In a web application I have an upload folder where all users’ files are stored, I need to eliminate the possibility of executing them.
As seen in Wikipedia:
chmod -R a-x+X directory
remove the execute permission on all files in a directory tree, while allowing for directory browsing.
But after successfully applying this to upload folder all the enclosed php, perl and python scripts that I’ve placed there for test purposes (and I suspect all the other types of executable files) do get executed when I print their addresses in browser.
Why is this happening and what can I do to fix this?
The perl, php, and python interpreters will happily execute input files passed to them, whether the execute permission bit for their input files is turned on or not. (On
the other hand, if the file has a shebang line specifying which interpreter to use,
the execute permission will be respected. But that is probably not the case for
your situation.)
You’ll have to address this issue by configuring your web server (restricting
the directories that it considers executable), rather than at the filesystem level.
If you’re using Apache, you’ll probably want to look at the ScriptAlias directive,
either in the global configuration or local .htaccess files, as described here.