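#!/usr/local/cpanel/3rdparty/bin/perl

# cpanel - scripts/enablefileprotect               Copyright 2016 cPanel, Inc.
#                                                           All rights Reserved.
# copyright@cpanel.net                                         http://cpanel.net
# This code is subject to the cPanel license. Unauthorized copying is prohibited

# Enables FileProtect. In order, the script:
#   1. probes whether cwd() still works for the 'nobody' user below a 0711
#      directory (has_broken_pwd) and records the result in
#      /var/cpanel/brokenpwd;
#   2. sets the mode of every home root to 0711 (0755 when the probe reports a
#      broken pwd);
#   3. turns the FileProtect flag on if it is not on already;
#   4. runs Cpanel::FileProtect::Sync::sync_user_homedir() for every passwd
#      entry that has a file under /var/cpanel/users.
#
# Failures while changing a home root's mode are reported on the same line as
# the "Setting ... permissions" message rather than being announced as "Done",
# so an operator can see when a home root was NOT tightened.

use strict;

use Cwd                             ();
use Cpanel::Config                  ();
use Cpanel::Config::Httpd::EA4      ();
use Cpanel::Filesys                 ();
use Cpanel::AccessIds               ();
use Cpanel::FileUtils::TouchFile    ();
use Cpanel::FileProtect             ();
use Cpanel::FileProtect::Sync       ();
use Cpanel::LoginDefs               ();
use Cpanel::Config::LoadCpConf      ();
use Cpanel::Config::LoadWwwAcctConf ();
use Try::Tiny;

$| = 1;

# Normalise the first argument so a bare invocation never compares undef.
my $first_arg = defined $ARGV[0] ? $ARGV[0] : '';

display_help() if ( $first_arg eq '--help' );

# For ea4 systems, don't perform ea3 checks
my $skip_ea3_check = Cpanel::Config::Httpd::EA4::is_ea4() || ( $first_arg eq '--skip-ea3-check' );

# The result is not used below; the call is kept as in the original script.
my $cpconf_ref = Cpanel::Config::LoadCpConf::loadcpconf();

# Abort early when the 'nobody' group cannot be resolved.
my $httpgid = ( getgrnam('nobody') )[2];
if ( !$httpgid ) {
    die "Failed to fetch gid for 'nobody'";
}

my $wwwacct_ref = Cpanel::Config::LoadWwwAcctConf::loadwwwacctconf();
my $home        = $wwwacct_ref->{'HOMEDIR'} || '/home';
my $homematch   = $wwwacct_ref->{'HOMEMATCH'};

if ( !-e $home ) {
    mkdir $home or warn "Failed to create $home: $!\n";
}

my $disks          = Cpanel::Filesys::get_disk_mounts();
my $has_broken_pwd = has_broken_pwd();

# Persist the probe result as a flag file.
if ($has_broken_pwd) {
    Cpanel::FileUtils::TouchFile::touchfile('/var/cpanel/brokenpwd');
}
else {
    unlink('/var/cpanel/brokenpwd');
}

my %SEEN_MOUNTS;
foreach my $mount ( values %{$disks}, $home ) {
    next if ( exists $SEEN_MOUNTS{$mount} );

    # HOMEMATCH is interpolated as a regular expression, exactly as configured.
    next if !( $mount eq $home || ( $homematch && $mount =~ m/$homematch/ ) );

    $SEEN_MOUNTS{$mount} = 1;
    if ($has_broken_pwd) {
        print "*** Broken /bin/pwd detected, permissions on home roots must be 0755 instead of 0711 ***\n";
        print "See https://bugzilla.redhat.com/show_bug.cgi?id=448446\n";
        _set_mount_mode( $mount, 0755 );
    }
    else {
        _set_mount_mode( $mount, 0711 );
    }
}

if ( !Cpanel::FileProtect->is_on() ) {

    # With EasyApache 3, Fileprotect can be enabled without recompiling Apache
    if ( $skip_ea3_check || Cpanel::Config::httpd_was_built_by_ea3() ) {
        Cpanel::FileProtect->set_on() or do {
            die "Error while setting Fileprotect flag to on: $!";
        };
    }
    else {
        die "File protection must be enabled from easy/buildapache.\n";
    }
}

print 'Setting permissions for.....';

# Loop-invariant: look the minimum regular-user uid up once.
my $uid_min = Cpanel::LoginDefs::get_uid_min();

while ( my @PW = getpwent() ) {
    my ( $user, $useruid, $homedir ) = @PW[ 0, 2, 7 ];

    # Only accounts that have a file under /var/cpanel/users are processed.
    next if ( !$user || !-e '/var/cpanel/users/' . $user );
    next if ( $useruid < $uid_min );
    next if !$homedir || !-d $homedir;

    print "$user …\n";

    # A failure for one account must not stop the run for the others.
    try {
        warn $_->to_string() for Cpanel::FileProtect::Sync::sync_user_homedir($user);
    }
    catch {
        print "Skipping $user because of an error: $_\n";
    };
}
endpwent();
print "...Done\n";

# Print the usage text and exit.
sub display_help {
    print <<"EO_HELP";
Usage: $0 [--help] [--skip-ea3-check]

Protect the public_html directory of each user account so that only Apache and
the user may view its contents. Use the disablefileprotect script to reverse
the process.

Options:

  --help             This screen

  --skip-ea3-check   If Apache was compiled by EasyApache 1, Fileprotect must be
                     enabled and disabled from EasyApache. With EasyApache 3,
                     Fileprotect can be enabled and disabled without
                     recompiling. This flag will cause the script to assume
                     Apache was compiled by EasyApache 3 without actually
                     checking. If you used Easyapache 4 to install Apache then
                     this flag performs no action and the system will enable
                     FileProtect.

EO_HELP
    exit;
}

# Change $mount to $mode and report the outcome on the progress line.
# Returns 1 on success and 0 on failure; a failure is printed, never fatal.
sub _set_mount_mode {
    my ( $mount, $mode ) = @_;

    printf "Setting %s permissions to %04o....", $mount, $mode;
    if ( chmod $mode, $mount ) {
        print "..Done\n";
        return 1;
    }

    my $chmod_error = $!;    # capture before print can overwrite it
    print "..Failed: $chmod_error\n";
    return 0;
}

# Remove the probe directory tree (list-form system, so no shell is involved).
sub _remove_probe_tree {
    my ($probe_root) = @_;
    system 'rm', '-rf', $probe_root;
    return;
}

# Probe whether cwd() returns the right path for 'nobody' inside a directory
# whose parent is mode 0711.
#
# Returns 0 when the reported directory matches the probe directory and 1
# otherwise (including when the probe itself could not be set up). A result of
# 1 makes the caller use 0755 instead of 0711 on home roots, so a false
# positive loosens permissions; the steps below exist to avoid one.
sub has_broken_pwd {
    my $probe_root = '/cpanel_enable_file_protect_test_broken_pwd';
    my $probe_dir  = "$probe_root/dir";

    mkdir $probe_root, 0711;
    mkdir $probe_dir,  0755;

    # mkdir() modes are filtered through the umask. Under a restrictive umask
    # 'nobody' could not enter the probe tree and the probe would wrongly
    # report a broken pwd, so the intended modes are set explicitly.
    chmod 0711, $probe_root;
    chmod 0755, $probe_dir;

    if ( !-d $probe_dir ) {

        # Do not leave a partially created probe tree behind in /.
        _remove_probe_tree($probe_root);
        return 1;
    }

    my $probe_failed = 0;
    my $probe_error;
    my $child_dir = try {
        Cpanel::AccessIds::do_as_user(
            'nobody',
            sub {
                # An unreachable probe directory yields a value that can
                # never match, instead of whatever the previous cwd was.
                chdir $probe_dir or return '';
                return Cwd::cwd();
            },
        );
    }
    catch {
        $probe_failed = 1;
        $probe_error  = $_;
        return;
    };

    # Clean up before re-raising so the probe tree never outlives the call.
    _remove_probe_tree($probe_root);
    die $probe_error if $probe_failed;

    $child_dir = '' if !defined $child_dir;
    chomp($child_dir);

    return $child_dir eq $probe_dir ? 0 : 1;
}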