Posted to users@httpd.apache.org by Tomas Larsson <to...@tlec.se> on 2008/01/06 02:23:07 UTC

[users@httpd] File permissions in an Apache environment

Trying to lock down a special folder.
Now I can't use .htaccess + .htpasswd for some reason.

The directory must be executable for the server (php-script).
I don't want anyone outside to be able to get anything from the dir.
The script is run from a normal url, i.e. http://mysite/scriptdir/script.php
The url is initiated from the server-box itself through some sort of
CRON-Mechanism (can't explain it better)
I have no access to the server-config, only through .htaccess
The only working way I've found out, so far, is to set the permissions on
the dir to 100.

Anyone that has better solutions or ideas?

With best regards

Tomas Larsson
Sweden
http://www.tlec.se
http://www.ebaman.com

Verus Amicus Est Tamquam Alter Idem


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


RE: [users@httpd] File permissions in an Apache environment

Posted by Tomas Larsson <to...@tlec.se>.
> -----Original Message-----
> From: jslive@gmail.com [mailto:jslive@gmail.com] On Behalf Of Joshua Slive
> Sent: Sunday, January 06, 2008 4:13 PM
> To: users@httpd.apache.org; tomas@tlec.se
> Subject: Re: [users@httpd] File permissions in an Apache environment
>
> On Jan 6, 2008 3:04 AM, Tomas Larsson <to...@tlec.se> wrote:
> > Well, the problem is I can't put the username and the password in the
> > url, http://user:passw@mydomain/scriptdir/script is not allowed, that's
> > the reason why I can't use .htpasswd to protect the dir.
> 
> That's a client restriction and has nothing to do with apache.

Yes I know, it's the way my host's "CRON-job" implementation works.


> 
> > If it wasn't for this restriction I would be able to use .htpasswd w/o
> > any problem.
> > So far I've put 100 on the dir, and I have done some simple checks,
> > like I can't wget anything from the dir, if I wget an existing filename
> > I get 0 bytes.
>
> You can use Order/Allow/Deny to restrict by IP address. Other
> than that, you need to specify how you expect to
> differentiate between your authorized and unauthorized users.
> 
> Joshua.
Basically it is a MySQL backup-script written in PHP.
It is called by the "CRON-implementation" my host has.
It works by calling my virtual server with the url to the directory with the
script and the script itself, i.e. http://mydomain/scriptlocation/script.php
Obviously, doing it this way it is sort of open for the "general public"
provided that they know what to look for.
So obviously I don't want anyone else to go into it.
It should only be accessible for the Cron-command.
I guess that I need to implement some sort of password-control in the script
itself, but I want the directory totally safe from anybody else.

With best regards

Tomas Larsson
Sweden
http://www.tlec.se
http://www.ebaman.com

Verus Amicus Est Tamquam Alter Idem




Re: [users@httpd] File permissions in an Apache environment

Posted by Joshua Slive <jo...@slive.ca>.
On Jan 6, 2008 3:04 AM, Tomas Larsson <to...@tlec.se> wrote:
> Well, the problem is I can't put the username and the password in the url,
> http://user:passw@mydomain/scriptdir/script is not allowed, that's the reason
> why I can't use .htpasswd to protect the dir.

That's a client restriction and has nothing to do with apache.

> If it wasn't for this restriction I would be able to use .htpasswd w/o any
> problem.
> So far I've put 100 on the dir, and I have done some simple checks, like I
> can't wget anything from the dir, if I wget an existing filename I get 0
> bytes.

You can use Order/Allow/Deny to restrict by IP address. Other than
that, you need to specify how you expect to differentiate between your
authorized and unauthorized users.

Joshua.
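
The Order/Allow/Deny restriction suggested in this reply, written out as an added .htaccess example that is not part of the original message. It assumes Apache 2.2 syntax, that the host permits these directives in .htaccess, and uses 192.0.2.10 as a placeholder for the address the host's cron fetcher connects from; the file extensions in the second block are also assumptions.

```apache
# .htaccess placed in the script directory (added example, Apache 2.2 syntax).
# Order/Allow/Deny in .htaccess need "AllowOverride Limit" (or All) for this
# directory in the server config; without it the file is ignored or errors.

# Deny directives are evaluated first, then Allow. "Deny from all" matches
# every client, so a request is refused unless an Allow line also matches it.
Order Deny,Allow
Deny from all

# The job is started from the server itself, so allow loopback plus the
# address the scheduled request really arrives from. 192.0.2.10 is a
# placeholder: take the real address from the access log line of one
# scheduled run. On shared hosting that address may also be used by other
# customers' jobs, so this narrows access to the host's machines, not to
# this one job.
Allow from 127.0.0.1
Allow from 192.0.2.10

# Assumption: the backup script writes dump files into the same directory.
# Refuse them over HTTP for every client, including the allowed addresses;
# the extensions listed are illustrative.
<FilesMatch "\.(sql|gz|zip|bak)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

# Apache 2.4 expresses the directory rule with mod_authz_core instead
# (needs "AllowOverride AuthConfig"):
#   Require ip 127.0.0.1 192.0.2.10
```

Unlike directory mode 100, this leaves the filesystem permissions alone and has the server answer 403 Forbidden to every other client.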



RE: [users@httpd] File permissions in an Apache environment

Posted by Tomas Larsson <to...@tlec.se>.
Well, the problem is I can't put the username and the password in the url,
http://user:passw@mydomain/scriptdir/script is not allowed, that's the reason
why I can't use .htpasswd to protect the dir.
If it wasn't for this restriction I would be able to use .htpasswd w/o any
problem.
So far I've put 100 on the dir, and I have done some simple checks, like I
can't wget anything from the dir, if I wget an existing filename I get 0
bytes.

With best regards

Tomas Larsson
Sweden
http://www.tlec.se
http://www.ebaman.com

Verus Amicus Est Tamquam Alter Idem 

> -----Original Message-----
> From: jslive@gmail.com [mailto:jslive@gmail.com] On Behalf Of Joshua Slive
> Sent: Sunday, January 06, 2008 5:08 AM
> To: users@httpd.apache.org; tomas@tlec.se
> Subject: Re: [users@httpd] File permissions in an Apache environment
>
> On Jan 5, 2008 8:23 PM, Tomas Larsson <to...@tlec.se> wrote:
> > Trying to lock down a special folder.
> > Now I can't use .htaccess + .htpasswd for some reason.
> >
> > The directory must be executable for the server (php-script).
> > I don't want anyone outside to be able to get anything from the dir.
> > The script is run from a normal url, i.e.
> > http://mysite/scriptdir/script.php
> > The url is initiated from the server-box itself through some sort of
> > CRON-Mechanism (can't explain it better)
> > I have no access to the server-config, only through .htaccess
> > The only working way I've found out, so far, is to set the permissions
> > on the dir to 100.
> >
> > Anyone that has better solutions or ideas?
>
> Is .htaccess enabled in that directory (with AllowOverride in
> httpd.conf)? If not, you can't do anything. You can test this
> by putting an obvious syntax error in .htaccess and
> requesting the page.
> If you don't get a 500 error, you don't have the rights to
> use .htaccess.
> 
> Joshua.




Re: [users@httpd] File permissions in an Apache environment

Posted by Joshua Slive <jo...@slive.ca>.
On Jan 5, 2008 8:23 PM, Tomas Larsson <to...@tlec.se> wrote:
> Trying to lock down a special folder.
> Now I can't use .htaccess + .htpasswd for some reason.
>
> The directory must be executable for the server (php-script).
> I don't want anyone outside to be able to get anything from the dir.
> The script is run from a normal url, i.e. http://mysite/scriptdir/script.php
> The url is initiated from the server-box itself through some sort of
> CRON-Mechanism (can't explain it better)
> I have no access to the server-config, only through .htaccess
> The only working way I've found out, so far, is to set the permissions on
> the dir to 100.
>
> Anyone that has better solutions or ideas?

Is .htaccess enabled in that directory (with AllowOverride in
httpd.conf)? If not, you can't do anything. You can test this by
putting an obvious syntax error in .htaccess and requesting the page.
If you don't get a 500 error, you don't have the rights to use
.htaccess.

Joshua.
