
Question about deleting files that are owned by root

Discussion in 'General Discussion' started by zigzam, Jun 4, 2006.

  1. zigzam

    It is getting very common that scripts will create files with the ownership of root so the regular cPanel user cannot delete them. Is there a better method of fixing this without having to log in to root and change the permissions to the user? Is there a script the client could use?

    I don't want to use PHP suEXEC.
     
  2. bmcgrail

    What scripts?

    Web scripts should run as nobody, not root. If they are running as root that is a BIG security problem.
     
  3. zigzam


    They make the files owned by root. Scripts such as Mambo and Joomla.
     
  4. bmcgrail

    A non-root user cannot make a file owned by root. Nor can it make a file and change the owner to root.

    If this is happening at install then you need to be logged in as the user when doing the install.

    From the command prompt, su to root, then do su -m username. The -m option will allow you to become them even if they don't have a valid shell.

    If you are installing from cPanel or Fantastico then you need to log into cPanel with their password, not from WHM with the root password.

    If this is happening just from being used throughout the normal course of the day then you might have Apache running as root.

    Check your /usr/local/apache/conf/httpd.conf file for User and Group.
    Should be:

    User nobody
    Group nobody

    Then double check your /etc/passwd file and /etc/group file to make sure that the Apache user and group id are not zero.
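
    The httpd.conf and /etc/passwd check described in the post above, written out as an added example (not part of the original thread). The function names are made up for illustration, the default config path is the one quoted in the post, and `User`/`Group` lines inside `<VirtualHost>` blocks are skipped so only the server-wide setting is judged.

```shell
#!/bin/sh
# Added example: verify the Apache run-as account is unprivileged.
# Usage: apache_runas_check [httpd.conf] [passwd] [group]
# Returns 0 = unprivileged, 1 = uid or gid is 0, 2 = could not resolve.

# Print the last server-level value of a directive (User or Group).
# Commented-out lines never match because their first field starts with "#".
conf_directive() {
    awk -v key="$1" '
        tolower($1) ~ /^<virtualhost/   { in_vhost = 1 }
        tolower($1) ~ /^<\/virtualhost/ { in_vhost = 0; next }
        !in_vhost && tolower($1) == tolower(key) { val = $2 }
        END { print val }' "$2"
}

# Resolve a name (or Apache's "#123" numeric form) to an id, using
# field 3 of a passwd- or group-format file.
resolve_id() {
    case "$1" in
        '#'*) printf '%s\n' "${1#?}" ;;
        *)    awk -F: -v n="$1" '$1 == n { print $3; exit }' "$2" ;;
    esac
}

apache_runas_check() {
    conf=${1:-/usr/local/apache/conf/httpd.conf}
    passwd=${2:-/etc/passwd}
    group=${3:-/etc/group}

    user=$(conf_directive User "$conf")
    grp=$(conf_directive Group "$conf")
    [ -n "$user" ] && [ -n "$grp" ] || { echo "User/Group not set in $conf"; return 2; }

    uid=$(resolve_id "$user" "$passwd")
    gid=$(resolve_id "$grp" "$group")
    [ -n "$uid" ] && [ -n "$gid" ] || { echo "cannot resolve $user:$grp"; return 2; }

    echo "Apache runs as $user:$grp (uid=$uid gid=$gid)"
    # A differently named account that maps to id 0 is still root.
    if [ "$uid" -eq 0 ] || [ "$gid" -eq 0 ]; then
        echo "PROBLEM: web server account has id 0"
        return 1
    fi
    return 0
}
```

    Run `apache_runas_check` as root with no arguments to check the live files; a return code of 1 means the web server account maps to id 0 even if it is not literally named root.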
     
  5. zigzam

    Same deal: if the files are owned by nobody then the clients still cannot delete them.
     
  6. bmcgrail

    I would need more information to give you any other advice. Do you know an exact file in a directory that is being created by a script? Can you give a way that someone else could re-create the problem?

    With scripts that let people upload, such as the image gallery scripts, uploaded files are owned by nobody and inherit the user's group, so they can be deleted by the user.

    I have yet to see Mambo or Joomla create a file owned by root.

    Maybe you have hackers in your system creating files in these directories? Whatever the case is, there is something wrong and you should fix it.
     
  7. zigzam


    If you do a search on Google you will find hundreds of results. You must not run a hosting company or you would run into this every day. It's not hackers. Even HostGator talks about it:
    http://forums.hostgator.com/showthread.php?t=8822

     
  8. mctDarren

    I might be reading it wrong, but I think the issue they are talking about is one where the script is uploaded to the user's web directory and given ownership/permissions for the user's account. Yet PHP and web server were running as either root or nobody. Now with phpsuexec, it's run as the user so you can adjust ownership/permission to just the user and not leave it open to be owned by root/nobody. But maybe I'm wrong...
     
  9. zigzam

  10. dave9000


    If the files are actually root:root permissions then you have a big problem with your server.

    Any files uploaded via a PHP script will be created with the uid:gid that Apache is running as, which should be nobody:nobody.

    However, either way you will not be able to modify or remove the files via a normal username.
    Another PHP script should be able to manage them as it will run as the uid:gid of Apache.

    If you run phpsuexec or suPHP then the scripts will run as the owner of the website and you will be able to modify, remove them with FTP or SSH access as the cPanel username.
     
  11. bmcgrail

    USE AT YOUR OWN RISK

    I do not suggest this, you might break more things than you fix, but the following script will change all files under public_html and its subdirectories to be owned by the user and grouped by nobody. It will not change any read/write permissions as that will break things for sure.

    Change to meet your needs.
    It assumes username is equal to /home/username
    It assumes apache is running as group nobody
    Thus all files under /home/myuser/public_html would be owned by myuser:nobody after the script runs.

    edited from csh to sh
    Code:
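    #!/bin/sh
    # Re-own every /home/<user>/public_html tree to <user>:nobody.
    # Assumes the directory name under /home is the account name.
    cd /home/ || exit 1
    f="public_html"
    for d in *
    do
            # Only act on accounts that actually have the directory
            if [ -e "$d/$f" ]; then
                    echo "Fixing ownership of: /home/$d/$f"
                    # Run chown directly; the original backticks tried to
                    # execute chown's output as a command
                    /bin/chown -R "${d}:nobody" "/home/$d/$f"
            fi
    done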
    
    Want to test it first? Change set f = public_html to set f = test_dir, then make a test_dir in a user's home directory. Put some junk text files in the test_dir, change their owner to root, and run the script.
     
    #11 bmcgrail, Jun 6, 2006
    Last edited: Jun 6, 2006
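
    A read-only audit to run before any bulk chown like the script in the post above, as an added example (not from the thread): it lists files under each document root that the account's uid does not own and tags uid 0 entries separately, so root-owned files are investigated rather than silently re-owned. The function names are hypothetical, and the /home/<username>/public_html layout is the same assumption the post makes.

```shell
#!/bin/sh
# Added example: report, without changing anything, files in a document
# root that are not owned by the account's uid.

# audit_docroot DIR EXPECTED_UID
# Prints one tagged "ls -ldn" line per finding; returns 1 if any were found.
audit_docroot() {
    dir=$1; want=$2
    # "! -user N" matches anything not owned by numeric uid N;
    # "ls -ldn" prints numeric ids, so field 3 is the owning uid.
    out=$(find "$dir" ! -user "$want" -exec ls -ldn {} + 2>/dev/null |
          awk '{ print (($3 == 0) ? "ROOT-OWNED" : "FOREIGN-UID"), $0 }')
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# audit_all_homes [BASE] [DOCROOT]
# Walks BASE/<account>/DOCROOT for every account directory under BASE.
audit_all_homes() {
    base=${1:-/home}; docroot=${2:-public_html}; rc=0
    for home in "$base"/*/; do
        acct=$(basename "$home")
        [ -d "$home$docroot" ] || continue
        # Directories that do not correspond to a real account are skipped.
        uid=$(id -u "$acct" 2>/dev/null) || { echo "skip $acct: no such account"; continue; }
        audit_docroot "$home$docroot" "$uid" || rc=1
    done
    return $rc
}
```

    FOREIGN-UID lines for the Apache account are the uploaded-by-script case discussed in the thread; ROOT-OWNED lines are the case several posters say should not occur on a correctly configured server.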
  12. mambovince

    How about running a cron script to just execute the following command say, every day:

    /scripts/chownpublichtmls

    That would set ownerships on all hosted accounts on that server.

    - Vince
     
  13. NightStorm

    I still don't understand how a file can be owned by root when it wasn't created by root. And if it was created by root, then there is a serious security hole involved... nothing in Apache should be running as root.
     
  14. mambovince

    It is not running as root, just file ownership given to root.
    AFAIK, as long as you have initial access rights to those files, you can chmod and give file ownership to anyone else - but then of course lose your ownership to those same files.

    - Vince
     
  15. dgbaker

    It is impossible on any *nix system for a non-privileged (non-root) user to chown a file to root. They will receive an "Operation not permitted" error upon trying to do so.

    As has been mentioned, if you have Apache/PHP or such creating files with ownership of root, then your system has some major security issues that need to be dealt with. If unsure how to deal with it, hire someone to have a look and ensure the system is secure.
     
  16. bmcgrail

    No you can't. Try it. Doesn't happen.

    And think about it. What programmer would go out of their way to make a script change file ownership to root? The links given mentioned nothing about root ownership. All they said is that the templates can only be removed or changed from within the Joomla script and cannot be modified or removed via FTP. If you have root-owned files being created on your system there IS a problem.
     