Inside of cPanel's EasyApache, there is a function known as FileProtect. FileProtect is a function that aims to secure each cPanel user's document root. This is done by securing permissions and ownership of each user's home and public_html directories. By default, EasyApache4 enables this option.
Also, please note that for the most optimal security we advise that scripts are run as the user and not as root. More information on this can be found here: What's the importance of running scripts as the user?
If you have enabled the FileProtect option, then each time EasyApache performs an update it is going to make the following changes:
- EasyApache will create the /var/cpanel/fileprotect file
- The system will execute the script "/usr/local/cpanel/scripts/enablefileprotect"
- This sets the user's home directory (/home/$username) to 0711 Permissions.
- This sets all document root directories’ (For example, /home/$username/public_html) group to the username user, and 0750 permissions
It is worth mentioning that group ownership of /home/$username/public_html will vary depending on what modules you have installed for Apache. If your server is not using the module, Mod_ruid2, or mpm_itk_module, then the group ownership will change to be owned by "nobody."
While this feature is beneficial, some site owners have intentionally set specific permissions and ownership for their sites to work. If you have specific directory permissions and ownership that is required for your site, FileProtect is going to revert them every time an Apache update is run. If you must disable FileProtect, you can do so from WHM's Home »Server Configuration »Tweak Settings.
You can also enable and disable FileProtect from the command line. To enable the FileProtect option, run the following script:
/usr/local/cpanel/scripts/enablefileprotect
To disable the FileProtect option, run the following script:
/usr/local/cpanel/scripts/disablefileprotect
For more information, you can review the documentation on this feature, here: cPanel Documentation - The EasyApache 4 FileProtect Option