Linux – .htaccess and linux permissions

Tags: .htaccess, apache-2.2, linux, permissions

I have some inherited php code that I'm attempting to secure. However, removing execute permissions from the file upload directory throws a permissions error. Here's a quick rundown:

apache points to /root/www/ (only user on the system is root)

image uploads are saved to /files via symlink at /root/www/admin/files (I have no idea why files are saved to /)

Permissions:

drwxrwxrwx  8 root     root      4096 2011-04-06 16:51 root  (root home directory)
drwxr-xr-x  8 www-data www-data     4096 2011-04-01 19:34 www   (folder in /root/)
lrwxrwxrwx  1 root     root        21 2011-03-04 20:32 files -> /files/  (symlink)

drw-------  4 www-data www-data 61440 2011-04-06 16:12 files   (folder in root directory)
-rwxrwx---  1 www-data www-data      81 2011-04-06 15:56 .htaccess (file in /files/)

Apache Error log excerpt:

[Wed Apr 06 16:58:24 2011] [crit] [client 1.2.3.4] (13)Permission denied: 
/root/www/admin/files/.htaccess pcfg_openfile: unable to check htaccess file,
ensure it is readable, referer: http://example.com

I want to change permissions on /files/ from 700 to 600. I can't figure out why .htaccess is only readable when execute permissions are set.

Best Answer

I suspect your confusion here is stemming from a common misunderstanding of Unix-like file permissions, specifically: On a directory, "execute" does not mean "execute".

I suspect you are trying to ensure that files uploaded to the upload directory cannot be executed, correct? That's good common sense to do. However, your approach is flawed: On a directory, the "execute" bit doesn't mean "allow files in here to be executed", but rather "allow users to traverse this directory". In other words, removing the execute bit on a directory for a user/group/world removes the ability of the relevant users to reach any file or directory within it -- exactly what Apache is now complaining it can't do.

You need the upload directory to remain "executable". What you instead need in there is a umask to ensure that uploaded files are not executable. (Actually, even that isn't necessary, as files by default are not executable on *nix.)
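To make the traversal rule concrete, here is an added Python model (not code from the question or the answer) that walks the path from the error log the way the kernel's permission check does: every directory on the way must grant the search (x) bit, the symlink is followed, and only the final file needs the read bit. The directory tree is constructed from the listing above; /root/www/admin is an assumed intermediate directory the post does not show. `created_mode` illustrates the umask point: files created with the conventional 0666 request never get an x bit.

```python
import copy

READ, WRITE, EXEC = 4, 2, 1

# Constructed model of the listing in the question (path -> mode, owner, group).
# /root/www/admin is an assumed intermediate directory not shown in the post.
FS = {
    "/":                     (0o755, "root", "root"),
    "/root":                 (0o777, "root", "root"),
    "/root/www":             (0o755, "www-data", "www-data"),
    "/root/www/admin":       (0o755, "www-data", "www-data"),
    "/root/www/admin/files": ("symlink", "/files"),
    "/files":                (0o700, "www-data", "www-data"),
    "/files/.htaccess":      (0o770, "www-data", "www-data"),
}

def perm_bits(entry, user, groups):
    """rwx triple that applies to `user`: owner, group or other class."""
    mode, owner, group = entry
    if user == "root":            # CAP_DAC_OVERRIDE: root passes these checks
        return 7
    if user == owner:
        return (mode >> 6) & 7
    if group in groups:
        return (mode >> 3) & 7
    return mode & 7

def can_access(fs, path, user, groups=(), want=READ):
    """Walk `path` like the kernel does: each directory on the way must grant
    the x (search) bit to `user`; only the final component needs `want`.
    Returns (ok, detail); on failure `detail` names the component that blocked."""
    parts = [p for p in path.split("/") if p]
    cur = "/"
    while True:
        entry = fs[cur]
        if entry[0] == "symlink":          # follow the link and keep walking
            cur = entry[1]
            continue
        need = want if not parts else EXEC  # directories need search, not read
        have = perm_bits(entry, user, groups)
        if have & need != need:
            return False, f"{cur}: need {need:o}, have {have:o} for {user}"
        if not parts:
            return True, cur
        cur = cur.rstrip("/") + "/" + parts.pop(0)

def with_mode(fs, path, mode):
    """Copy of the model with one entry's mode changed (what chmod would do)."""
    new = copy.deepcopy(fs)
    new[path] = (mode,) + new[path][1:]
    return new

def created_mode(requested=0o666, umask=0o022):
    """Mode a new file really gets: creat()/open() clears the umask bits.
    With the conventional 0666 request no x bit can ever appear."""
    return requested & ~umask
```

With /files at 700 the walk reaches /files/.htaccess for www-data; at 600 it stops at /files because the search bit is gone, which is exactly the "(13)Permission denied" Apache logged.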