1. cPanel & WHM Documentation
  2. EasyApache4
  3. Apache
  4. The EasyApache 4 FileProtect Option
ea4 security whmadvanced

The EasyApache 4 FileProtect Option

Last modified: August 30, 2024

Overview

The EasyApache FileProtect option improves the security of each cPanel user’s public_html and addon domain document root directories by allowing only Apache and the user to view their contents.

In EasyApache 4, the system enables this option by default.

Functionality

When you enable the FileProtect option, EasyApache performs the following actions:

  • Creates the /var/cpanel/fileprotect file.

    Note:
    When you disable this option, EasyApache removes this file.

  • Executes the /usr/local/cpanel/scripts/enablefileprotect script, which sets more secure permissions for each cPanel user’s /public_html directory.

  • Sets the cPanel user’s /home/username/ directory to 0711 permissions.

  • Sets all document root directories’ GroupID to the nobody user with 0750 permissions.

    Note:

    If you enable the mod_ruid2 or mod_mpm_itk Apache modules, EasyApache will set all document root directories’ GroupID to the username user.

When you disable this option, EasyApache resets permissions to their default settings, even if you have modified them elsewhere. To do this, EasyApache performs the following actions:

  • Resets the user’s /home/username/ directory to 0711 permissions.

  • Resets the user’s /home/username/public_html directory Group ID to the username user and 0711 permissions.

  • Resets each addon domain’s document root directory to 0711 permissions.

Enable or disable FileProtect

Requirements

This option does not possess any requirements.

Compatibility

This option does not possess any known compatibility issues, and works when you enable the mod_ruid2 Apache module.

Tweak Settings

You can enable or disable the FileProtect option in WHM’s Tweak Settings interface (WHM » Home » Server Configuration » Tweak Settings) with the Enable File Protect option. This option appears in the Security section and defaults to on.

Command line

To enable the FileProtect option via the command line, connect via SSH as the root user and run the following script: 

/usr/local/cpanel/scripts/enablefileprotect

To disable the FileProtect option, connect via SSH as the root user and run the following script: 

/usr/local/cpanel/scripts/disablefileprotect

For more information about these scripts, run these scripts with the --help flag.

Additional Documentation