How to get free "unlimited" disk space for any cpanel account

electric

Note: This does not apply if you are running phpsuexec on your server.

It appears to be easily possible for any cpanel account user to get free "unlimited" disk space.

1) Create a cpanel account with a disk space limit of 5mb.

2) Upload any PHP script that allows file uploads using html form posts.

3) Use the script to upload files... don't stop until the drive is full. :eek:

The files uploaded by the php script are owned by the "nobody" user, so the Cpanel quota system does not include them in the disk space usage calculation for the user. You can only see actual disk usage for a folder by clicking the "Disk Usage Viewer" utility in cpanel. If you rely on WHM or the "cpanel stats" quota system, then all the files uploaded by the php script will not be seen, and it's possible for any cpanel user to upload unlimited files with no way to know about it. Their account will never be frozen since they will never go over their cpanel account "limit".

If anyone knows about a solution to this problem, I'm interested to know what it is. We only became aware of this after seeing the daily backups for some accounts were very large, when the actual disk usage shown by cpanel for the account was very small.

:(
 
Last edited:
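To measure the gap described in the post above before changing any ownership, the following added example (not part of the original thread) totals, per account, the bytes under `public_html` that belong to some other owner and are therefore invisible to per-user quota accounting. It assumes GNU find and the `/var/cpanel/users` and `/home/<user>/public_html` layout used by the script later in this thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report web-space bytes that per-user quota accounting misses.

# untracked_bytes UID DIR
# Sum the apparent size of regular files under DIR whose owner is not UID.
untracked_bytes() {
    local uid="$1" dir="$2"
    # -xdev: stay on one filesystem. find does not follow symlinks by default.
    find "$dir" -xdev -type f ! -uid "$uid" -printf '%s\n' 2>/dev/null |
        awk '{ sum += $1 } END { printf "%.0f\n", sum }'
}

# report_accounts [USERS_DIR] [HOME_BASE]
# Print "account bytes" for each account with untracked files, largest first.
report_accounts() {
    local users_dir="${1:-/var/cpanel/users}" home_base="${2:-/home}"
    local path user uid docroot bytes
    for path in "$users_dir"/*; do
        user=${path##*/}
        uid=$(id -u "$user" 2>/dev/null) || continue   # not a system account
        docroot="$home_base/$user/public_html"
        [ -d "$docroot" ] || continue
        bytes=$(untracked_bytes "$uid" "$docroot")
        [ "$bytes" -gt 0 ] && printf '%s %s\n' "$user" "$bytes"
    done | sort -k2,2nr
}

report_accounts "$@"
```

The totals are apparent file sizes rather than allocated blocks, so they approximate what the quota system would charge once the files are re-owned.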

chae

I noticed the same thing by chance last week with a customer's site. They run an auction software package, and the software lets those running an auction upload images as you would expect, but the images etc. are uploaded as nobody nobody. The owner of the site pays for 500Mb of disk space but in reality they're using about 4Gb. Worse thing is they run about 4 different specialty auction sites... We asked them to contact the software developers to see if this could be resolved, and nothing as yet from them.
 

yapluka

A crude fix could be to run a cronjob that will chown -R user.user /home/user/public_html/*

Something like this:

Code:
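#!/bin/bash
# Re-own everything under each account's public_html so quota accounting sees it.
# Account names are the file names in /var/cpanel/users.
cd /var/cpanel/users || exit 1
for user in *
do
    # Skip accounts that have no public_html directory.
    [ -d "/home/$user/public_html" ] || continue
    # -h: act on symlinks themselves, not on what they point to.
    chown -Rh -- "$user:$user" "/home/$user/public_html/"*
done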
 

chirpy

That's the only way (yapluka's post) you're going to work around the issue if you don't enable phpsuexec, as it's a limitation of the security model of PHP and the way *nix quotas work, since the files aren't and can't be owned by the user account.
 

sjat

Well....
I see it's not a new thread, but it is the answer to my question :)

Now we come to my really newbie question: How do I do that?
Just create the script and then drop it to /etc/cron.hourly ?
(If I want to run the script every hour)

Regards
Sjat
 

gvard

Hello,

You can run /scripts/chownpublichtmls but I don't think you should make it run every hour, because from the beginning until the end of the script all pages on the server show 403 errors (it lasts about 5 mins, I run it once per month).
 

sjat

Thank you for your reply :)
Does that mean that I can just drop the /scripts/chownpublichtmls to /etc/cron.monthly?
And then it will be executed once per month?
 

jayh38

> Thank you for your reply :)
> Does that mean that I can just drop the /scripts/chownpublichtmls to /etc/cron.monthly?
> And then it will be executed once per month?

I'm not sure you would want to run that. Last I recall, that will delete files owned by "nobody" unless that has changed; I have not looked at the script to verify.

I would use the original script from yapluka, and yes, you can dump that into cron.hourly and it will obviously not remove access while it is running. I use it myself on 400 plus account servers every couple hours.
 

sjat

Thank you very much.....
You are very helpful - I think I will try the last solution as jayh38 described.
 

gvard

> I'm not sure you would want to run that. Last I recall, that will delete files owned by "nobody" unless that has changed; I have not looked at the script to verify.

Hello,

The script doesn't delete all files owned by nobody, it just changes the owner of the files. I'm doing it once every month on my server and no files were deleted.
 

jayh38

Perhaps cPanel needs to update their documentation. But nevertheless, the other method is much faster and sites are always available during its run. I would get too many calls if all pages were 403 for several minutes.

Quote from cpanel document as found here.

> chownpublichtmls - Change ownership of all users web space to them, which is useful for converting to suexec. Files owned by nobody are deleted.
 

mwmconsulting

Thank You!

yapluka's fix is a beauty! Spot on for fixing this issue (which I'm surprised cPanel has not addressed personally).

I might also suggest adding another element to this script. If you are using cPanel 10, after the chown line add

Code:
rm -f -- "/home/$user/.cpanel-datastore/quota_-v"
and for cPanel 11 add

Code:
rm -f -- "/home/$user/.cpanel/datastore/quota_-v"
This addition will ensure that the disk usage information displayed on the cPanel page will be up-to-date when the user next visits their cPanel (as the deleted quota_-v file will automatically be recreated with the updated information). Ordinarily, I'm told the cpanel information is refreshed every 24 hours, so this step is not mandatory, just beneficial.

Lastly, for those of you who implement Menalto's Gallery (http://gallery.menalto.com), you'll also need to chown all the files in the user's gallery albums directory (as they too are owned by "nobody").
 

jrehmer

What about these types of messages where the disk quota is exceeded and it won't chown?

chown: changing ownership of `/home/someone/public_html/gallery/g2data/cache/module/customfield/0/1/14.inc': Disk quota exceeded