I have a website based on a CMS, running on Apache 2.4/PHP7.4. The CMS has an admin interface and changes you make there are written to config files inside the web root (/var/www/html/...). As a crude security measure, I thought I'd prevent writing to these files by changing file permission and ownership.
Apache runs as the www-data user, and the normal permissions for the files are 644 www-data:www-data. If I chmod and chown the files to 444 otheruser:otheruser and click "save" inside the CMS, the file is still written and it is also changed back to 644 www-data:www-data.
The containing directory has 777 otheruser:otheruser (for some reason). otheruser is a member of the sudo group, if that somehow matters.
Is my approach doomed? What gives Apache/PHP the power to control these files regardless of ownership and permissions? Does it have to do with the fact that one of the many apache2 processes runs as root?
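
A check for the layout described above, added here as an example and not part of the original post: on POSIX systems, removing or creating a directory entry is governed by the containing directory's mode, so a 444 file inside a 777 directory can be unlinked and recreated by another user, and the new file belongs to whoever created it. The function names, the `config.php` file name and the sample uid are hypothetical, and only classic mode bits are modelled.

```python
import os
import stat
import tempfile


def class_bits(st, uid, gids):
    """rwx bits (0-7) of the permission class that applies to uid/gids."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def can_replace(path, uid, gids=frozenset()):
    """True if uid could remove `path` and create a new file under that name.

    Assumption: only classic mode bits are modelled (no ACLs, root,
    capabilities, immutable attribute or read-only mount).
    """
    parent = os.path.dirname(os.path.abspath(path))
    dst, fst = os.stat(parent), os.lstat(path)
    # Removing or creating a directory entry needs write + search on the
    # directory; the file's own mode and owner are not consulted.
    if class_bits(dst, uid, gids) & 3 != 3:
        return False
    # Sticky directory: only the file's or the directory's owner may unlink.
    if dst.st_mode & stat.S_ISVTX and uid not in (fst.st_uid, dst.st_uid):
        return False
    return True


def audit(path, uid, gids=frozenset()):
    """Summarise what `uid` can do to `path`, in place and via its directory."""
    fst = os.lstat(path)
    return {
        "file_mode": oct(stat.S_IMODE(fst.st_mode)),
        "writable_in_place": bool(class_bits(fst, uid, gids) & 2),
        "replaceable_via_directory": can_replace(path, uid, gids),
    }


if __name__ == "__main__":
    # Constructed layout mirroring the question: 444 file in a 777 directory.
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o777)
        cfg = os.path.join(d, "config.php")  # hypothetical file name
        open(cfg, "w").close()
        os.chmod(cfg, 0o444)
        print(audit(cfg, uid=os.stat(cfg).st_uid + 1))  # a different, hypothetical uid
```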