Tuesday 29 October 2019

permissions - How to allow apache access to a file but prevent others from viewing it?


I have several folders with Magento installations.


e.g.

    www/magento1
    www/magento2


All of the files/folders inside of those are owned by root:magento1 and root:magento2 respectively.


I have 3755 perms for all folders, 644 for all directories to start with. That prevents anyone but root from writing to any folder or file.


Then I add in group write permissions for folders/files devs should be able to write to. E.g. they cannot write to core files, but they can write to module/skins that are non core.


That's all fine. The only thing that's not fine is that I don't want them to be able to read the mysql database username/password from magento1/app/etc/local.xml. I don't want them to have access to the database, where sensitive information is stored. I also don't want a rogue programmer to delete a bunch of tables or what have you.


But apache needs to have read access to that same file.


Here's a "solution" that doesn't work: Remove read permissions from group but leave them for others. Why? Because that prevents devs from reading from their app/etc/local.xml, but allows them to read all the others.


What do I do?




EDIT: Yes, devs = developers and they will have SSH and FTP access.

Answer



Assuming that, like under Debian, the apache runs as user www-data and group www-data, the solution is


chown www-data:www-data www/magento1/app/etc/local.xml
chmod 440 www/magento1/app/etc/local.xml

The root user can always read and write all files.
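The permission arithmetic behind the answer, as an added example that is not part of the original post and not Magento or Apache code: a small Python model of the classic Unix read check, run over the three layouts the thread discusses (the 644 starting point, the rejected "drop group read, keep other read" idea, and the answer's www-data:www-data with 440). The accounts alice (group magento1), bob (group magento2), www-data and root are constructed for the scenario; `file_info_from_path` is a hypothetical helper that feeds a real file into the same check.

```python
import os
import stat
from dataclasses import dataclass

M1 = "www/magento1/app/etc/local.xml"
M2 = "www/magento2/app/etc/local.xml"


@dataclass(frozen=True)
class FileInfo:
    path: str
    owner: str   # owning user name
    group: str   # owning group name
    mode: int    # permission bits only, e.g. 0o440


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset  # every group the user belongs to


def can_read(user: User, f: FileInfo) -> bool:
    """Classic Unix DAC read check (no ACLs, no directory traversal).

    Exactly one class applies: owner if the names match, otherwise group if
    the user is in the file's group, otherwise other. The classes are never
    combined, which is why clearing group read while keeping other read
    locks a dev out of their own local.xml but not out of everybody else's.
    """
    if user.name == "root":
        return True                      # root bypasses the read check
    if user.name == f.owner:
        cls = (f.mode >> 6) & 0o7
    elif f.group in user.groups:
        cls = (f.mode >> 3) & 0o7
    else:
        cls = f.mode & 0o7
    return bool(cls & 0o4)


def access_matrix(files, users):
    """{path: {user name: can read?}} for every file/user pair."""
    return {f.path: {u.name: can_read(u, f) for u in users} for f in files}


def readers(files, users):
    """Set of (path, user name) pairs that can read; convenient for checks."""
    return {(p, u) for p, row in access_matrix(files, users).items()
            for u, ok in row.items() if ok}


# Constructed accounts: apache as www-data (Debian default), one dev per
# Magento tree, plus root.
ROOT = User("root", frozenset({"root"}))
WWW = User("www-data", frozenset({"www-data"}))
ALICE = User("alice", frozenset({"magento1"}))
BOB = User("bob", frozenset({"magento2"}))
EVERYONE = [ROOT, WWW, ALICE, BOB]


def layout_starting_point():
    """root:magentoN with 644: world-readable, so every dev reads every file."""
    return [FileInfo(M1, "root", "magento1", 0o644),
            FileInfo(M2, "root", "magento2", 0o644)]


def layout_drop_group_read():
    """The rejected idea from the question: clear group read, keep other read (604)."""
    return [FileInfo(M1, "root", "magento1", 0o604),
            FileInfo(M2, "root", "magento2", 0o604)]


def layout_answer():
    """The answer: chown www-data:www-data, chmod 440."""
    return [FileInfo(M1, "www-data", "www-data", 0o440),
            FileInfo(M2, "www-data", "www-data", 0o440)]


def file_info_from_path(path: str) -> FileInfo:
    """Hypothetical helper: build a FileInfo from a real file to audit a live tree."""
    import grp
    import pwd
    st = os.stat(path)
    return FileInfo(path, pwd.getpwuid(st.st_uid).pw_name,
                    grp.getgrgid(st.st_gid).gr_name, stat.S_IMODE(st.st_mode))


if __name__ == "__main__":
    for name, files in [("644 start", layout_starting_point()),
                        ("604 (drop group read)", layout_drop_group_read()),
                        ("www-data 440 (answer)", layout_answer())]:
        print(name)
        for path, row in access_matrix(files, EVERYONE).items():
            print("  ", path, {u: "r" if ok else "-" for u, ok in row.items()})
```

The model deliberately ignores POSIX ACLs and the execute bit on the parent directories, both of which also gate access on a real system. Two things to check before relying on the 440 layout: the account apache actually runs as (www-data on Debian and Ubuntu, apache on Red Hat-based systems; `ps -o user= -C apache2` or `-C httpd` shows it), and the fact that any PHP the devs can write into the module or skin directories still executes as www-data and can therefore read local.xml, so this chmod protects against browsing over SSH/FTP, not against code run by the web server.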

