770 permissions on file in apache root, still viewable

Question

I've seen a lot of questions on here regarding files not being accessible due to permissions with LAMP but nothing about making files unviewable by the http client using permissions.

I have files and folders in my Apache2 root folder that I don't want people to be able to access via their browser or by other external means. I set the permissions to 770, but this doesn't seem to be enough. Do outside users access files as the apache user? I'm running LAMP under Ubuntu Server with little modifications to the defaults, thus my apache user is www-data, group is :www-data, and the apache root is /var/www.

I have a /var/www/_private folder that has 770 permissions and the same permissions on its enclosed files. However, if I access these files through a browser, they are still viewable. Are clients accessing my files as the www-data user? If so, how do I rectify this?

I've worked on hosted setups where setting the "other" permissions to 0 was sufficient for denying outside direct access to files. Do I need to install some extra module to gain this functionality?

Note: I still need my accessible-to-the-client PHP scripts to access these files via includes, fopen, etc...

Answer 1

Well, right, 770 means that the owner of the file and the group can read, write and execute it. I'm going to guess the Apache is the owner of that file, thus allowing it to access it and open it to the world.

Instead of modifying the permissions on the server, and possibly causing harm to the accessibility of the file, why don't you use an .htaccess file. It will instruct Apache to take actions in certain instances, like denying access to a file. Simply create the .htaccess file in the root of the website with

<Files {your file name here}>
deny from all
</Files>

and you'll deny everyone from accessing it with Apache.

And if you want to deny an entire directory:

<Directory /var/www/_private>
   Order Deny,allow
   Deny from all
</Directory>