funwithlinux blog

How to Recursively Find Non-Publicly Readable Files in public_html: Quick Bash Command for Linux Apache Servers

For anyone managing a Linux-based Apache web server, the public_html directory is the heart of your web content. It’s where HTML, CSS, JavaScript, images, and other assets live—files that need to be accessible to visitors. However, misconfigured file permissions in public_html can lead to frustrating issues like "403 Forbidden" errors (if files are too restrictive) or security vulnerabilities (if files are too permissive).

One critical task is ensuring all publicly served files in public_html are readable by the "other" user category (i.e., the general public, including Apache). In this blog, we’ll break down how to recursively find non-publicly readable files in public_html using a simple Bash command, why this matters, and how to fix problematic files.

2025-11

Table of Contents#

  1. Understanding File Permissions in public_html
  2. Why Non-Publicly Readable Files Matter
  3. The Quick Bash Command Explained
  4. Step-by-Step Guide to Using the Command
  5. Interpreting the Results
  6. Fixing Non-Publicly Readable Files
  7. Advanced: Automating the Check
  8. Conclusion
  9. References

1. Understanding File Permissions in public_html#

Before diving into the command, let’s recap Linux file permissions. Every file/directory has three permission categories:

  • User (u): The owner of the file.
  • Group (g): Members of the file’s group.
  • Others (o): All other users (including the Apache web server, in most cases).

Each category has three permissions: read (r), write (w), and execute (x). Permissions are represented numerically (e.g., 644) or symbolically (e.g., rw-r--r--).

For public_html files to be accessible to website visitors, the "others" category must have read (r) permission. Without it, Apache (acting as "others") can’t serve the file, leading to 403 errors.

2. Why Non-Publicly Readable Files Matter#

  • Broken Website Functionality: Critical assets like CSS, JavaScript, or images without "others read" permission will fail to load, breaking your site’s layout or functionality.
  • Security Risks: Overly permissive files (e.g., 777) expose sensitive data, while overly restrictive files (e.g., 600) break access. Striking the right balance is key.
  • Compliance: Many security standards (e.g., PCI-DSS) require strict permission controls to protect data.

3. The Quick Bash Command Explained#

To recursively find all files in public_html that lack "others read" permission, use this command:

find /path/to/public_html -type f ! -perm -o=r

Breakdown of the Command:#

  • find: The Linux command to search for files/directories.
  • /path/to/public_html: Replace with your actual public_html path (e.g., /home/username/public_html or /var/www/html).
  • -type f: Restrict results to files (excludes directories).
  • !: Negates the following condition (i.e., "not matching").
  • -perm -o=r: Checks if "others" have read (r) permission. The - prefix ensures we check for at least this permission (ignoring higher permissions like write/execute).

4. Step-by-Step Guide to Using the Command#

Step 1: Locate Your public_html Directory#

Common paths include:

  • cPanel/Plesk servers: /home/username/public_html
  • Dedicated/VPS servers: /var/www/html (or /var/www/yourdomain.com/public_html)

Verify the path with:

ls -ld /path/to/public_html  # Replace with your path

Step 2: Run the Find Command#

Replace /path/to/public_html with your actual path and run:

find /home/username/public_html -type f ! -perm -o=r

Example Output:#

/home/username/public_html/css/style.css
/home/username/public_html/js/app.js
/home/username/public_html/secret-data.txt

This output lists files that do not allow "others" to read them.

5. Interpreting the Results#

Use ls -l on a listed file to check its current permissions:

ls -l /home/username/public_html/css/style.css

Example output:

-rw-r----- 1 username username 1234 May 20 10:00 /home/username/public_html/css/style.css

Here, rw-r----- means:

  • User: rw (read/write)
  • Group: r (read)
  • Others: --- (no permissions) → No "others read" permission (problematic!).

6. Fixing Non-Publicly Readable Files#

To grant "others read" permission to a single file:

chmod o+r /path/to/file

Bulk Fix (Recursive):#

To fix all non-readable files in public_html at once:

find /path/to/public_html -type f ! -perm -o=r -exec chmod o+r {} +

Warning:#

Always review the list of files with the find command before running the bulk chmod! Accidentally adding read permission to sensitive files (e.g., .env, config.php) could expose data. For sensitive files, restrict permissions to 600 (user-only read/write) and ensure Apache doesn’t need access to them.

7. Advanced: Automating the Check#

To avoid manual checks, automate the process with a cron job. For example, run the check weekly and email results:

Step 1: Create a Script (check_permissions.sh)#

#!/bin/bash
LOG_FILE="/tmp/public_html_permissions.log"
PUBLIC_HTML="/path/to/public_html"
 
# Run the find command and save results
find "$PUBLIC_HTML" -type f ! -perm -o=r > "$LOG_FILE"
 
# If results exist, email them; else, send "all good"
if [ -s "$LOG_FILE" ]; then
  mail -s "Non-Publicly Readable Files Found" [email protected] < "$LOG_FILE"
else
  mail -s "Public HTML Permissions: All Good" [email protected] <<< "No non-readable files found."
fi

Step 2: Make the Script Executable#

chmod +x check_permissions.sh

Step 3: Add a Cron Job#

Run crontab -e and add:

0 0 * * 0 /path/to/check_permissions.sh  # Runs weekly at midnight on Sunday

8. Conclusion#

Maintaining proper file permissions in public_html is critical for a functional and secure website. The find command above quickly identifies non-publicly readable files, and with careful bulk fixes or automation, you can ensure visitors never encounter 403 errors again. Always validate permissions before making bulk changes, and prioritize security for sensitive files.

9. References#