Index of /... to "Access denied" >> Permissions

Status
Not open for further replies.

LocoPollo

Programmer
Jun 6, 2005
48
DK
I have made a little Perl script that creates some folders (and files). It creates the folders as owner 'www' (not as my ordinary username 'hotguy' - and I guess 'apache' is set to 'The permissions are chmod to '0700' (I only want my scripts to be able to see what is in the folders - I have made a little login/password thingy)

However, when I enter the URL for the folders in a browser, I get a complete list of the folder that has been created!? That wasn't the meaning, it should be secret! :) Maybe get an "Access denied" thingy or something.

I guess it's because apache (' owns the files and folders that are generated by the scripts, so it also shows folders that apache owns when someone asks for it.

How do I avoid this? I could just copy an empty "index.html" file into the created folders, but still it's not the "correct" way of doing it. (Someone could just try with different folder and file names until they hit the right names.)

Can I somehow get an "Access denied" without having to disturb the guy who has the server?
 
LocoPollo,

You could set up a .htaccess file that denies requests unless they come from specific IP addresses. You could also change the configuration so that specific directories don't list their contents.



Wishdiak
A+, Network+, Security+, MCSA: Security 2003
 
My new question is below the ---- line

Thanks! But geeez! I spent days figuring out how to deal with that .htaccess file.
1. I had to place it in a folder that is 'owned' by apache, so had to make a lil script for that
2. It's invisible; struggled for hours before I figured that out.
3. And had a hard time finding what to write in it

Anyway, I made it work this way:
made a file called '.htaccess'
wrote just 1 line:
'deny from all'
... and now I get this 403 Forbidden message when I try to see the content of the folders in a browser.

My script can still for some strange reason see the files and read them. They shouldn't be able to, but they can, so that's OK. I tried this to make it "correct" though:
Code:
order deny,allow
allow from 195.140.xxx.xxx
deny from all
...but then I get an internal server error.

----------

Last thing now:
Is it possible to do something so that people can't even see what folders exist?? I have been a bit stupid and named all my folders after the usernames, so it would be possible to see what users I had, by trying.

Just being a bit paranoid, but if it's possible to show the '403 forbidden' message no matter what people enter in a browser, even folders that don't exist ...then it could be nice.

It was also suggested that I move the folder out of apache's area "../../mysecretfolder"; is that the best way, or can htaccess do it?

Thanks! :)
 
LocoPollo,

For your .htaccess file
Code:
order deny,allow
allow from 195.140.xxx.xxx
deny from all

Notice that the order directive places deny before allow. It's best practice to list the most restrictive directive first, so change it to

Code:
order allow,deny
allow from 195.140.xxx.xxx
deny from all

As far as files and folders, your DocumentRoot can be any directory anywhere. You might consider creating a new directory to place your files into.

And just to be thorough, your scripts (if they are executable CGI files) don't process the .htaccess file or any directives within.

Wishdiak
A+, Network+, Security+, MCSA: Security 2003
 
Thanks!
Ohh, I thought the order was to tell apache what to read first:
1. first I want to deny access for everyone
2. then allow a SINGLE IP.

I will try swapping the order.

"And just to be thorough..." what do you mean? :) I only used the little script to be able to write the htaccess to a folder that is owned by "apache". I don't think I'm processing htaccess in them in general, or am I?? If there is something I don't know about, let me know. If it's just the little script, then I will remove it from the server right now. :)

And if anyone has some links to good tutorials on htaccess, please let me know.
I found this one for newbies myself:
... but I think there is A LOT more.

Thanks again!
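
Added example (not part of any post in this thread, and not Apache's own code): a small Python model of how the access module in Apache 1.3, 2.0 and 2.2 combines the Order, Allow and Deny directives discussed above, applied to the rule set from the thread under both Order settings. The function names and the two client addresses are constructed for illustration; only "all" and full or partial IPv4 addresses are modelled.

```python
# Added illustration: a model of how mod_access / mod_authz_host
# (Apache 1.3, 2.0, 2.2) decides one request from Order, Allow and Deny.
# Function names are hypothetical; this is not Apache source code.

def matches(spec, client_ip):
    """True if an 'allow from' / 'deny from' spec covers client_ip."""
    if spec.lower() == "all":
        return True
    # A partial address such as "192.0.2" matches on whole leading octets.
    spec_octets = spec.split(".")
    return client_ip.split(".")[:len(spec_octets)] == spec_octets

def access_allowed(order, allow, deny, client_ip):
    """Return True if the request is served, False if it gets 403."""
    allowed = any(matches(s, client_ip) for s in allow)
    denied = any(matches(s, client_ip) for s in deny)
    order = order.replace(" ", "").lower()
    if order == "deny,allow":
        # Deny rules are evaluated first, Allow rules last.
        # Default is allow; an Allow match overrides a Deny match.
        return allowed or not denied
    if order == "allow,deny":
        # Allow rules are evaluated first, Deny rules last.
        # Default is deny; a Deny match overrides an Allow match.
        return allowed and not denied
    raise ValueError("unsupported Order value: %r" % order)

# Constructed sample addresses (documentation ranges), standing in for
# the masked 195.140.xxx.xxx address in the thread.
TRUSTED = "192.0.2.10"
OTHER = "198.51.100.7"

def demo():
    """Evaluate 'allow from TRUSTED' + 'deny from all' under both orders."""
    rules = {"allow": [TRUSTED], "deny": ["all"]}
    results = {}
    for order in ("deny,allow", "allow,deny"):
        for ip in (TRUSTED, OTHER):
            results[(order, ip)] = access_allowed(order, client_ip=ip, **rules)
    return results

if __name__ == "__main__":
    for (order, ip), ok in demo().items():
        verdict = "served" if ok else "403 Forbidden"
        print("order %-10s client %-13s -> %s" % (order, ip, verdict))
```

The position of the allow and deny lines in the file does not affect the result; only the Order value does. In Apache 2.4 these directives are kept only for compatibility, and the Require directive replaces them.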
 
LocoPollo,

Since you don't mention the version of Apache you are using, here are links to .htaccess files for both 1.x and 2.x.


I don't think I'm processing htaccess in them in general, or am I??

Only the Apache webserver processes .htaccess files, if configured to do so. Other programs, and many executable scripts, will not.

Wishdiak
A+, Network+, Security+, MCSA: Security 2003
 