What can change directory ownership settings?

Question

What can change directory ownership settings?

Answer

Inside cPanel's EasyApache 4, there is a function known as FileProtect. FileProtect is a function that aims to secure each cPanel user's document root by setting secure permissions and ownership of each user's home and public_html directories. By default, EasyApache 4 enables this option.

If you have enabled the FileProtect option, then each time EasyApache performs an update, it is going to make the following changes:

• EasyApache will create the /var/cpanel/fileprotect file

• The system will execute the script:

  # /usr/local/cpanel/scripts/enablefileprotect

• This sets the user's home directory (/home/$username) to 0711 permissions
• This sets all document root directories' (For example, /home/$username/public_html) groups to the username user, and 0750 permissions

It is worth mentioning that group ownership of /home/$username/public_html will vary depending on what modules you have installed for Apache. If your server does not have scripts executing as the user, then the group ownership will change to be owned by "nobody."

Note: For the most optimal security, we advise that scripts be run as the user and not as root. More information on this can be found here:
What's the importance of running scripts as the user?

While this feature is beneficial, some site owners have intentionally set specific permissions and ownership for their sites to work. If you have specific directory permissions and ownership that are required for your site, FileProtect is going to revert them every time an Apache update is run. If you must disable FileProtect, you can do so by running the following command:

# /usr/local/cpanel/scripts/disablefileprotect

Additional Information

The EasyApache 4 FileProtect Option | cPanel & WHM Documentation