1

It seems that Apache needs at least read and execute permission to all the sub-directories of a path in order to serve the files in the directory.

Does anyone have a script or one-liner that could verify this?

I was thinking perhaps a bash script that will su - apache and then attempt to navigate to each directory in the path. I'm going to try some things out and I'll post if I come up with something that works.

Belmin Fernandez

4 Answers

6

For Debian:

sudo -u www-data test -r /path/to/file && echo ok
Luis Bruno
1

Consider:

#!/bin/bash
# testperms.sh

if [ -r "$1" ];   # quote the argument so paths containing spaces are tested as one name
   then echo "Can read file!";
else
   echo "Cannot read file!";
fi

Usage:

 shultzc@lithium:~$ ./testperms.sh /etc/ssl
 Can read file!
 shultzc@lithium:~$ ./testperms.sh /etc/ssl/private
 Cannot read file!

You should be able to adapt that code to your needs. In combination with sudo it can be used easily to test accessibility of files within directories with +x permissions only (such as many home directories), e.g.:

 shultzc@lithium:~$ sudo -u www-data ./testperms.sh /home/shultzc/testperms.sh
 Can read file!
 shultzc@lithium:~$ sudo -u www-data ./testperms.sh /home/shultzc
 Cannot read file!
0

This is what I got (it must be run as a user that can su - <test user>):

#!/bin/bash
# Usage: ./checkpath.sh <user> </absolute/path>
# Walks down the path one directory at a time and tries to cd into each
# prefix as <user>; stops at the first directory that user cannot enter.

IFS='/'   # make the for loop split $2 on slashes (the leading '/' yields an empty first field)
CWD='/'

for dir in $2; do

   # Set directory to test
   if [[ $CWD == '/' ]]
   then
      CWD="/$dir"
   else
      CWD="${CWD}/${dir}"
   fi

   # Test if user has access. "-s /bin/sh" is needed because service accounts
   # such as www-data usually have a nologin shell, which would make su fail
   # regardless of the directory permissions.
   if ! su -s /bin/sh -c "cd '$CWD'" - "$1" >/dev/null 2>&1
   then
      echo "$CWD - No access for $1"
      exit 1
   fi
done

echo "Access for $1 all the way through $2"
Belmin Fernandez
0

The following find commands should be run as root, or at least a user that has full access to the directory tree. You will need an additional check to verify access to the paths used in the find commands. This can be accomplished by running the command as the target user. Failures when running as a non-root user should be dealt with appropriately.

Replace /srv/www with the appropriate directory or directories for your requirements. Change the user and group appropriately for other users. If the user belongs to multiple groups, you will need to add additional tests for the secondary groups. (In many cases just flagging files owned by the secondary groups may be sufficient.)

For a system where apache runs as www-data:www-data the following will find files which can't be read.

find /srv/www ! -type d ! \( -user www-data -perm -400 \) -a ! \( -group www-data -perm -040 \) -a ! -perm -004

The equivalent for accessible directories is:

find /srv/www -type d ! \( -user www-data -perm -500 \) -a ! \( -group www-data -perm -050 \) -a ! -perm -005

For directories that don't need to be listed use 1 instead of 5 in the above. Files with known names will be accessible, but auto-index generation won't be.

You may also want to ensure only a few files or directories can be written to. The following finds files and directories that can be written to.

find -L /srv/www \( -user www-data -perm -200 \) -o \( -group www-data -perm -020 \) -o -perm -002
BillThor
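The following is an added example and is not code from the question or from any of the answers above. It does the walk that the su-based script does, but instead of switching users it evaluates the owner/group/other bits itself, the way the kernel does: exactly one permission class applies (owner if the uid owns the node, else group if one of the uids' groups matches, else other). That is the rule the find expressions above cannot express, since a file owned by www-data with mode 040 matches `-group www-data -perm -040` yet is not readable by www-data. The script assumes GNU or busybox `stat -c '%a %u %g'`, an absolute path, and the classic mode bits only (no POSIX ACLs, capabilities, root's DAC bypass, or MAC policies); the uid/gid numbers and paths in the comments are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the question or any answer). Evaluates the
# owner/group/other bits for a given uid without su/sudo and names the
# first directory that blocks the way. Assumes GNU or busybox `stat -c`.
# Not modelled: root's DAC bypass, POSIX ACLs, capabilities, SELinux/AppArmor.

# mode_allows MODE OWNER_UID GROUP_GID UID "GIDS" PERM
#   MODE is the octal mode as printed by `stat -c %a` (e.g. 640, 1777, 0).
#   PERM is r, w or x. GIDS is a space-separated list of the uid's groups.
#   Returns 0 if UID is granted PERM, 1 otherwise.
# Only one class applies: owner if UID owns the node, else group if GID is in
# GIDS, else other. A file owned by www-data with mode 040 is therefore NOT
# readable by www-data, even though the group bits say it is.
mode_allows() {
    ma_mode=$1 ma_owner=$2 ma_group=$3 ma_uid=$4 ma_gids=$5
    case $6 in r) ma_bit=4 ;; w) ma_bit=2 ;; x) ma_bit=1 ;; *) return 2 ;; esac
    # normalise to exactly three digits: drop setuid/setgid/sticky, pad "0" to "000"
    while [ ${#ma_mode} -gt 3 ]; do ma_mode=${ma_mode#?}; done
    while [ ${#ma_mode} -lt 3 ]; do ma_mode=0$ma_mode; done
    if [ "$ma_uid" -eq "$ma_owner" ]; then
        ma_digit=${ma_mode%??}                                              # owner class
    else
        case " $ma_gids " in
            *" $ma_group "*) ma_digit=${ma_mode#?}; ma_digit=${ma_digit%?} ;;  # group class
            *)               ma_digit=${ma_mode#??} ;;                         # other class
        esac
    fi
    [ $(( ma_digit & ma_bit )) -ne 0 ]
}

# node_allows UID "GIDS" PERM PATH: stat PATH (following symlinks, as open(2)
# would) and apply mode_allows to it. A missing path counts as denied.
node_allows() {
    na_uid=$1 na_gids=$2 na_perm=$3
    na_stat=$(stat -c '%a %u %g' "$4" 2>/dev/null) || return 1
    set -- $na_stat      # $1=mode $2=owner uid $3=group gid
    mode_allows "$1" "$2" "$3" "$na_uid" "$na_gids" "$na_perm"
}

# walk_path UID "GIDS" /ABSOLUTE/PATH
#   Requires search (x) on "/" and on every directory above PATH, and read (r)
#   on PATH itself. Prints the first component that denies access and
#   returns 1, or returns 0 silently when the whole chain is accessible.
walk_path() {
    wp_uid=$1 wp_gids=$2
    node_allows "$wp_uid" "$wp_gids" x / || { echo /; return 1; }
    wp_cur=/
    wp_rest=${3#/}
    while [ -n "$wp_rest" ]; do
        wp_comp=${wp_rest%%/*}
        case $wp_rest in */*) wp_rest=${wp_rest#*/} ;; *) wp_rest= ;; esac
        [ -n "$wp_comp" ] || continue          # tolerate doubled or trailing slashes
        if [ "$wp_cur" = / ]; then wp_cur=/$wp_comp; else wp_cur=$wp_cur/$wp_comp; fi
        if [ -n "$wp_rest" ]; then wp_need=x; else wp_need=r; fi
        node_allows "$wp_uid" "$wp_gids" "$wp_need" "$wp_cur" || { echo "$wp_cur"; return 1; }
    done
    return 0
}

# Typical call for the Debian www-data case; the document root is a placeholder.
# The uid and group list come from the account database, so no su/sudo is needed:
# walk_path "$(id -u www-data)" "$(id -G www-data)" /srv/www/site/index.html
```

Because the check is done from the bits alone, it can be run over a list of paths from a cron job without switching users; the printed component tells you which directory to fix. Where the kernel would consult an ACL or a MAC policy, the real answer can differ, so `sudo -u www-data test -r` remains the authoritative test for a single file.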