1

I've seen a lot of questions on here regarding files not being accessible due to permissions with LAMP but nothing about making files unviewable by the http client using permissions.

I have files and folders in my Apache2 root folder that I don't want people to be able to access via their browser or by other external means. I set the permissions to 770, but this doesn't seem to be enough. Do outside users access files as the apache user? I'm running LAMP under Ubuntu Server with few modifications to the defaults, thus my apache user is www-data, group is :www-data, and the apache root is /var/www.

I have a /var/www/_private folder that has 770 permissions and the same permissions on its enclosed files. However, if I access these files through a browser, they are still viewable. Are clients accessing my files as the www-data user? If so, how do I rectify this?

I've worked on hosted setups where setting the "other" permissions to 0 was sufficient for denying outside direct access to files. Do I need to install some extra module to gain this functionality?

Note: I still need my accessible-to-the-client PHP scripts to access these files via includes, fopen, etc...

user2376132

1 Answer

1

Well, right, 770 means that the owner of the file and the group can read, write and execute it. I'm going to guess that Apache is the owner of that file, thus allowing it to access it and open it to the world.

Instead of modifying the permissions on the server, and possibly causing harm to the accessibility of the file, why don't you use an .htaccess file? It will instruct Apache to take actions in certain instances, like denying access to a file. Simply create the .htaccess file in the root of the website with:

```
<Files {your file name here}>
deny from all
</Files>
```

and you'll deny everyone from accessing it with Apache.

And if you want to deny an entire directory:

```
<Directory /var/www/_private>
   Order Deny,allow
   Deny from all
</Directory>
```

Steven V
  • Just tried the Directory portion, restarted apache service, and can still access files within _private from my browser. I'm a bit new to .htaccess files. Do I need to put anything else in the file? Also, what permissions should the .htaccess file have? I set the owner to www-data. I assume apache should not have write access to the file, so that outside users cannot overwrite it? – user2376132 May 13 '13 at 02:33
  • 1
    The permissions on the server are for other users of the server, not through Apache. You probably don't have a need to modify them too much. There could be other factors preventing the htaccess from not functioning correctly, take a look at http://stackoverflow.com/questions/12202387/htaccess-not-working-apache which has some pointers on where to look. – Steven V May 13 '13 at 02:35
  • OK, I got it working. I added the line to my apache2.conf rather than using .htaccess. My AllowOverride must be off, which is probably for the better seeing as I'm the sole user of the server and have access to the apache2.conf. This will take some getting used to though. When I used a hosted cPanel service, apache basically emulated the linux permissions on the server, treating http clients as "others", but running server-side operations (i.e. PHP) as the apache user. – user2376132 May 13 '13 at 02:46
  • Yep, the `apache2.conf` is another location it would in, and since you're the only user could work in the long term. And, the best way to show appreciation on Stack Overflow is to upvote and/or accept the answer! – Steven V May 13 '13 at 02:53
  • I accepted, apparently my reputation isn't high enough to upvote :( But thank you much for your help. – user2376132 May 13 '13 at 02:56
  • Actually, I should offer extra thanks. Until now I've been lurking stackoverflow via google for answers on things, and I recognize your name from previous solutions I've come across. You, sir, are very prolific. So thank you thank you thank you. – user2376132 May 13 '13 at 03:10
  • Wow! Steven, that resolves the issue. I also used it with a regular expression to disallow access to a particular file type/extension. One upvote from me. Thanks @StevenV – Anidhya Bhatnagar Jan 01 '19 at 08:28
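
The fix this thread arrives at, written out as an added example (not code from the question, the answer or the comments): the deny rule placed in `apache2.conf`, where `<Directory>` is valid, in both the 2.2 syntax used in the answer and the 2.4 `Require` syntax. The `FilesMatch` extension list is a constructed assumption standing in for the "particular file type" rule mentioned in the last comment.

```apache
# Added example for apache2.conf or a virtual host file.
# <Directory> is valid only in server/vhost context, not in .htaccess.

# Apache 2.4 and later (mod_authz_core)
<IfModule mod_authz_core.c>
    <Directory /var/www/_private>
        Require all denied
    </Directory>
    # Constructed extension list (assumption): block these types site-wide
    <FilesMatch "\.(inc|ini|log|bak)$">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2 (mod_authz_host), the syntax used in the answer
<IfModule !mod_authz_core.c>
    <Directory /var/www/_private>
        Order deny,allow
        Deny from all
    </Directory>
    <FilesMatch "\.(inc|ini|log|bak)$">
        Order deny,allow
        Deny from all
    </FilesMatch>
</IfModule>

# .htaccess alternative: put only the inner directive(s) in
# /var/www/_private/.htaccess. That needs AllowOverride AuthConfig
# (for Require) or AllowOverride Limit (for Order/Deny) on /var/www.
```

Check the syntax with `apache2ctl configtest` and reload; a browser request under `/_private/` should then return 403. PHP `include` and `fopen` keep working because they read the filesystem as www-data and never pass through these access rules.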