chmod 700 permission question
Hi,
I just realized that when I set a file permission to chmod 700 everyone can still download and read the file. I would have thought 700 means only the owner has read, write, and execute permission, and group and other is anybody. Is there a setting on cPanel or WHM I need to configure for this to work?
Note: When I set the chmod permission to 70 then nobody can download the file. This is pretty much what I'm trying to achieve but then again, it doesn't allow me (the owner) to read or write the file.
Please advise.
Regards,
L
-
You don't say what kind of file this is, however, php in most people's cases runs as the user, so even at 700, the user has full access to the file and therefore the php process can read it, because it runs as the user. 0 -
Ahh... sorry. Just a simple text file .txt extension. How do I separate user from owner? There are some files I want to protect from public access, so I like the ability to turn access on and off when needed for convenience. 0 -
Well, the same principle applies for apache processes as well. You can validate this by chowning it to a user other than the account user (like root, for example) and setting it to 700. Then it will throw an error because the apache processes running as the user cannot read the 700 file owned by root. 0 -
I have tried. Chown doesn't work. I get the following error: chown: changing ownership of "xtest.txt": Operation not permitted 0 -
Hi, I think I know a solution which is to get apache to execute files based on group or other permission settings instead of owner. Is it possible to configure apache this way, and if yes how? This will solve the problem when I change file permission to owner since apache will no longer serve the file. I used to have this working under cPanel but it doesn't work anymore for some impractical reason. 0 -
If somebody other than the file owner is able to read, write, or execute a file with 700 permissions, then you have an issue that needs to be addressed. 0 -
Well, this is the default settings on CPANEL. Shouldn't CPANEL by now have preconfigured all this to work properly under the correct file groups? Can someone provide some help? 0 -
What specifically are you doing to duplicate this? Who owns the file? Who owns the process that is allegedly accessing the file that shouldn't be accessing the file? 0 -
Well, I chmod 700 the file; I can still browse to the file at: public_html/test1.txt. I check the permission via SSH and the permission is as follows: -rwx------. 1 myusername myusername 5 Mar 3 02:49 test1.txt There's something awfully wrong here. Apache is reading the file. 0 -
Apache runs as myusername when reading the files which is why it can still read it. This is normal and expected and desirable. 0 -
It's not that desirable. It means my chmod permissions are made redundant. I can no longer protect my files should I choose to. Are there complications in changing/correcting it? Also, I might want to protect certain files but permit script access. With this setup I can't actually do this without exposing sensitive files. 0 -
Apache is reading the file.
What specifically is reading the file? If you go to http://domainnamethatreferstomyusernamepublichtmldirectory.tld/test1.txt are you saying it shows the contents of the test1.txt file? Are you running Apache with mod_ruid2? 0 -
It is keeping the permissions. It's working exactly like it's supposed to. You just need to understand how it works. mod_ruid2 will run each VirtualHost as that user. So if the VirtualHost for domainnamethatreferstomyusernamepublichtmldirectory.tld is owned by myusername - then any web access hit to domainnamethatreferstomyusernamepublichtmldirectory.tld is going to run on the server as myusername. This means any web access hit to domainnamethatreferstomyusernamepublichtmldirectory.tld will have read/write/execute privileges to ANY file that is owned by myusername and has permissions of 700. This is the way it works. 0 -
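Added example, not part of any post in this thread: the owner/group/other check described above, applied to the ls -l line posted earlier plus two constructed lines (a root-owned 700 file and a mode 070 file). The identities "nobody" (assumed here as the Apache user when mod_ruid2 is not loaded) and "otheruser" are assumptions; ACLs, SELinux and directory permissions are ignored.

```python
# Added example: classic Unix owner/group/other check applied to `ls -l` lines.
# It ignores ACLs, SELinux and the execute bits needed on parent directories.

PAGE_LINE = "-rwx------. 1 myusername myusername 5 Mar 3 02:49 test1.txt"  # from the thread
ROOT_LINE = "-rwx------. 1 root root 5 Mar 3 02:49 test1.txt"              # constructed
MODE_070 = "----rwx---. 1 myusername myusername 5 Mar 3 02:49 test1.txt"   # constructed


def parse_ls_line(line):
    """Return (nine permission characters, owner, group) from one `ls -l` line."""
    fields = line.split()
    if len(fields) < 9 or len(fields[0]) < 10:
        raise ValueError("not an ls -l line: %r" % line)
    return fields[0][1:10], fields[2], fields[3]


def applicable_triplet(perms, owner, group, proc_user, proc_groups):
    """Pick the single rwx triplet the kernel consults for this process."""
    if proc_user == owner:
        return perms[0:3]      # owner class wins even if group/other grant more
    if group in proc_groups:
        return perms[3:6]
    return perms[6:9]


def can_read(line, proc_user, proc_groups):
    """True if a process with this user and group set may open the file for reading."""
    if proc_user == "root":
        return True            # root bypasses the mode bits for reads
    perms, owner, group = parse_ls_line(line)
    return applicable_triplet(perms, owner, group, proc_user, proc_groups)[0] == "r"


def report():
    # (label, user, groups); "nobody" and "otheruser" are assumed identities
    identities = [
        ("Apache with mod_ruid2", "myusername", {"myusername"}),
        ("Apache as nobody", "nobody", {"nobody"}),
        ("otheruser in group myusername", "otheruser", {"otheruser", "myusername"}),
    ]
    rows = []
    for line in (PAGE_LINE, ROOT_LINE, MODE_070):
        mode, owner = line.split()[0], line.split()[2]
        for label, user, groups in identities:
            rows.append((mode, owner, label, can_read(line, user, groups)))
    return rows


if __name__ == "__main__":
    for mode, owner, label, ok in report():
        print("%-12s owner=%-10s %-30s %s" % (mode, owner, label, "read" if ok else "denied"))
```

The mode 070 rows show why that setting locks out the owner as well: once the process user matches the file owner, only the owner triplet is consulted.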
I understand that part. But it means I can't manage the permission so only I can access the file. Whatever I can access everyone can access. It makes chmod redundant. I think this setup is designed for novices. 0 -
Well, for most people this makes sense. A web site is generally world-available. If you have files that you want only YOU to be able to see, put them in a separate folder and use the Directory Privacy option in cPanel to put a user and password in place. When you are browsing the web page, the server doesn't know it's YOU versus anyone else. 0 -
Does that generate the .htaccess file? What if I have a script that requires access to the file? Will the script be able to access the file without username and password since it resides on the server? 0 -
Yes it would use the htaccess to do that. Scripts that use methods like includes would not be impacted. As long as it doesn't have http in front of it. Htaccess only impacts files released through Apache. Not file system calls. 0 -
Thanks for this. I will make a note of this in future. I've made my decision, and I've come to realize it's better to uninstall mod_ruid2. It's so easy. If I want to enable it I can always re-install it. Considering my needs, my server doesn't make good use of apache so there's no point having mod_ruid2. I might change my mind in the future dependent on needs. Feeling relieved at last that my files are now access denied, and only I, and I alone can access my files based on my permission group. :-D 0 -
Hello @coffeeboyuk, It's generally recommended to keep files outside of the public_html directory (or whichever path is configured as the document root) if you don't want them accessible to the public. Can you share a little more information about the specific script you are using and how it interacts with said file(s)? Thank you. 0 -
Hi, I didn't realize they were protected that way. I will consider that in future. Generally, I write a few perl scripts that monitor a number of files and then automatically email me the results. The files are all kept in the cgi-bin (most of them). By the way, if I leave the files using the default permissions can anyone access the text files? I notice when I try to browse the files myself the cgi directory doesn't allow it. But then, I wonder if someone knew the filename of the file could they potentially write a script to read the file from the cgi bin directory? 0 -
Generally, I write a few perl scripts that monitor a number of files and then automatically email me the results. The files are all kept in the cgi-bin (most of them).
You could store the Perl scripts outside of the /home directory (e.g. /root/new-directory) and then execute the scripts via the command line or via cron jobs. There's no need to store them in an account's cgi-bin directory unless you need to execute the scripts via a web browser. Thank you. 0 -
It never occurred to me that area was protected. I used to think that area was unsafe because back in the days of univ I had a student looking in my personal space with the tilde. I never knew until the boffin told me people could see all my stuff including my coursework materials. He even told me about the permission stuff when we were on unix that everyone's personal unix space could be accessed. Amazing. I guess it's different on the cPanel server though since I own the whole server. Thanks. By the way, I just tried creating a directory under home/username/testdirectory and ran some of my php scripts. It works the same. I will start making use of this from now on. And yes, a lot of my scripts are executed via the command line. I think it rather pointless to use the public. Thanks. 0