto's Gallery (http://gallery.menalto.com), you'll also need to chown all the files in the user's gallery albums directory (as they too are owned by "nobody").

 

[jrehmer]

What about these types of messages where the disk quota is exceeded and it won't chown?

chown: changing ownership of `/home/someone/public_html/gallery/g2data/cache/module/customfield/0/1/14.inc': Disk quota exceeded