#!/usr/bin/perl
# cpanel - enablefileprotect                      Copyright(c) 2010 cPanel, Inc.
#                                                           All rights Reserved.
# copyright@cpanel.net                                         http://cpanel.net
# This code is subject to the cPanel license. Unauthorized copying is prohibited

BEGIN { unshift @INC, '/usr/local/cpanel'; }

use strict;
use Cwd                            ();
use Cpanel::Config               ();
use Cpanel::Filesys              ();
use Cpanel::SafetyBits           ();
use Cpanel::AccessIds            ();
use Cpanel::FrontpageAdmin       ();
use Cpanel::FileUtils::TouchFile ();

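# Unbuffer STDOUT so each progress message appears as its step runs.
$| = 1;

# Only the first argument is inspected. Normalise a missing argument to ''
# so the comparisons below never operate on undef.
my $first_arg = defined $ARGV[0] ? $ARGV[0] : '';
display_help() if ( $first_arg eq '--help' );
my $skip_ea3_check = $first_arg eq '--skip-ea3-check';

my $cpconf_ref = Cpanel::Config::loadcpconf();

# Group that is later given access to public_html and .htpasswds. The truth
# test also rejects gid 0, so those directories are never handed to the root
# group if the lookup returns something unexpected.
my $httpgid = ( getgrnam('nobody') )[2];
if ( !$httpgid ) {
    die "Failed to fetch gid for 'nobody'";
}

my $wwwacct_ref = Cpanel::Config::loadwwwacctconf();
my $home        = $wwwacct_ref->{'HOMEDIR'} || '/home';
my $homematch   = $wwwacct_ref->{'HOMEMATCH'};

if ( !-e $home ) {

    # Report a failed mkdir instead of ignoring it; the script still continues
    # so the remaining mounts and accounts are processed.
    mkdir($home) or warn "Unable to create home root $home: $!\n";
}

my $disks = Cpanel::Filesys::get_disk_mounts();

# Probe whether an unprivileged process can resolve its working directory
# beneath a 0711 parent; the result selects the mode used for home roots.
my $has_broken_pwd = has_broken_pwd();

# Record the probe result as a marker file (present = broken pwd detected).
if ($has_broken_pwd) {
    Cpanel::FileUtils::TouchFile::touchfile('/var/cpanel/brokenpwd');
}
else {
    unlink('/var/cpanel/brokenpwd');
}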

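# Set the mode on the configured home root and on every mount point that
# matches HOMEMATCH: 0711 normally, 0755 when the pwd probe reported a
# broken /bin/pwd.
my %SEEN_MOUNTS;
my $home_root_mode = $has_broken_pwd ? 0755 : 0711;
foreach my $mount ( values %{$disks}, $home ) {
    next if ( exists $SEEN_MOUNTS{$mount} );

    # HOMEMATCH is read from the wwwacct configuration and is applied as a
    # regular expression, not as a literal string. The truth test on
    # $homematch also keeps an empty pattern from being used.
    next unless ( $mount eq $home || ( $homematch && $mount =~ m/$homematch/ ) );

    $SEEN_MOUNTS{$mount} = 1;
    if ($has_broken_pwd) {
        print "*** Broken /bin/pwd detected, permissions on home roots must be 0755 instead of 0711 ***\n";
        print "See https://bugzilla.redhat.com/show_bug.cgi?id=448446\n";
        print "Setting $mount permissions to 0755....";
    }
    else {
        print "Setting $mount permissions to 0711....";
    }

    # chmod returns the number of paths changed; do not report success when
    # the mode was not actually applied.
    if ( chmod $home_root_mode, $mount ) {
        print "..Done\n";
    }
    else {
        print "..Failed: $!\n";
    }
}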

# Create the Fileprotect marker file unless it is already present.
unless ( -e '/var/cpanel/fileprotect' ) {

    # --skip-ea3-check short-circuits the EasyApache 3 detection call.
    my $treat_as_ea3 = $skip_ea3_check || Cpanel::Config::httpd_was_built_by_ea3();

    if ( !$treat_as_ea3 ) {
        print "File protection must be enabled from easy/buildapache\n";
        exit 1;
    }

    # With EasyApache 3, Fileprotect can be enabled without recompiling Apache
    system( 'touch', '/var/cpanel/fileprotect' );

    # The exit status of touch is not inspected; the existence of the marker
    # file is what decides whether enabling succeeded.
    if ( !-e '/var/cpanel/fileprotect' ) {
        print "Error while creating /var/cpanel/fileprotect to enable Fileprotect support";
        exit 1;
    }
}

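# Walk the password database and tighten permissions for every cPanel account
# (an entry with a file under /var/cpanel/users and a uid of 500 or above).
print 'Setting permissions for.....';
while ( my @PW = getpwent() ) {
    next if ( !$PW[0] || !-e '/var/cpanel/users/' . $PW[0] );
    my $useruid = $PW[2];
    next if ( $useruid < 500 );
    my $homedir = $PW[7];
    if ( $homedir && -d $homedir ) {
        print $PW[0] . '...';
        if ( exists $cpconf_ref->{'acls'} && $cpconf_ref->{'acls'} eq '1' ) {

            # fork() returns undef on failure. Without this check the parent
            # would fall into the child branch below, switch ids and exit,
            # silently ending the whole run.
            my $pid = fork();
            if ( !defined $pid ) {
                warn "Unable to fork while setting ACLs for $PW[0]: $!\n";
                next;
            }
            if ($pid) {
                waitpid( $pid, 0 );
            }
            else {

                # Child: the ACL and mode changes on the home directory are
                # made after switching ids to the account.
                # NOTE(review): presumably setuids dies if it cannot switch
                # ids; confirm, otherwise this child would continue with the
                # parent's privileges inside a user-controlled directory.
                Cpanel::AccessIds::setuids( $PW[0] );
                system 'setfacl', '-kb',
                  '-m', 'group:nobody:x',
                  '-m', 'group:mail:x',
                  '-m', 'group:ftp:x',
                  '-m', 'group:65535:x',
                  '-m', 'group:cpanel:x',
                  '-m', 'group:mailnull:x',
                  '--', $homedir;
                chmod 0750, $homedir;
                exit;
            }
        }

        # Only a real public_html directory is handled; a symlink is skipped.
        # NOTE(review): this is a check-then-use sequence on a path the user
        # controls; presumably the SafetyBits helpers re-validate the target
        # before changing it; confirm.
        if ( -d $homedir . '/public_html' && !-l $homedir . '/public_html' ) {
            if ( !exists $cpconf_ref->{'acls'} || $cpconf_ref->{'acls'} ne '1' ) {
                Cpanel::SafetyBits::safe_chmod( 0711, $useruid, $homedir );
            }
            if ( !-e $homedir . '/.htpasswds' ) {

                # Same fork-failure guard as above: never let the parent run
                # the child branch.
                my $pid = fork();
                if ( !defined $pid ) {
                    warn "Unable to fork while creating .htpasswds for $PW[0]: $!\n";
                    next;
                }
                if ($pid) {
                    waitpid( $pid, 0 );
                }
                else {

                    # Child: create the directory after switching ids to the
                    # account so it is owned by that account.
                    Cpanel::AccessIds::setuids( $PW[0] );
                    mkdir( $homedir . '/.htpasswds', 0750 );
                    exit;
                }
            }

            # Give the web server group ($httpgid) group ownership, then
            # restrict both directories to owner + group.
            Cpanel::SafetyBits::safe_userchgid( $useruid, $httpgid, $homedir . '/public_html' );    #safe
            Cpanel::SafetyBits::safe_userchgid( $useruid, $httpgid, $homedir . '/.htpasswds' );     #safe
            if ( -d $homedir . '/public_html/_vti_pvt' ) {
                Cpanel::FrontpageAdmin::webprotect( $homedir . '/public_html', $useruid, $httpgid );
                Cpanel::FrontpageAdmin::dopassmod( $homedir . '/public_html', $useruid, $httpgid );
            }
            Cpanel::SafetyBits::safe_chmod( 0750, $useruid, $homedir . '/public_html' );
            Cpanel::SafetyBits::safe_chmod( 0750, $useruid, $homedir . '/.htpasswds' );
        }
    }
}
endpwent();
print "...Done\n";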

# Print the usage text to STDOUT and terminate the script with exit status 0.
sub display_help {

    # $0 is interpolated so the usage line shows the name the script was run as.
    my $usage_text = <<"EO_HELP";
Usage: $0 [--help] [--skip-ea3-check]
  Protect the public_html directory of each user account so that only Apache and the user may
  view its contents.  Use the disablefileprotect script to reverse the process.

Options:
  --help            This screen
  --skip-ea3-check  If Apache was compiled by EasyApache 1, Fileprotect must be enabled and
                    disabled from EasyApache.  With EasyApache 3, Fileprotect can be enabled
                    and disabled without recompiling.  This flag will cause the script to assume
                    Apache was compiled by EasyApache 3 without actually checking.
EO_HELP

    print $usage_text;
    exit;
}

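# Probe whether an unprivileged process can resolve its working directory
# below a 0711 parent directory.
#
# Creates <root>/dir under '/', forks a child that switches ids, changes into
# the directory and prints Cwd::cwd(), then compares the printed path with the
# expected one.
#
# Returns 0 when the path is reported correctly, 1 otherwise (including when
# the test directory cannot be created). Dies if the child cannot be forked.
sub has_broken_pwd {
    my $test_root = '/cpanel_enable_file_protect_test_broken_pwd';
    my $test_dir  = $test_root . '/dir';

    mkdir $test_root, 0711;
    mkdir $test_dir,  0755;

    if ( !-d $test_dir ) {

        # Do not leave a half-created test tree behind in '/'.
        system 'rm', '-rf', $test_root;
        return 1;
    }

    # The mode passed to mkdir is filtered by the umask and is not applied to
    # a directory left over from an earlier run. Set the modes explicitly so a
    # restrictive umask cannot produce a false "broken" result, which would
    # loosen the home roots to 0755.
    chmod 0711, $test_root;
    chmod 0755, $test_dir;

    # open with '-|' forks; it returns undef on failure. Without this check the
    # parent would run the child branch below, switch ids and exit.
    my $pid = open( my $test_fh, '-|' );
    if ( !defined $pid ) {
        my $fork_error = $!;
        system 'rm', '-rf', $test_root;
        die "Unable to fork for the /bin/pwd test: $fork_error\n";
    }

    my $ok;
    if ($pid) {
        $ok = readline($test_fh);
    }
    else {

        # Child: STDOUT is the pipe read by the parent.
        # NOTE(review): 99/99 is hard-coded here while the main script looks
        # up 'nobody' by name; presumably both refer to the same account,
        # confirm on the target platform.
        Cpanel::AccessIds::setuids( 99, 99 );
        chdir $test_dir;
        print Cwd::cwd();
        exit;
    }
    close($test_fh);

    # An empty read (child printed nothing) is treated as a mismatch.
    $ok = '' if !defined $ok;
    chomp($ok);

    system 'rm', '-rf', $test_root;

    return $ok eq $test_dir ? 0 : 1;
}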