1. cPanel & WHM Documentation
  2. EasyApache4
  3. Apache
  4. The EasyApache 4 FileProtect Option
ea4 security whmadvanced

The EasyApache 4 FileProtect Option

Last modified: December 23, 2020

Overview

The EasyApache FileProtect option improves the security of each user’s public_html directory. In EasyApache 4, the system enables this option by default.

Usage

Use this option to set permissions for each cPanel account user’s public_html directory and each addon domain’s document root directory. This allows only Apache and the user to view its contents.

When you enable this option, EasyApache performs the following actions:

  • Creates the /var/cpanel/fileprotect file.

    Note:
    When you disable this option, EasyApache removes this file.

  • Executes the /usr/local/cpanel/scripts/enablefileprotect script, which sets more secure permissions for each user’s /public_html directory.

  • Sets the user’s /home/username/ directory to 0711 permissions.

  • Sets all document root directories’ GroupID to the nobody user and 0750 permissions.

    Note:

    If you enable the mod_ruid2 or mod_mpm_itk Apache modules, EasyApache will set all document root directories’ GroupID to the username user.

When you disable this option, EasyApache resets the permissions to their default settings. To do this, EasyApache performs the following actions:

  • Sets the user’s /home/username/ directory to 0711 permissions.

  • Sets the user’s /home/username/public_html directory Group ID to the username user and 0711 permissions.

  • Sets each addon domain’s document root directory to 0711 permissions.

Requirements

This option does not possess any requirements.

Compatibility

  • This option works when you enable the mod_ruid2 Apache module.

  • This option does not possess any known compatibility issues.

Enable or Disable FileProtect

In the interface

You can enable or disable the FileProtect option with the Enable File Protect option in the Security section of WHM’s Tweak Settings interface (WHM » Home » Server Configuration » Tweak Settings).

This option defaults to on.

On the command line

To enable the FileProtect option, run the following script: 

/usr/local/cpanel/scripts/enablefileprotect

To disable the FileProtect option, run the following script: 

/usr/local/cpanel/scripts/disablefileprotect

For more information about these scripts, run these scripts with the --help flag.

Additional Documentation