How to Restrict Permissions on Files Used by cron
1. Restrict the permissions on the primary system crontab file.
# chown root:root /etc/crontab
# chmod 600 /etc/crontab
2. If anacron has not been removed, restrict the permissions on its primary configuration.
# chown root:root /etc/anacrontab
# chmod 600 /etc/anacrontab
3. Restrict the permission on all system crontab directories:
# cd /etc
# chown -R root:root cron.hourly cron.daily cron.weekly cron.monthly cron.d
# chmod -R go-rwx cron.hourly cron.daily cron.weekly cron.monthly cron.d
4. Restrict the permissions on the spool directory for user crontab files.
# chown root:root /var/spool/cron
# chmod -R go-rwx /var/spool/cron
Cron and anacron make use of a number of configuration and directories. The system crontabs need only be edited by root, and user crontabs are edited using the setuid root crontab command. If unprivileged users can modify system configuration, they may be able to gain elevated privileges, so all unnecessary access to these files should be disabled.
How to confirm Existence and Permissions of System Log Files
For each log file LOGFILE referenced in /etc/syslog.conf or /etc/rsyslog.conf, run the commands:
# touch LOGFILE
# chown root:root LOGFILE
# chmod 0600 LOGFILE
Syslog will refuse to log to a file which does not exist. All messages intended for that file will be silently discarded, so it is important to verify that all log files exist. Some logs may contain sensitive information, so it is better to restrict permissions so that only administrative users can read or write logfiles.
Cron permissions
The following two files play an important role:
/etc/cron.allow - If this file exists, then you must be listed therein (your username must be listed) in order to be allowed to use cron jobs.
/etc/cron.deny - If the cron.allow file does not exist but the /etc/cron.deny file does exist, then you must not be listed in the /etc/cron.deny file in order to use cron jobs.
Please note that if neither of these files exists, then depending on site-dependent configuration parameters, only the super user will be allowed to use cron jobs, or all users will be able to use cron jobs.
How to fix Cpanel Account Permissions
Fixing file and directory permission.
find /home/*/public_html/* -type f -exec chmod 644 {} \;
find /home/*/public_html/* -type d -exec chmod 755 {} \;
we can specify user by replace * with usename
To fix the permission for all the websites.
for i in `ls /var/cpanel/users` ; do chown -R $i.$i /home/$i/public_html/* ; done
Umask and file permissions
The umask is set when you log in, and is usually set in one of the default shell config files (like /etc/profile). You can override the umask for a particular user by setting their umask in the user’s shell profile, usually in “~/.bashrc”. The setting looks something like:
In the example above, the “2″ set for “group” and “other” means, instead of adding write permission to the created file, everything except write permission is added for those two categories. The “0″ means all permissions are set for the file owner.
The umask octal value is kind of the reverse of chmod permissions — you set it with an octal value, but instead of specifying the permissions you want the created file to have, you specify what you don’t want it to have.
You will sometimes see the umask expressed as four digits, like “0022“. Both styles work. That first digit is for setting some special permissions.
