WebmasterWorld, Apache Web Server Forum

.htaccess security question

Scooter24, msg:1524864, 10:42 pm on Sep 13, 2002 (gmt 0)

If I set the permissions of .htaccess to 666 will other users be able to read/write to it? The file contains this directive (among others):

<Files .htaccess>
order allow,deny
deny from all
</Files>

I tried setting .htaccess to 666 then typed www.mydomain.com/.htaccess in the browser and got 'permission denied'. I even tried removing the deny from all directive and I still couldn't read .htaccess with a browser. Does this mean that .htaccess would be safe with permissions set to 666 and the deny from all directive?

amoore, msg:1524865, 11:00 pm on Sep 13, 2002 (gmt 0)

There are 2 things going on here. One is permission for people to pull up that file in their browsers (really, that's permission for your webserver to serve that page), and the other is permission for other people logged in to that machine to read and write that file.

The first is probably prohibited in the server configuration. It's pretty common for people to put something in apache configuration files to prohibit from serving any file that starts with ".ht". In fact, I think that's default in a lot of setups. That may be why you can't pull the page even when you don't specifically deny it in your .htaccess. I think you're alright here.

The other kind of security needs a little work. I recommend a permission setting of 644 on your .htaccess. The first digit is for permissions of the owner of the file. 6 is 4+2. The 4 is for reading, and the 2 is for writing (and the 1 that's not there is for executing). The second digit is for people in the group that owns the file. You may as well give this 4 for read access. The third digit is for all others. You need to give this a 4 so that the user that runs the webserver process (probably 'nobody') can read the file in order to determine what special stuff you're doing in it.

That's a pretty quick summary, but you can search Google for more on Unix file permissions and use of chmod.
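As an added illustration of the digit breakdown above (this is example code, not something posted in the thread), the POSIX sh helpers below decode a three-digit chmod mode into owner/group/other rwx triplets, flag the world-writable case (the 666 asked about), and read a real file's mode portably by parsing `ls -l` rather than `stat`, whose format flags differ between GNU and BSD. The function names and the temporary .htaccess used in the demo are my own constructions; it works on any file, not only .htaccess.

```shell
# Decode a three-digit octal chmod mode into rwx triplets and flag the
# world-writable case (mode 666) discussed in the thread. Helpers print to
# stdout or signal via exit status so they can be reused in other scripts.

# Map one octal digit (0-7) to its rwx form.
digit_to_rwx() {
  case "$1" in
    0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
    4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
    *) echo '???' ;;
  esac
}

# decode_mode 644 -> owner=rw- group=r-- other=r--
decode_mode() {
  o=$(printf '%s' "$1" | cut -c1)
  g=$(printf '%s' "$1" | cut -c2)
  w=$(printf '%s' "$1" | cut -c3)
  echo "owner=$(digit_to_rwx "$o") group=$(digit_to_rwx "$g") other=$(digit_to_rwx "$w")"
}

# Exit 0 when the "others" digit carries the write bit (2): any local account,
# including another customer's script on a shared host, could modify the file.
is_world_writable() {
  case "$(printf '%s' "$1" | cut -c3)" in
    2|3|6|7) return 0 ;;
    *) return 1 ;;
  esac
}

# Exit 0 when the "others" digit carries the read bit (4), which the account
# running httpd (often 'nobody') needs unless it shares the file's group.
is_world_readable() {
  case "$(printf '%s' "$1" | cut -c3)" in
    4|5|6|7) return 0 ;;
    *) return 1 ;;
  esac
}

# Turn one rwx triplet from ls -l into its octal digit (s/t count as x).
triplet_to_digit() {
  n=0
  case "$1" in r??) n=$((n + 4)) ;; esac
  case "$1" in ?w?) n=$((n + 2)) ;; esac
  case "$1" in ??[xst]) n=$((n + 1)) ;; esac
  echo "$n"
}

# Read a real file's mode as three octal digits by parsing ls -l (portable
# across GNU and BSD userlands; stat's format flags are not).
file_mode_of() {
  perm=$(ls -ld "$1" | cut -c2-10)
  printf '%s%s%s\n' \
    "$(triplet_to_digit "$(printf '%s' "$perm" | cut -c1-3)")" \
    "$(triplet_to_digit "$(printf '%s' "$perm" | cut -c4-6)")" \
    "$(triplet_to_digit "$(printf '%s' "$perm" | cut -c7-9)")"
}

# Print a one-line verdict for a file, in the terms used in the thread.
check_htaccess() {
  m=$(file_mode_of "$1")
  if is_world_writable "$m"; then
    echo "$1: mode $m ($(decode_mode "$m")) is world writable; any local user can edit it"
  elif is_world_readable "$m"; then
    echo "$1: mode $m ($(decode_mode "$m")) is readable by the server, writable only by owner/group"
  else
    echo "$1: mode $m ($(decode_mode "$m")) may not be readable by the httpd account"
  fi
}

# Demo on a constructed .htaccess in a temporary directory (not a real site).
demo() {
  d=$(mktemp -d) || return 1
  printf '<Files .htaccess>\norder allow,deny\ndeny from all\n</Files>\n' > "$d/.htaccess"
  chmod 666 "$d/.htaccess"; check_htaccess "$d/.htaccess"
  chmod 644 "$d/.htaccess"; check_htaccess "$d/.htaccess"
  rm -rf "$d"
}

demo
```

Run it as `sh check_mode.sh`; the demo prints the 666 verdict first and the 644 verdict second. `check_htaccess` can be pointed at a real .htaccess to confirm the 644 recommendation has actually been applied.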

Scooter24, msg:1524866, 11:32 pm on Sep 13, 2002 (gmt 0)

Thanks for the reply. What happens if I set .htaccess to 666? How can this compromise my security?
At the moment I'm using .htaccess to block some IP addresses, some user agents and to prevent image leeching.

andreasfriedrich, msg:1524867, 11:40 pm on Sep 13, 2002 (gmt 0)

If your file is world writable then anybody (or a script running on the system) logged into the system can change your .htaccess file. This is a risk if you share a server with other people. They could write such a script and have it mess with your files.

There was a nice article [heise.de] about this in the German computer magazine c't. So if you took German in High School now is a good time to refresh your knowledge.

Scooter24, msg:1524868, 2:33 am on Sep 14, 2002 (gmt 0)

Thanks for the article (am fluent in German).

Coming back to my problem, I need to write a PHP script which adds a 'deny from IP-address' line to .htaccess when called. The idea is to prevent people from downloading my entire site.

How to do all this when PHP is installed as 'others' on my provider's server?

There seem to be only two options:
1. set the permissions of .htaccess to 666 (and then according to the article somebody could modify my .htaccess)
2. let the PHP script connect in FTP mode with user-id and password (and store user-id and password in the script). In this case somebody who gets the script's code also gets my user-id and password.

What is the lesser evil? Having somebody mess up my .htaccess or having somebody get my user-id or password?
