I have several folders with Magento installations.
e.g. www/magento1 and www/magento2
All of the files/folders inside of those are owned by root:magento1 and root:magento2 respectively.
I have 3755 perms for all folders, 644 for all directories to start with. That prevents anyone but root from writing to any folder or file.
Then I add in group write permissions for folders/files devs should be able to write to. E.g. they cannot write to core files, but they can write to module/skins that are non core.
That's all fine. The only thing that's not fine is that I don't want them to be able to read the mysql database username/password from magento1/app/etc/local.xml. I don't want them to have access to the database, where sensitive information is stored. I also don't want a rogue programmer to delete a bunch of tables or what have you.
But apache needs to have read access to that same file.
Here's a "solution" that doesn't work: Remove read permissions from group but leave them for others. Why? Because that prevents devs from reading from their app/etc/local.xml, but allows them to read all the others.
What do I do?
EDIT: Yes, devs = developers and they will have SSH and FTP access.
It's really simple. If a file is marked as readable by a user, then they can view the contents of the file; the answer is to make the user that runs apache different than any other user account. Place the user in its own group, since you also don't want that user to have the same rights as root but more than simple read access in some cases. – Ramhound – 2012-09-14T11:08:15.823
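As an added illustration (not code from the question or the comment), the following models the POSIX read check and runs it over the two layouts: the "remove group read, keep other read" attempt from the question, and the comment's suggestion of a root-owned file whose group is the web server's private group. The account names (dev1, dev2, www-data) and the mode bits are constructed assumptions.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class FileInfo:
    path: str
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o640

def can_read(f: FileInfo, user: str, groups: frozenset[str]) -> bool:
    """POSIX read check: the first matching class (owner, then group, then
    other) decides on its own; root bypasses discretionary access control."""
    if user == "root":
        return True
    if user == f.owner:
        return bool(f.mode & stat.S_IRUSR)
    if f.group in groups:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)

# Constructed accounts: each dev is only in the group of their own site;
# the web server runs as its own user in its own private group (name assumed).
USERS = {
    "dev1": frozenset({"magento1"}),
    "dev2": frozenset({"magento2"}),
    "www-data": frozenset({"www-data"}),
}

# The "solution that doesn't work": group read removed, other read kept.
BROKEN = [
    FileInfo("www/magento1/app/etc/local.xml", "root", "magento1", 0o604),
    FileInfo("www/magento2/app/etc/local.xml", "root", "magento2", 0o604),
]

# What the comment points at: root-owned, group = the web server's private
# group, no 'other' bits, so membership in magento1/magento2 no longer matters.
FIXED = [
    FileInfo("www/magento1/app/etc/local.xml", "root", "www-data", 0o640),
    FileInfo("www/magento2/app/etc/local.xml", "root", "www-data", 0o640),
]

def readers(files: list[FileInfo]) -> dict[str, list[str]]:
    """Map each path to the non-root users that can read it."""
    return {f.path: sorted(u for u, g in USERS.items() if can_read(f, u, g))
            for f in files}

if __name__ == "__main__":
    for label, layout in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, readers(layout))
```

This only governs direct reads over SSH/FTP: anything the web server executes still runs as www-data and can read the file, so the developers' writable module directories remain a path to the same secret unless PHP for each site runs under a separate user as well.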