How to allow apache access to a file but prevent others from viewing it?

2

1

I have several folders with Magento installations.

e.g.

www/magento1 www/magento2

All of the files/folders inside of those are owned by root:magento1 and root:magento2 respectively.

I have 3755 perms for all folders, 644 for all directories to start with. That prevents anyone but root from writing to any folder or file.

Then I add in group write permissions for folders/files devs should be able to write to. E.g. they cannot write to core files, but they can write to module/skins that are non core.

That's all fine. The only thing that's not fine is that I don't want them to be able to read the mysql database username/password from magento1/app/etc/local.xml. I don't want them to have access to the database, where sensitive information is stored. I also don't want a rogue programmer to delete a bunch of tables or what have you.

But apache needs to have read access to that same file.

Here's a "solution" that doesn't work: Remove read permissions from group but leave them for others. Why? Because that prevents devs from reading from their app/etc/local.xml, but allows them to read all the others.

What do I do?


EDIT: Yes, devs = developers and they will have SSH and FTP access.

Buttle Butkus

Posted 2012-09-14T02:44:36.493

Reputation: 309

It's really simple. If a file is marked as being readable by a user, then they can view the contents of the file. The answer is to make the user that runs apache different than any other user account. Place the user in its own group, since you also don't want that user to have the same rights as root but more than simple read access in some cases. – Ramhound – 2012-09-14T11:08:15.823

Answers

3

Assuming that, as under Debian, Apache runs as user www-data and group www-data, the solution is:

chown www-data:www-data www/magento1/app/etc/local.xml
chmod 440 www/magento1/app/etc/local.xml

The root user can always read and write all files.

Stefan Seidel

Posted 2012-09-14T02:44:36.493

Reputation: 8 812

What about the case where two users need to host stuff and you don't want them to see each other's passwords? – jozxyqk – 2015-05-14T13:37:45.940

@jozxyqk For the case where "two users need to host stuff and you don't want them to see each others'" stuff, I've come up with a more complex solution. I keep all users' files owner/group as the username, and do not give ANY permissions to "others", and only read/execute to group. E.g. 750 for folders, 640 for files. That prevents users from seeing each others' files. Then I add the apache user (www-data, or apache, or whatever) to each user's group, so that apache can only have read access. You can give group write permissions where apache needs them (e.g. in Magento's var folder). – Buttle Butkus – 2015-05-26T19:42:51.970

@ButtleButkus aah, that makes sense. Although if apache runs a user's script, that script will then be able to see others' files. Is there any way to prevent this? I asked this here and was pointed to "directory blocks" but couldn't figure out how to use them to prevent inter-user access. This also shifts security to apache and away from the OS. – jozxyqk – 2015-05-27T06:38:18.613

@jozxyqk good point about apache being able to see others' files. But if you are using PHP, and use suPHP (or something like it), then "Apache will execute PHP scripts with the permissions of their owners", which means those PHP scripts will not be able to see/modify other users' files. By the way, if you are in a cPanel environment then I think your host would take care of the problem anyway (can you see/modify other users' files?) with some system-wide settings. – Buttle Butkus – 2015-05-27T07:38:05.077

1@ButtleButkus thanks! that sounds like a proper solution. Yes, I've come across servers in which I can write php scripts that are run as the apache user and have access. This made me interested in how it should actually be set up. I just found suEXEC too. – jozxyqk – 2015-05-27T08:26:44.630

That's basically the solution I've ended up using. – Buttle Butkus – 2012-09-18T06:32:12.320
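An audit check for the scheme in the answer above (the file is owned by the web server account, mode 440 or 400, nothing for others), as an added example that is not part of the original thread. `check_secret` and `demo` are hypothetical names, the scratch file is constructed, and GNU `stat` (as on Debian) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Requires GNU stat, as on Debian.

# check_secret FILE WEB_USER [WEB_GROUP]
# Prints one line per finding; returns 0 when the file is locked down.
check_secret() {
    file=$1; web_user=$2; web_group=${3:-}
    [ -f "$file" ] || { echo "$file: not a regular file"; return 1; }
    owner=$(stat -c '%U' "$file")
    group=$(stat -c '%G' "$file")
    perm=$(stat -c '%a' "$file")    # octal string such as 440
    mode=$((0$perm))                # leading 0 makes the shell read it as octal
    bad=0
    # The web server account must own the file.
    if [ "$owner" != "$web_user" ]; then
        echo "$file: owner is $owner, expected $web_user"; bad=1
    fi
    # "Others" get nothing: 604, the question's rejected attempt, fails here.
    if [ $((mode & 0007)) -ne 0 ]; then
        echo "$file: mode $perm gives access to others"; bad=1
    fi
    # Credentials must not be writable (or executable) through the group.
    if [ $((mode & 0030)) -ne 0 ]; then
        echo "$file: mode $perm gives the group write/execute"; bad=1
    fi
    # Group read (440) is fine only when the group is the server's own.
    if [ $((mode & 0040)) -ne 0 ] && [ "$group" != "$web_group" ]; then
        echo "$file: group $group can read it"; bad=1
    fi
    return $bad
}

# Constructed demo: a scratch file owned by whoever runs this stands in for
# local.xml owned by www-data, so no root is needed.
demo() {
    dir=$(mktemp -d) && f="$dir/local.xml" && echo '<config/>' > "$f"
    me=$(stat -c '%U' "$f"); grp=$(stat -c '%G' "$f")
    first=0;  chmod 604 "$f"; check_secret "$f" "$me" "$grp" || first=$?
    second=0; chmod 440 "$f"; check_secret "$f" "$me" "$grp" || second=$?
    rm -rf "$dir"
    [ "$first" -eq 1 ] && [ "$second" -eq 0 ]
}
demo
```

On a real host the call would be `check_secret www/magento1/app/etc/local.xml www-data www-data`, with the user and group your Apache actually runs as.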

0

Assuming devs=developers...

What's not explained is in which way devs are accessing the system - ssh? ftp?

If it is only ftp access, you could possibly exclude the config file from serving/showing via ftp.

Alternatively, you could possibly run apache under a certain username (usually it is set up to work as nobody, sometimes as the user holding the account). If you allow "others"/"world" to read it, everyone can read it. So you go the other way - make it readable only to the user, set user ownership to the apache user, and completely close group and others' access. In this way apache is happy reading it while no other user can (save root). You'd need, though, to mimic yourself to that user if you want to make an intervention on a file. E.g. su - username

ljgww

Posted 2012-09-14T02:44:36.493

Reputation: 259

If apache is running as "root" (which is, btw, considered bad practice for apache config), then the database config file shall be owned by root and only readable to the root user (go-rwx or 400). Theoretically, if apache is running as root, you could also set 000, because root shall be able to read it anyway. – ljgww – 2012-09-14T04:41:38.920

No, apache is not running as root. It's running as apache:apache (user:group) – Buttle Butkus – 2012-09-18T06:30:30.963

Then make the file readable by apache:apache only: chown apache:apache local.xml and then chmod 400 local.xml to be readable by apache only. Ahh, I see someone already has said that. :) – ljgww – 2012-09-18T20:07:09.520