Paper Lantern for cPanel accounts is being retired this year. Find out more »
cPanel & WHM Version 102 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!
This object is in archive! 

Use ACLs to tighten permissions on home directories

cPDavidNielson shared this idea 8 years ago
Open Discussion

As a server owner / administrator, I'd like to more explicitly protect my users' data by removing world permissions from their home directories. To allow Apache and Exim access to the data they need, I would add a POSIX ACL for execute permissions to the user's home directory.


So ownership would remain user:user, permissions would change to 750, and new ACLs would be added for execute only, just for /home/username, nothing else.


As far as I can tell, all platforms that cPanel supports also support POSIX ACLs. This would be a great default for new setups.

Replies (6)

photo
3

I'm all for this if we can also get a /script that can be run to fix up home directory ownership and perms/ACLs, similar to /scripts/mailperm but will fix up any of the typical files and directories found under /home/ACCOUNT/.

photo
1

I'd support this for two reasons


1. It helps to resolve a query / common misunderstanding that comes up daily

2. It makes use of built in OS features to increase security without extra proprietary software

photo
1

Easy Apache 3 and 4 provide FileProtect which should provide the functionality requested here:

https://documentation.cpanel.net/display/EA/Apache+Module%3A+FileProtect


To enable fileprotect simply run:

/scripts/enablefileprotect

photo
1

No, fileprotect is different. It's using Unix Discretionary Access Controls--the familiar chmod, chown, etc. What I'm asking for is POSIX ACLs, which are less widely used. (Read about getfacl and setfacl; they're very slightly more complex but if you can learn UNIX permissions, you can learn POSIX ACLs.)


A user's home directory should not be world-executable. It should be +x for the user, the web server, and the mail server--that's it. Fileprotect does not, and cannot, provide that level of protection, but POSIX ACLs could.

photo
2

This is already supported by running /usr/local/cpanel/scripts/initacls.

photo
1

*shocked face*


This is awesome! Thanks JD!

Leave a Comment
 
Attach a file