-1

I'm trying to apply permissions of 600 to certain files on my web server, but they are still accessible to the world (I can access them by navigating to direct link in browser e.g. domain.com/test.txt)!

The owner of these files is www-data:www-data. Even when I set permissions to 000, the files are still accessible to the world (akin to permissions 777)!

The only way I can make files inaccessible to the world is to apply chown root:root these files, but then www-data can't access them!

How can I make Nginx respect file permissions?

I'm using Nginx 1.8.1 and PHP 5.6.17.

Pamela
  • Why do you say they are "accessible to the world"? – Michael Hampton Feb 03 '16 at 16:53
  • @MichaelHampton, I can access them in the browser. – Pamela Feb 03 '16 at 16:56
  • If they are owned by www-data, then that is normal! What are you trying to accomplish? – Michael Hampton Feb 03 '16 at 16:57
  • As a general rule, don't rely on UNIX permissions for security of files inside the wwwroot. Just don't put anything in the wwwroot that should be kept hidden! – ItalyPaleAle Feb 03 '16 at 17:01
  • @MichaelHampton, there are two situations. 1) I have a file, `log.txt`, that records the number of visitors via `file_put_contents` (called from `script.php`)--I don't want someone to be able to access `log.txt` via the browser. 2) I have a different file, `cron.php`, which is run hourly via cron--I don't want someone to be able to access `cron.php` via the browser. – Pamela Feb 03 '16 at 17:24

1 Answer

4

Nginx is respecting file permissions. Nginx is running as www-data and Linux is enforcing the file permissions. The issue here is two goals that conflict. Expectations need to be changed.

  1. First, you want the files to be "inaccessible to the world" via the web browser. This implies that they can't be readable and accessible by the www-data user.
  2. Second, you observe that "www-data can't access them!" This conflicts with the first goal.
Mark Stosberg
  • I did not know that (I'm more used to Apache). There are two situations. 1) I have a file, `log.txt`, that records the number of visitors via `file_put_contents` (called from `script.php`)--I don't want someone to be able to access `log.txt` via the browser. 2) I have a different file, `cron.php`, which is run hourly via cron--I don't want someone to be able to access `cron.php` via the browser. – Pamela Feb 03 '16 at 17:38
  • @Pamela, Apache permissions work the same way. You can store `log.txt` outside the web root in a location the `www-data` user can access. Also store `cron.php` outside the web root...unless you are using a faux-cron solution like Wordpress that makes HTTP calls back to a cron PHP script. If that's the case, *do* store cron.php in the web root and configure Nginx to only allow calls to cron.php from 127.0.0.1. – Mark Stosberg Feb 03 '16 at 17:48
  • How about files like `wp-config.php`? Anything special I need to do in order to protect this file and other such configuration files? – Pamela Feb 03 '16 at 17:52
  • @Pamela check out the official security documentation for Wordpress, which has a section on securing wp-config.php: http://codex.wordpress.org/Hardening_WordPress#Securing_wp-config.php – Mark Stosberg Feb 03 '16 at 19:33
  • Thanks, I never knew `wp-config.php` can be stored one directory level above the WordPress installation. I'll go ahead and store my files outside the web root. – Pamela Feb 03 '16 at 20:09
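As an added example that is not part of the question, answer or comments, here is an nginx server block implementing the two approaches Mark Stosberg's comment describes: only the local host may call `cron.php`, and `log.txt` is not served if it has to stay under the web root. The domain comes from the question; the web root path and the php-fpm socket path are assumptions and must match your own setup.

```nginx
server {
    listen 80;
    server_name domain.com;           # hostname used in the question
    root /var/www/domain.com/public;  # assumed web root, owned by www-data

    index index.php index.html;

    # Normal PHP handling. The socket path is an assumption; check the
    # "listen" directive in your php-fpm pool config.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }

    # cron.php: an exact-match location takes precedence over the regex
    # block above, so this block alone decides. Only loopback clients (the
    # hourly cron job or a faux-cron HTTP call) are allowed; every other
    # client receives 403 from nginx before PHP is ever invoked.
    location = /cron.php {
        allow 127.0.0.1;
        allow ::1;
        deny all;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
    }

    # log.txt: the real fix is to have script.php write it outside
    # $document_root (e.g. /var/www/domain.com/private/log.txt, still
    # owned by www-data so PHP can append to it). If it must remain under
    # the web root, make nginx refuse to serve it regardless of file mode.
    location = /log.txt {
        return 404;
    }
}
```

After `nginx -t && nginx -s reload`, a request for `/cron.php` from any non-loopback address should return 403, while `curl -H 'Host: domain.com' http://127.0.0.1/cron.php` run on the server itself still reaches PHP.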