How to allow apache access to a file but prevent others from viewing it?
I have several folders with Magento installations.
e.g.
www/magento1 www/magento2
All of the files/folders inside of those are owned by root:magento1 and root:magento2 respectively.
I have 3755 perms for all folders, 644 for all directories to start with. That prevents anyone but root from writing to any folder or file.
Then I add in group write permissions for folders/files devs should be able to write to. E.g. they cannot write to core files, but they can write to module/skins that are non core.
That's all fine. The only thing that's not fine is that I don't want them to be able to read the mysql database username/password from magento1/app/etc/local.xml. I don't want them to have access to the database, where sensitive information is stored. I also don't want a rogue programmer to delete a bunch of tables or what have you.
But apache needs to have read access to that same file.
Here's a "solution" that doesn't work: Remove read permissions from group but leave them for others. Why? Because that prevents devs from reading from their app/etc/local.xml, but allows them to read all the others.
What do I do?
EDIT: Yes, devs = developers and they will have SSH and FTP access.
Solution 1:
Assuming that, like under Debian, the apache runs as user www-data and group www-data, the solution is
chown www-data:www-data www/magento1/app/etc/local.xml
chmod 440 www/magento1/app/etc/local.xml
The root user can always read and write all files.