How to allow apache access to a file but prevent others from viewing it?

I have several folders with Magento installations.

e.g.

www/magento1 www/magento2

All of the files/folders inside of those are owned by root:magento1 and root:magento2 respectively.

I have 3755 perms for all folders, 644 for all directories to start with. That prevents anyone but root from writing to any folder or file.

Then I add in group write permissions for folders/files devs should be able to write to. E.g. they cannot write to core files, but they can write to module/skins that are non core.

That's all fine. The only thing that's not fine is that I don't want them to be able to read the mysql database username/password from magento1/app/etc/local.xml. I don't want them to have access to the database, where sensitive information is stored. I also don't want a rogue programmer to delete a bunch of tables or what have you.

But apache needs to have read access to that same file.

Here's a "solution" that doesn't work: Remove read permissions from group but leave them for others. Why? Because that prevents devs from reading from their app/etc/local.xml, but allows them to read all the others.

What do I do?

Solution 1:

Assuming that, like under Debian, the apache runs as user www-data and group www-data, the solution is

chown www-data:www-data www/magento1/app/etc/local.xml
chmod 440 www/magento1/app/etc/local.xml

The root user can always read and write all files.