
Proper permissions for web directories


jisoo23

Programmer
Jan 27, 2004
US
Hey everyone,

I have a website hosted on a Linux server and I'm trying to figure out the proper permissions for subfolders within my public_html folder. Website visitors can get into my subfolders and peruse files via that parent directory structure page and I'd like to put a stop to it. Can anyone tell me what chmod settings would be appropriate to allow webpages to still be accessible but not the directory?

Thanks in advance,
Jisoo23
 
Simplest answer is: Don't put any files you don't want anyone to see under a folder which your webserver can access.

Not so simple answer is to password protect your folders. If using Apache, you can do this with a .htaccess file (see Google for syntax, or ask in the Apache forum).

--------------------------------------------------
Free Java/J2EE Database Connection Pooling Software
 
I will reiterate sedj's thoughts;

Webservers almost always operate using the concept of a "webroot" folder, from which all descendants are regarded as web content.

Yes you can password protect folders with .htaccess or other security controls, but the more appropriate posture is to NOT have data under that hierarchy at all!

I'm sure you've not given us the detail as to why you're in this situation, but as far as free advice goes and given the detail you've shared, our answers are probably appropriate.

D.E.R. Management - IT Project Management Consulting
 
If you are saying that visitors can see a directory index, then you can prevent this by putting an index.html in all your directories where you don't want a directory index displayed. To answer your chmod question, the usual settings are for directories to be 755 and your web pages to be set to 644. However, chmod is not the solution in this case because you would have to deny apache access to those directories. Placing a default index page such as index.html will prevent them from guessing a file name or just entering a directory name.





 
sedj and thedaver,

The files in question are website html files and graphics used in the website. The problem is that when someone simply types in the directory name (i.e. they see a listing of the webpage filenames or graphics. I'm just trying to keep that from happening. I may try RhythmAce's suggestion although that's probably not a foolproof solution. I can see moving my graphics to a non-web accessible directory but not my html files.
 
Boy, I'd swear that Apache has a "no dirlist" parameter for webroots...

Only way I know to solve it is to "touch index.htm" for every folder that doesn't have it...

This behavior hearkens back to the early days when people trusted other people on the web.... quaint thought ain't it?

D.E.R. Management - IT Project Management Consulting
 
I think you'll find sedj's solution (.htaccess) will also do the trick.

Annihilannic.
 
Thanks guys, I'll try the .htaccess method.
 
You need to look into the "Options" directive in Apache, something like "Options -Indexes". That will prevent directory listing on all affected directories without having to remember to make a blank index file.

----
JBR
 
Thanks for the information flugh! Would I need to look in some sort of config file for this "Options" directive? I'm on a shared web hosting service, so I'm kind of learning how to get around through cPanel. If I knew what file needed to be edited (if any) I'd have a better idea of where to look.

Thanks again!
 
Apache's config file is called httpd.conf. However, you do not have access to it because any changes would require a restart of the server and you can see the foolishness in that. This is why .htaccess comes in handy. You can use virtually all the same directives.
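
The checks discussed in this thread, as an added example that is not part of any poster's reply: a POSIX shell audit that prints every directory under a webroot with neither an index file nor an `Options -Indexes` override in an `.htaccess` on its path, plus the 755/644 reset. The function names and the `INDEX_NAMES` list are assumptions, and it assumes the host's `AllowOverride` setting permits `Options` in `.htaccess` and that the main server config leaves listings enabled.

```sh
#!/bin/sh
# Added example, not from the thread: find directories Apache would list.

# Assumed index file names; match these to the server's DirectoryIndex.
INDEX_NAMES="index.html index.htm index.php"

has_index() {
    for name in $INDEX_NAMES; do
        [ -f "$1/$name" ] && return 0
    done
    return 1
}

# Succeeds when the nearest .htaccess (from $1 up to webroot $2) that sets
# Indexes in an Options line sets it to -Indexes.
listing_disabled() {
    dir=$1; root=$2
    while :; do
        if [ -f "$dir/.htaccess" ]; then
            line=$(grep -Ei '^[[:space:]]*Options[[:space:]].*Indexes' \
                "$dir/.htaccess" | tail -n 1 | tr 'A-Z' 'a-z')
            case $line in
                *-indexes*) return 0 ;;
                *indexes*)  return 1 ;;
            esac
        fi
        case $dir in "$root"|/|.) return 1 ;; esac
        dir=$(dirname "$dir")
    done
}

# Prints each directory under webroot $1 that has no index file and no
# -Indexes override, i.e. one whose file names a visitor could browse.
exposed_dirs() {
    root=${1%/}
    find "$root" -type d | sort | while IFS= read -r d; do
        has_index "$d" || listing_disabled "$d" "$root" || printf '%s\n' "$d"
    done
}

# Applies the modes given in the thread: 755 directories, 644 files.
reset_modes() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

if [ $# -gt 0 ]; then exposed_dirs "$1"; fi
```

Run it with the webroot as its argument, for example `sh audit.sh ~/public_html`; an empty result means no directory under it is left browsable by the two checks above.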

 