While discussing PHP permissions in the last blog, we concluded that SuPHP servers ideally needed PHP file permissions of just 600.

Out of many means to set the permission/ownership, the quickest is to set the permissions, using a script. You may set this script as a cron that runs daily or weekly, to take care of the the permissions. The script is now written for a server that has cPanel installed. Slight modifications to it, would make it work with other control panels, or even on servers that do not have any control panels.

The script also allows certain accounts to have custom PHP permissions, so that any custom application that needs specific permissions can be run, and such accounts would not be affected by the script.

The PHP permission script primarily does the following :

• 1. Changes the ownership of any PHP files(within public_html) under the ownership of nobody to the ownership of the user.

• 2. Changes permission of PHP files with 444 or 440 permission to 400.

3. Changes permission of all PHP files except those having 000 or 400 permissions to 600.

Steps to use this script :

• 1. Create /usr/local/customscripts folder

mkdir /usr/local/customscripts

• 2. Create the script file /usr/local/customscripts/php-perms.sh using your favorite editor.

vim /usr/local/customscripts/php-perms.sh

• 3. Give execute permission to the script

chmod -v 755 /usr/local/customscripts/php-perms.sh

Script given below can be used in cPanel servers which has suPHP enabled.
#!/bin/bash
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/usr/local/bin:/usr/X11R6/bin:/root/bin;
cd /usr/local/customscripts/;
for i in $(cut -d " " -f 2 /etc/trueuserdomains)
do
if [ ! -f /home/$i/customperm.txt ]
then
find /home/$i/public_html -type f -user nobody -group nobody -name *.php -exec chown -v "$i":"$i" {} ;
find /home/$i/public_html -type f -perm 444 -o -perm 440 -name *.php -exec chmod -v 400 {} ;
find /home/$i/public_html -type f ! -perm 600 ! -perm 400 ! -perm 000 -name *.php -exec chmod -v 600 {} ;
fi
fi
done > php-perms-log.txt

You may add this as a cron job, as outlined in the following blog : cPanel adding cron job. This measure you take for PHP security would work only if you periodically keep setting the PHP permissions right. I would suggest to set is as a cron that runs every day, or say every 12 hours.

Script compatibility : Known issues

Some custom applications like the shopping cart Interspire has the practice of setting permissions to some uploaded files(images) to the permission set for its configuration file. Say you set 777 permission to the configuration file, it will give the permission of 777 to the uploaded images. If you set 600 permission to configuration file, it will set 600 permission to all uploaded images.

In such cases, or even other cases, where you need to have custom permissions for certain accounts, you may create a file by the name customperm.txt in the home directory of the account (like /home/cpanel_username/customperm.txt). The presence of this file will make sure that the script does not act upon PHP files within that account, and you can continue to have custom PHP permissions

Otherwise, the script works just fine in all of the production shared servers, and has helped in the overall manageability of PHP permissions and have added to the PHP file security!

About the author

Sherin George joined Bobcares in 2006, and is currently the technical support lead of a data center. He is an expert in virtualization and data center management. A quintessential geek, he spends his time reading technical articles and listening to music.

Co-authored by Sankar.H