Question about deleting files that are owned by root

zigzam

Well-Known Member
May 9, 2005
206
0
166
It is getting very common that scripts will create files with the ownership of root so the regular cPanel user cannot delete them. Is there a better method of fixing this without having to log in as root and change the permissions to the user? Is there a script the client could use?

I don't want to use PHP suEXEC.
 

bmcgrail

Well-Known Member
Dec 8, 2003
83
0
156
What scripts?

Web scripts should run as nobody, not root. If they are running as root that is a BIG security problem.
 

zigzam

bmcgrail said:
What scripts?

Web scripts should run as nobody, not root. If they are running as root that is a BIG security problem.

They make the files owned by root. Scripts such as Mambo and Joomla.
 

bmcgrail

zigzam said:
They make the files owned by root. Scripts such as Mambo and Joomla.
A non-root user cannot make a file owned by root. Nor can it make a file and change the owner to root.

If this is happening at install then you need to be logged in as the user when doing the install.

From command prompt su to root, then do su -m username. The -m option will allow you to become them even if they don't have a valid shell.

If you are installing from cpanel or fantastico then you need to log into cpanel with their password, not from WHM with the root password.

If this is happening just from being used throughout the normal course of the day then you might have apache running as root.

Check your /usr/local/apache/conf/httpd.conf file for User and Group
Should be:

User nobody
Group nobody

Then double check your /etc/passwd file and /etc/group file to make sure that the apache user and group id are not zero.
 

zigzam

Same deal: if the files are owned by nobody, then the clients still cannot delete them.
 

bmcgrail

I would need more information to give you any other advice. Do you know an exact file in a directory that is being created by a script? Can you give a way that someone else could re-create the problem?

With scripts that let people upload, such as the image gallery scripts, uploaded files are owned by nobody and inherit the user's group so they can be deleted by the user.

I have yet to see Mambo or Joomla create a file owned by root.

Maybe you have hackers in your system creating files in these directories? Whatever the case is, there is something wrong and you should fix it.
 

zigzam

bmcgrail said:
I would need more information to give you any other advice. Do you know an exact file in a directory that is being created by a script? Can you give a way that someone else could re-create the problem?

With scripts that let people upload, such as the image gallery scripts, uploaded files are owned by nobody and inherit the user's group so they can be deleted by the user.

I have yet to see Mambo or Joomla create a file owned by root.

Maybe you have hackers in your system creating files in these directories? Whatever the case is, there is something wrong and you should fix it.

If you do a search on Google you will find hundreds of results. You must not run a hosting company or you would run into this every day. It's not hackers. Even HostGator talks about it:
http://forums.hostgator.com/showthread.php?t=8822

This is not everything it fixes though. PHPSUEXEC is also here to fix file ownership problems. This has been a common issue on a few Content Management Systems such as Joomla and also on the popular blog software: WordPress.
 

mctDarren

Well-Known Member
Jan 6, 2004
665
4
168
New Jersey
cPanel Access Level
Root Administrator
This is not everything it fixes though. PHPSUEXEC is also here to fix file ownership problems. This has been a common issue on a few Content Management Systems such as Joomla and also on the popular blog software: WordPress.
I might be reading it wrong, but I think the issue they are talking about is one where the script is uploaded to the user's web directory and given ownership/permissions for the user's account. Yet PHP and web server were running as either root or nobody. Now with phpsuexec, it's run as the user so you can adjust ownership/permission to just the user and not leave it open to be owned by root/nobody. But maybe I'm wrong...
 

dave9000

Well-Known Member
Apr 7, 2003
891
1
168
arkansas
cPanel Access Level
Root Administrator
zigzam said:
They make the files owned by root. Scripts such as Mambo and Joomla

If the files are actually root:root permissions then you have a big problem with your server.

Any files uploaded via a PHP script will be created with the uid:gid that Apache is running as, which should be nobody:nobody.

However, either way you will not be able to modify or remove the files via a normal username.
Another PHP script should be able to manage them as it will run as the uid:gid of Apache.

If you run phpsuexec or suPHP then the scripts will run as the owner of the website and you will be able to modify or remove them with FTP or SSH access as the cPanel username.
 

bmcgrail

USE AT YOUR OWN RISK

I do not suggest this, you might break more things than you fix, but the following script will change all files under public_html and its subdirectories to be owned by the user and grouped by nobody. It will not change any read/write permissions as that will break things for sure.

Change to meet your needs.
It assumes username is equal to /home/username
It assumes apache is running as group nobody
Thus all files under /home/myuser/public_html would be owned by myuser:nobody after the script runs.

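Edited from csh to sh
Code:
#!/bin/sh
# Re-own each /home/<user>/public_html tree to <user>:nobody. Must be run as root.
cd /home/ || exit 1
f="public_html"
# Iterate over the entries in /home; each name is taken to be the username
for d in *
do
        # Only act when the account actually has a public_html directory
        if [ -d "$d/$f" ]; then
                echo "Fixing ownership of: /home/$d/$f"
                /bin/chown -R "${d}:nobody" "/home/$d/$f"
        fi
done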
Want to test it first? Change set f = public_html to set f = test_dir, then make a test_dir in a user's home directory. Put some junk text files in the test_dir, change their owner to root and run the script.
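An added example, not part of the original thread or of bmcgrail's script: a read-only audit that counts entries under a public_html tree by owning uid, so files owned by nobody can be told apart from files owned by root before any chown is run. The function names and the account name myuser are hypothetical, and it assumes GNU find.

```shell
#!/bin/sh
# Added example: report who owns what under a docroot without changing anything.
# Uses GNU find's -printf, as found on Linux servers.

# Print "COUNT UID" for each owner other than the expected account uid.
foreign_owners() {
    find "$1" ! -uid "$2" -printf '%U\n' | sort -n | uniq -c | awk '{ print $1, $2 }'
}

# Print the number of entries owned by uid 0 (root).
# One dot is printed per entry so odd file names cannot skew the count.
root_owned_count() {
    find "$1" -uid 0 -printf '.' | wc -c | tr -d ' '
}

# audit_docroot DIR ACCOUNT_UID
# Returns 0 when nothing under DIR is owned by root, 1 when something is.
audit_docroot() {
    foreign_owners "$1" "$2" | while read -r count uid; do
        echo "$1: $count entries owned by uid $uid instead of $2"
    done
    roots=$(root_owned_count "$1")
    if [ "$roots" -gt 0 ]; then
        echo "$1: $roots entries owned by root; investigate before any chown"
        return 1
    fi
    return 0
}

# Usage as root on the server, for the hypothetical account "myuser":
#   audit_docroot /home/myuser/public_html "$(id -u myuser)"
```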
 

mambovince

Well-Known Member
Jan 15, 2005
193
0
166
London, UK
NightStorm said:
I still don't understand how a file can be owned by root when it wasn't created by root. And if it was created by root, then there is a serious security hole involved... nothing in Apache should be running as root.
It is not running as root, just file ownership given to root.
AFAIK, as long as you have initial access rights to those files, you can chmod and give file ownership to anyone else - but then of course lose your ownership to those same files.

- Vince
 

dgbaker

Well-Known Member
PartnerNOC
Sep 20, 2002
2,576
9
343
Toronto, Ontario Canada
cPanel Access Level
DataCenter Provider
It is impossible on any *nix system for a non-privileged (non-root) user to chown a file to root. They will receive an "Operation not permitted" error upon trying to do so.

As has been mentioned, if you have apache/php or such creating files with ownership of root, then your system has some major security issues that need to be dealt with. If unsure how to deal with it, hire someone to have a look and ensure the system is secure.
 

bmcgrail

mambovince said:
AFAIK, as long as you have initial access rights to those files, you can chmod and give file ownership to anyone else - but then of course lose your ownership to those same files.

- Vince
No you can't. Try it. Doesn't happen.

And think about it. What programmer would go out of their way to make a script change file ownership to root? The links given mentioned nothing about root ownership. All they said is that the templates can only be removed or changed from within the Joomla script and cannot be modified or removed via FTP. If you have root-owned files being created on your system there IS a problem.