Child pages
  • Compiler Access
For cPanel & WHM version 74

Skip to end of metadata
Go to start of metadata

(WHM >> Home  >> Security Center >> Compiler Access)

Overview

This interface allows you to disable your users' access to the C and C++ compilers on your server. This can help you to protect your server from attacks that exploit vulnerabilities in those compilers.

Manage compiler access

To enable the compilers for all unprivileged users, click Enable Compilers. To disable the compilers for all unprivileged users, click Disable Compilers.

If you wish to grant compiler access to specific users, perform the following steps:

  1. Click Allow specific users to use the compilers.
  2. Select the desired user from the Add a user to the compiler group menu.
  3. Click Add to Group.

To remove compiler access from a user, perform the following steps:

  1. Select the appropriate user’s name from the Remove a user from the compiler group menu.
  2. Click Remove from Group.

How does this feature work?

When compiler access is enabled (default), the /usr/bin/gcc file has the following permissions: 

permissionsusergroup
-rwxr-xr-xrootroot

When you disable compiler access, cPanel changes the permissions of the /usr/bin/gcc file to:

permissionsusergroup
-rwxr-x---rootcompiler

The compiler group contains the cpanel user and any users that you add to the Allow specific users to use the compilers menu.

For more information about Linux file system permissions, visit the Wikipedia's article on File System Permissions.

Warning:

  • If a user appears in the compiler group who does not have a corresponding cPanel account, someone has edited the /etc/group file to add that user.
  • If you enable compiler access for everyone after you have disabled compiler access, the group information will not change. However, the system will grant read and execute permission for the /usr/bin/gcc file to everyone.
  • If you restrict compiler access again, examine the compiler group's membership. If no one has edited the compiler group, it will still contain users who had access to the compilers the last time that you restricted access.

Additional documentation