Use ACLs to tighten permissions on home directories
Open Discussion
As a server owner / administrator, I'd like to more explicitly protect my users' data by removing world permissions from their home directories. To allow Apache and Exim access to the data they need, I would add a POSIX ACL for execute permissions to the user's home directory.
So ownership would remain user:user, permissions would change to 750, and new ACLs would be added for execute only, just for /home/username, nothing else.
As far as I can tell, all platforms that cPanel supports also support POSIX ACLs. This would be a great default for new setups.
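The change proposed in the opening post, as an added example that is not part of the thread or of cPanel's own scripts: it audits a home directory for world permission bits and prints the `chmod`/`setfacl` commands for review instead of running them. The account names `nobody` (Apache) and `mailnull` (Exim) and the function names are assumptions; check which users the services run as on your server.

```shell
#!/bin/sh
# Service accounts that must traverse /home/<user>. ASSUMED names, not
# taken from the thread; override via the environment if yours differ.
WEB_USER="${WEB_USER:-nobody}"
MAIL_USER="${MAIL_USER:-mailnull}"

# has_world_bits DIR: succeed if any "other" permission bit is set on DIR.
# Uses GNU stat; the last octal digit of the mode is the "other" class.
has_world_bits() {
    mode=$(stat -c '%a' "$1") || return 2
    case $mode in
        *0) return 1 ;;
        *)  return 0 ;;
    esac
}

# plan_home_acl DIR: print (do not run) the commands that bring DIR to
# mode 750 plus execute-only ACL entries for the two service accounts.
plan_home_acl() {
    dir=$1
    [ -d "$dir" ] || return 1
    mode=$(stat -c '%a' "$dir") || return 2
    # chmod goes first: on a directory that already has an ACL, chmod
    # rewrites the ACL mask, and a later "chmod 700" would mask out the
    # named-user entries added below.
    [ "$mode" = 750 ] || printf "chmod 750 -- '%s'\n" "$dir"
    # --x on a directory is traverse-only: the service can reach paths it
    # already knows, but cannot list the directory or create files in it.
    printf "setfacl -m u:%s:--x,u:%s:--x -- '%s'\n" \
        "$WEB_USER" "$MAIL_USER" "$dir"
    # Confirm the result afterwards with getfacl.
    printf "getfacl -- '%s'\n" "$dir"
}

# Only the top-level directory is touched, nothing beneath it.
for d in "$@"; do
    if has_world_bits "$d"; then
        echo "# $d: world permission bits are set"
    fi
    plan_home_acl "$d"
done
```

The printed paths are single-quoted for readability only, so read the plan before executing any of it, particularly for directory names containing quotes.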
I'm all for this if we can also get a /script that can be run to fix up home directory ownership and perms/ACLs, similar to /scripts/mailperm but will fix up any of the typical files and directories found under /home/ACCOUNT/.
I'd support this for two reasons:
1. It helps to resolve a query / common misunderstanding that comes up daily
2. It makes use of built-in OS features to increase security without extra proprietary software
EasyApache 3 and 4 provide FileProtect, which should provide the functionality requested here:
https://documentation.cpanel.net/display/EA/Apache+Module%3A+FileProtect
To enable fileprotect simply run:
/scripts/enablefileprotect
No, fileprotect is different. It's using Unix Discretionary Access Controls--the familiar chmod, chown, etc. What I'm asking for is POSIX ACLs, which are less widely used. (Read about getfacl and setfacl; they're very slightly more complex but if you can learn UNIX permissions, you can learn POSIX ACLs.)
A user's home directory should not be world-executable. It should be +x for the user, the web server, and the mail server--that's it. Fileprotect does not, and cannot, provide that level of protection, but POSIX ACLs could.
This is already supported by running /usr/local/cpanel/scripts/initacls.
*shocked face*
This is awesome! Thanks JD!