I have some inherited PHP code that I'm attempting to secure. However, removing execute permissions from the file upload directory throws a permissions error. Here's a quick rundown:
apache points to /root/www/ (only user on the system is root)
image uploads are saved to /files via symlink at /root/www/admin/files (I have no idea why files are saved to /)
Permissions:
drwxrwxrwx 8 root root 4096 2011-04-06 16:51 root (root home directory)
drwxr-xr-x 8 www-data www-data 4096 2011-04-01 19:34 www (folder in /root/)
lrwxrwxrwx 1 root root 21 2011-03-04 20:32 files -> /files/ (symlink)
drw------- 4 www-data www-data 61440 2011-04-06 16:12 files (folder in root directory)
-rwxrwx--- 1 www-data www-data 81 2011-04-06 15:56 .htaccess (file in /files/)
Apache Error log excerpt:
[Wed Apr 06 16:58:24 2011] [crit] [client 1.2.3.4] (13)Permission denied:
/root/www/admin/files/.htaccess pcfg_openfile: unable to check htaccess file,
ensure it is readable, referer: http://example.com
I want to change permissions on /files/ from 700 to 600. I can't figure out why .htaccess is only readable when execute permissions are set.
Best Answer
I suspect your confusion here is stemming from a common misunderstanding of Unix-like file permissions, specifically: On a directory, "execute" does not mean "execute".
I suspect you are trying to ensure that files uploaded to the upload directory cannot be executed, correct? That's good common sense to do. However, your approach is flawed: On a directory, the "execute" bit doesn't mean "allow files in here to be executed", but rather "allow users to traverse this directory". In other words, removing the execute bit on a directory for a user/group/world removes the ability of the relevant users to reach any file or directory within it -- exactly what Apache is now complaining it can't do.
You need the upload directory to remain "executable". What you instead need in there is a umask to ensure that uploaded files are not executable. (Actually, even that isn't necessary, as files by default are not executable on *nix.)
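The following script is an added example and is not part of the question or the answer above. It builds a throwaway upload directory (a constructed stand-in for /files) and shows the three points the answer makes: removing the execute bit from a directory blocks traversal of it, files created under an ordinary umask carry no execute bit to begin with, and an upload tree can be audited for stray executables and reset to a readable-but-not-executable baseline. The function names and the 755/644 baseline are this example's own choices, not anything the original poster's setup used.

```shell
#!/bin/sh
# Added example, not from the original page. Everything happens inside a
# fresh temporary directory, so it is safe to run as any user.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create an "upload directory" (constructed stand-in for /files) holding one
# uploaded file written under umask 022. The file comes out 644: readable,
# with no execute bit for user, group or other.
make_upload_dir() {
  dir=$(mktemp -d) || return 1
  ( umask 022; printf 'fake image bytes\n' > "$dir/photo.jpg" )
  printf '%s\n' "$dir"
}

# List regular files that have any execute bit set. An upload tree should
# print nothing here; anything listed deserves a look.
find_executables() {
  find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \)
}

# Return 0 when a file inside a directory whose execute bits were removed
# can no longer be opened, 1 when it still can. This is what the question's
# chmod 600 on /files did to Apache. Note that root bypasses directory
# permission checks entirely, so run this as the web server user or any
# unprivileged account to see the denial.
traversal_blocked() {
  dir=$1
  chmod 600 "$dir"            # rw for the owner, no traversal
  if cat "$dir/photo.jpg" >/dev/null 2>&1; then
    chmod 700 "$dir"; return 1
  fi
  chmod 700 "$dir"; return 0
}

# A sane baseline for an upload tree: directories traversable (755),
# files readable but not executable (644), nothing left with +x.
harden_upload_dir() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Walk through the scenario once when run directly.
d=$(make_upload_dir)
echo "directory mode: $(mode_of "$d")  uploaded file mode: $(mode_of "$d/photo.jpg")"
if traversal_blocked "$d"; then
  echo "chmod 600 on the directory: file unreadable (Permission denied)"
else
  echo "chmod 600 on the directory: file still readable (running as root?)"
fi
harden_upload_dir "$d"
echo "executables left after hardening: $(find_executables "$d" | wc -l)"
rm -rf "$d"
```

Run it as www-data (or any non-root user) to reproduce the "(13)Permission denied" the error log shows; as root the traversal check passes because root is not subject to directory permission bits. The `find_executables` check is the one worth keeping around: run it over the real upload tree after any change to confirm nothing uploaded has picked up an execute bit.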