Stopping file access

Forum Moderators: phranque

Message Too Old, No Replies

Stopping file access

Stopping user's access to a directories files

Sosthenes

3:55 pm on Dec 22, 2005 (gmt 0)

Hi all. Is it possible to configure a directory to stop users from trying to guess the file names in the directory, and then accessing them.

If I do:

<Directory "/srv/test/PHP/">
Options None
Order deny,allow
Deny from all
</Directory>

This will give me a:

Forbidden

You don't have permission to access /test/PHP/ on this server. Apache/2.0 Server at www.example.net Port 80

message.

As I know the name of a file in that directory, I can still access the file contents, by appending the filename to the forbidden directory.

I want to be able to restrict access to the directory's file content as well. Is this possible?

TIA

[edited by: jdMorgan at 4:17 pm (utc) on Dec. 22, 2005]
[edit reason] Example.com [/edit]

jdMorgan

4:20 pm on Dec 22, 2005 (gmt 0)

Try using <Location> or <LocationMatch> instead of <Directory>.

I assume it is your intent to block all HTTP access to this directory and its contents, and that the files within that directory will only be accessed by being *included* server-side in other pages.

Jim

Sosthenes

9:29 pm on Dec 22, 2005 (gmt 0)

What I'm trying to do is this Jim.

This is a test directory under DocumentRoot that
I want to access with full listings from localhost, and my laptop on 10.0.0.3, via my 4 port router's LAN.

I do not want to make this directory visible to external users on the net. All other access I want to block completely - no listings and no access to guessed file name content.

I have tried blocking 10.0.0.3 for testing purposes, as if it was an external machine, but I can still access files under the directory that is forbidden.

Here is the Directory container syntax:

# access for localhost and 10.0.0.3 only with directory listings

<Directory "/srv/test/PHP/">
Options None
Options Indexes
Order deny,allow
Deny from All
Allow from localhost
# Allow from 10.0.0.3 // disabled for testing
</Directory>

So how do I allow full directory listings for localhost, but forbid external users to get access to the directory listing, or access to the file contents by guessing the filenames please?

jdMorgan

10:25 pm on Dec 22, 2005 (gmt 0)

Actually, it looks like it should work.

Have you tried this without the trailing slash and quotes?


<Directory /srv/test/PHP>

Did you restart the server?
Did you flush your browser cache?

Jim

Sosthenes

7:00 am on Dec 23, 2005 (gmt 0)

I have removed localhost from the Allow list, and still get the problem of being able to access a php test file in the forbidden directory.

Here is the httpd.conf config section:

#<Directory /srv/test>
# Options None
# Options Indexes
# Order deny,allow
# Deny from All
# Allow from localhost
# Allow from 10.0.0.3
#</Directory>

<Directory /srv/test/PHP>
Options None
Order deny,allow
Deny from all
</Directory>

Doing a quick test from localhost gives the following:

Removing the quotes and trailing slash stops the directory from being listed, and gives me the forbidden access message when I try to access /srv/test/PHP/. However I can still access a php file using /srv/test/PHP/get_vars.php in the forbidden directory.

I have restarted apache with /etc/init.d/apache2 stop then starting it again.

I have closed my browser, then started a different one to clear the cache.

One other problem I have noticed is if I try to access any directory without the trailing "/" at the end of the directory name nothing happens - the request does not work, and the browser loading icon keeps on running. Is this normal as well?