mod_userdir On by Default?

Discussion in 'Security' started by markb14391, Jan 9, 2012.

  1. markb14391

    markb14391 Well-Known Member

    Jun 9, 2008

    We want mod_userdir protection to keep people from stealing bandwidth, however we do want to allow new users to access their accounts via IP/~username. I know we could manually exclude the mod_userdir protection for any account, but that doesn't allow for automatic provisioning of accounts. For example, if a client signs up in the middle of the night, he or she can't access their site until we manually deactivate the protection.

    Is there any way to have it the other way around? IP/~username access would be on by default, then we can specifically lock down each user after they've been with us long enough for their domain to propagate?


  2. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Oct 2, 2010
    Hello Mark,

    It isn't going to be possible to do that for default on with a change to having it off later. It's better to use includes to disable it for all accounts already existing, then to have another include during account creation that will enable it for that account. Later, if you want to disable it for that account, simply remove the include (you could cron delete the include after a time period).

    In order to do this, you will need to uncheck the box in WHM > Security Center > Apache mod_userdir Tweak for "Enable mod_userdir Protection" and click the "Save" button.

    At that point, no users will be restricted for the temporary url. To re-restrict all accounts, then do the following:

    mkdir -p /usr/local/apache/conf/userdata/std/2
    echo "UserDir disabled" > /usr/local/apache/conf/userdata/std/2/userdir.conf
    /scripts/ensure_vhost_includes --all-users
    /etc/init.d/httpd restart

    Then add the following script at /usr/local/cpanel/scripts/postwwwacct:

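    #!/usr/bin/perl
    # postwwwacct hook: cPanel passes the new account's details as key/value pairs in @ARGV.
    my %OPTS = @ARGV;
    # Export the username so the shell commands below can expand $USER.
    $ENV{USER} = "$OPTS{'user'}";
    # Create the per-user include that re-enables UserDir for this account only.
    system q(mkdir /usr/local/apache/conf/userdata/std/2/$USER/);
    system q(echo "UserDir enabled $USER" > /usr/local/apache/conf/userdata/std/2/$USER/userdir.conf);
    # Rebuild this user's vhost includes and restart Apache to apply them.
    system q(/scripts/ensure_vhost_includes --user=$USER);
    system q(/etc/init.d/httpd restart);

    For the script, ensure it is able to execute: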

    chmod +x /usr/local/cpanel/scripts/postwwwacct

    You can then try creating a new account to see that it should work for the temporary URL, while any pre-existing accounts do not.

    For the cron, you'd need to create a Perl script that you run via cron that would remove any of these .conf files based on the last update time or something.

    Of note, I did test the above steps, which restricted all of my existing accounts for mod_userdir access, while new accounts worked for that access.

    I also want to explain the reason I went with includes. Include files are user configurable and far easier to remove or update versus making changes to /var/cpanel/userdata files, which cPanel controls. With include files, it is possible to simply remove the configuration file by some cron or script and push the include updates with Apache. It wouldn't be advisable to manipulate the data in /var/cpanel/userdata (the directory used by cPanel to build the Apache httpd.conf VirtualHost sections for individual domains).
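
The cron cleanup described in the reply above, written in shell rather than Perl (an added example, not code from the thread or from cPanel). The 14-day grace period, the `--apply` switch and the username filter are assumptions; the paths and commands are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: expire per-user mod_userdir exceptions after a grace period.
# Paths and commands come from the post; the 14-day default is an assumption.
BASE="${BASE:-/usr/local/apache/conf/userdata/std/2}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-14}"

# expire_userdir_includes BASE_DIR MAX_AGE_DAYS
# Deletes BASE_DIR/<user>/userdir.conf files older than MAX_AGE_DAYS and
# prints one expired username per line. The global BASE_DIR/userdir.conf
# ("UserDir disabled") sits at depth 1 and is never matched.
expire_userdir_includes() {
    base=$1; days=$2
    [ -d "$base" ] || return 1
    find "$base" -mindepth 2 -maxdepth 2 -type f -name userdir.conf -mtime +"$days" |
    while IFS= read -r conf; do
        user=$(basename "$(dirname "$conf")")
        # Assumption: account names are lowercase alphanumerics; skip anything else.
        case $user in
            ''|*[!a-z0-9]*) continue ;;
        esac
        rm -f -- "$conf"
        rmdir -- "$(dirname "$conf")" 2>/dev/null || true   # only removed if empty
        printf '%s\n' "$user"
    done
}

# Push the change to Apache only when at least one exception was removed.
apply_expiry() {
    expired=$(expire_userdir_includes "$BASE" "$MAX_AGE_DAYS") || return 1
    [ -n "$expired" ] || return 0
    for u in $expired; do
        /scripts/ensure_vhost_includes --user="$u"
    done
    /etc/init.d/httpd restart
}

# From cron, call the script with --apply; without it nothing is changed.
if [ "${1:-}" = "--apply" ]; then apply_expiry; fi
```

Once an account's include is deleted, the server-wide `UserDir disabled` include from the earlier step applies to it again.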
