I've got a folder where I'm storing a bunch of confidential documents and I authenticate the user when they log in, but I only want them to be able to download a specific file.
How can I retrieve the file using apache/php or something else, preferably to give them a download link for the file without moving the folder into the webroot, storing the files in a database or reading in PHP the file and then spitting it back out to them which seems like a waste of CPU time?
Here is something to think about as a framework like method to implement. Your goal: "Prove someone the ability to download a file only meant for them." Quick solution that can be created into some form of framework: "sha checksums of a specific where a file is created based on pre-defined criteria." In practice:
sh-3.2# cd /var/www
sh-3.2# mkdir `echo "Clientname" | shasum5.16 | tail -n 1 | awk '{print $1}'`
sh-3.2# ls
2acdddd6c15cf298f6b4f0f74050524842dbeff9
sh-3.2# cd 2acdddd6c15cf298f6b4f0f74050524842dbeff9/
sh-3.2# mkdir `echo "John Doe" | shasum5.16 | tail -n 1 | awk '{print $1}'`
sh-3.2# mkdir `echo "Jane Doe" | shasum5.16 | tail -n 1 | awk '{print $1}'`
sh-3.2# ls
732979cbd4216928eba0a46c51df458687d949b4 77b39a39ca4e50b5c36014dc99aa46237fc4c064
In the first line, we go to our webroot directory. Second line, we make a checksum of the company we are holding files for. (Could be any company including our own.) Third line, we go into that directory. Now, we create specific directories for users in that company. We could store information for a specific person without ever having to worry about them guessing another directory. It's simple and effective without having to jump through hoops and hurdles on permissions, groups, etc.
It sounds like your primary concern is serving files to the correct authorized user. To do this, look into X-Sendfile for Apache or X-Accel-Redirect for Nginx. This will allow files in a certain directory to be accessed only if the application provides the webserver with the correct header on response.