chmod 700 permission question

[coffeeboyuk]

Hi,

I just realized that when I set a file permission to chmod 700 everyone can still download and read the file. I would have thought 700 means only the owner have read, write, and execute permission, and group and other is anybody. Is there a setting on cpanel or WHM I need to configure for this to work?

Note: When I set the chmod permission to 70 then nobody can download the file. This is pretty much what I'm trying to achieve but then again, it doesn't allow me (the owner) to read or write the file.

Please advise.

Regards,

L

 

[GOT]

You don't say what kind of file this is, however, php in most people's cases runs as the user, so even at 700, the user has full access to the file and therefor the php process can read it, because it runs as the user.

 

[coffeeboyuk]

You don't say what kind of file this is, however, php in most people's cases runs as the user, so even at 700, the user has full access to the file and therefor the php process can read it, because it runs as the user.

Ahh... sorry. Just a simple text file .txt extension. How do I seperate user from owner? There are some files I want to protect from public access, so I like the ability to turn access on and off when needed for convenience.

 

[GOT]

Well, the same principle applies for apache processes as well. You cal validate this by chowning it to a user other than the account user (like root) for example) and setting it to 700. Then it will throw an error because the apache processes running as the user cannot read the 700 file owned by root.

 

[coffeeboyuk]

Well, the same principle applies for apache processes as well. You cal validate this by chowning it to a user other than the account user (like root) for example) and setting it to 700. Then it will throw an error because the apache processes running as the user cannot read the 700 file owned by root.

I have tried. Chown doesn't work. I get the following error:

chown: changing ownership of ‘xtest.txt’: Operation not permitted

 

[coffeeboyuk]

Hi,

I think I know a solution which is to get apache to execute files based on group or other permission settings instead of owner. Is it possible to configure apache this way, and if yes how? This will solve the problem when I change file permission to owner since apache will no longer serve the file. I use to had this working under cpanel but it doesn't work anymore for some impractical reason.

 

[sparek-3]

If somebody other than the file owner is able to read, write, or execute a file with 700 permissions, then you have an issue that needs to be addressed.

 

[coffeeboyuk]

If somebody other than the file owner is able to read, write, or execute a file with 700 permissions, then you have an issue that needs to be addressed.

Well, this is the default settings on CPANEL. Shouldn't CPANEL by now have preconfigured all this to work properly under the correct file groups?

Can someone provide some help?

 

[sparek-3]

What specifically are you doing to duplicate this?

Who owns the file?

Who owns the process that is allegedly accessing the file that shouldn't be accessing the file?

 

[coffeeboyuk]

What specifically are you doing to duplicate this?

Who owns the file?

Who owns the process that is allegedly accessing the file that shouldn't be accessing the file?

Well, I chmod 700 the file I can still browse to the file at:

public_html/test1.txt

I check the permission via SSH and the permission is as follows:

-rwx------. 1 myusername myusername 5 Mar 3 02:49 test1.txt

There something awfully wrong here. Apache is reading the file.

 

[GOT]

Apache runs as myusernamewhen reading the files which is why it can still read it. This is normal and expected and desirable.

 

[coffeeboyuk]

Apache runs as myusernamewhen reading the files which is why it can still read it. This is normal and expected and desirable.

It's not that desirable. It means my chmod permissions are made redundant. I can no longer protect my files should should I choose too. Are there complications in changing/correcting it?

Also, I might want to protect certain files but permit script access. With this setup I can't actually do this without exposing sensitive files.

 

[sparek-3]

Apache is reading the file.

What specifically is reading the file?

If you go to http://domainnamethatreferstomyusernamepublichtmldirectory.tld/test1.txt are you saying it shows the contents of the test1.txt file?

Are you running Apache with mod_ruid2?

 

[coffeeboyuk]

Hi,

I got a response from CPANEL today. Apparently mod_ruid2 is running as user. I have been advise to uninstall it.

Yes. http://domainnamethatreferstomyusernamepublichtmldirectory.tld/test1.txt allows apache to read it regardless of chmod permission 700.

I just read up that mod_ruid2 has better security and better speed. In terms of security it's not that secure because it disables my permissions. Why can't they make mod_ruid2 to keep the chmod permissions? I will never know.

 

[sparek-3]

It is keeping the permissions.

It's working exactly like it's suppose to. You just need to understand how it works.

mod_ruid2 will run each VirtualHost as that user.

So if the VirtualHost for domainnamethatreferstomyusernamepublichtmldirectory.tld is owned by myusername - then any web access hit to domainnamethatreferstomyusernamepublichtmldirectory.tld is going to run on the server as myusername.

This means any web access hit to domainnamethatreferstomyusernamepublichtmldirectory.tld will have read/write/execute privileges to ANY file that is owned by myusername and has permissions of 700.

This is the way it works.

 

[coffeeboyuk]

It is keeping the permissions.

It's working exactly like it's suppose to. You just need to understand how it works.

mod_ruid2 will run each VirtualHost as that user.

So if the VirtualHost for domainnamethatreferstomyusernamepublichtmldirectory.tld is owned by myusername - then any web access hit to domainnamethatreferstomyusernamepublichtmldirectory.tld is going to run on the server as myusername.

This means any web access hit to domainnamethatreferstomyusernamepublichtmldirectory.tld will have read/write/execute privileges to ANY file that is owned by myusername and has permissions of 700.

This is the way it works.

I understand that part. But it means I can't manage the permission so only I can access the file. Whatever I can access everyone can access. It makes chmod redundant. I think this setup is design for novinces.

 

[GOT]

Well, for most people this makes sense. A web site is genberall world-available.

If you have files that you want only YOU to be able to see, put them in a separate folder and use the Direcotyry Privacy option in cPanel to put a user and password in place.

When you are browsing the web page, the server doesn't know its YOU versus anyone else.

 

[coffeeboyuk]

Well, for most people this makes sense. A web site is genberall world-available.

If you have files that you want only YOU to be able to see, put them in a separate folder and use the Direcotyry Privacy option in cPanel to put a user and password in place.

When you are browsing the web page, the server doesn't know its YOU versus anyone else.

Does that generate the .htaccess file?

What if I have a script that requires access to the file? Will the script be able to access the file without username and password since it resides on the server?

 

[GOT]

Yes it would use the htaccess to do that. Scripts that use methods like includes would not be impacted. As long as it doesn't have http in front of it. Htaccess onlymipacts files re release d through Apache. Not file system calls

 

[coffeeboyuk]

Yes it would use the htaccess to do that. Scripts that use methods like includes would not be impacted. As long as it doesn't have http in front of it. Htaccess onlymipacts files re release d through Apache. Not file system calls

Thanks for this. I will make a note of this in future.

I've made my decision, and I've come to realize it's better to uninstall mod_ruid2. It's so easy. If I want to enable it I can always re-install it. Considering my needs, my server doesn't make good use of apache so there's no point having mod_ruid2. I might change my mind in the future dependent on needs. Feeling relieved at last that my files are now access denied, and only I, and I alone can access my files basd on my permission group.