
I'm wondering why it is still possible to see my tar file when it is owned by root and chmoded to 600.

I have apache, and my server is ubuntu 12.04.

Any explanation of this behavior?

The parent folder is owned by www-data.

Thanks!

3 Answers


You should check the user which is running the apache daemon; maybe it is being run as root.

Qri
  • it would be good if you'd explain how to do this – Baarn Jul 10 '12 at 21:31
  • @WalterMaier-Murdnelch I did it like this: ps aux | grep apache –  Jul 10 '12 at 21:32
  • @Qri I have 1 instance of apache2 as root and 3 instances of it as www-data - I'm in unknown territory now :) –  Jul 10 '12 at 21:33
  • @SandroDzneladze This is normal (the root and www-data users) and if the file is actually owned by root and permissions 600, I would try checking in another browser application and see if it's not cache related. – Qri Jul 10 '12 at 21:43
  • @Qri I made sure, did sudo chown root:root countdown.tgz and sudo chmod 600 countdown.tgz and used safari to check it... still displays file in browser. –  Jul 10 '12 at 21:48

To troubleshoot, try creating a new file that Apache shouldn't allow to be downloaded.

touch test.tgz
sudo chown root:root test.tgz
sudo chmod 600 test.tgz

If you cannot download the test file, it's just some sort of caching. The file could get cached on your client machine, on the server or on any other computer in-between.

If you cannot access the same file with a cache breaker (e.g., example.com/countdown.tgz?test), nobody else should be able to download it.

Dennis

I'm not at all familiar with the way Apache internally displays the file listing, but I know how it works at the file system level.

If you were the user www-data and you cd'd to the directory where you changed the permissions and did a file listing using ls, you would still see the tar file even though it is 600 and owned by root.

The read permission only tells that you can read the content of the file. The file system keeps the list of files in a directory inside the directory "file". If you have read permission on the directory, you can list all the files in this directory; it does not mean you can read each file.

If you want a file to be hidden, you either name it dot-something like .myfile.tar (but Apache might be displaying hidden files too) or you move it elsewhere.

What you can also do is create a sub directory owned by root, with its group set to the same group as www-data, with the rights 730. 3 means writable and executable; on a directory it means you can modify its structure (create or rename a file) because you can write inside the directory "file", and you can access its sub-elements (that's what the x stands for on a directory). So even the www-data user could move your tar file to this subdirectory, but Apache could not list its content. And www-data could even continue editing the file as long as it remembers its name!

Huygens
  • Yes, this is exactly the problem. Apache shows the file, but doesn't let me download it. I figured it out late last night :) but thanks, your answer is the correct one. –  Jul 11 '12 at 07:28
  • Glad you found your own answer :) – Huygens Jul 11 '12 at 11:28
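The following is an added example, not code from any of the answers above, that puts Dennis's test file (touch / chown / chmod 600) and Huygens's explanation side by side: a 600 file in a 755 directory still appears in a listing because listing only needs r+x on the directory, and a 730 sub directory hides the name from anyone who is not its owner. All paths are constructed in a temporary directory; the file name countdown.tgz is taken from the question, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Demonstrates why a
# root-owned, mode 600 file is still visible in a directory listing:
# listing is governed by the directory's r bit, reading by the file's.
# Everything happens in a throw-away mktemp directory.
set -u

# Build a scratch "document root" containing a locked-down archive.
# Prints the scratch directory path so callers can inspect it.
setup_docroot() {
    dir=$(mktemp -d)
    printf 'secret archive contents\n' > "$dir/countdown.tgz"
    chmod 600 "$dir/countdown.tgz"   # only the owner may read the contents
    chmod 755 "$dir"                 # everyone may list and traverse the directory
    echo "$dir"
}

# Is the name present in an `ls` of the directory? Expected: yes, even for
# a 600 file, because `ls` reads the directory entry, not the file.
# $1 = directory, $2 = file name
is_listed() {
    ls "$1" | grep -qx "$2"
}

# Can the current user read the file's contents? Returns 0 (yes) or 1 (no).
# For a user that is neither root nor the owner, this fails on a 600 file,
# which is the "visible in listing but not downloadable" behaviour.
can_read() {
    cat "$1" >/dev/null 2>&1
}

# Huygens's suggestion: a 730 sub directory. The group keeps w+x (may create,
# rename and traverse) but has no r bit, so it cannot list the names inside.
# Moves the archive into it and prints the resulting directory mode.
# $1 = scratch document root
make_hidden_subdir() {
    mkdir "$1/private"
    chmod 730 "$1/private"
    mv "$1/countdown.tgz" "$1/private/countdown.tgz"
    stat -c '%a' "$1/private"        # GNU stat (Ubuntu); prints 730
}

demo() {
    root=$(setup_docroot)
    if is_listed "$root" countdown.tgz; then
        echo "countdown.tgz shows up in the listing of $root (mode 600 does not hide it)"
    fi
    if can_read "$root/countdown.tgz"; then
        echo "you can read it: you are the owner or root"
    else
        echo "listed but not readable: this is what the Apache index showed"
    fi
    echo "private sub directory mode: $(make_hidden_subdir "$root")"
    rm -rf "$root"
}
demo
```

Run it as the owner and the file is both listed and readable; the listing result is the point, since it is what Apache's index reports regardless of who owns the file. To reproduce the unreadable case, run `can_read` on the file from a different non-root account (for example with `sudo -u www-data`), where the 600 mode denies the read while `is_listed` still succeeds.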