I have a server hosted by Altervista. Now since I don't want a file that I manage to be accessed by visitors, I wanted to put it outside of the root directory. I thought /var/www/ would work but it doesn't, or maybe I can't access it.
Do you know how I can prevent users from accessing this file?
You could protect files in a subdirectory of your /var/www with a password via .htaccess and .htpasswd files in the subdirectory (procedure described here https://davidwalsh.name/password-protect-directory-using-htaccess, e.g.).
I am running my server on cPanel.
I have two users accounts:
/home/user1
/home/user2
From user2 I need to include /home/user1/public_html/config.php.
Is there any way to do this?
It is fully possible to access PHP files located in other parts of the hard drive than where the site is run. However, this depends on two things. First off, the web user needs read permissions for the file, and you need to define the root folder where that PHP file is located as an accessible folder for the website.
Setting file permissions for the file can be done with:
chmod 775 /home/user1/public_html/config.php
Defining the accessible folders for PHP depends on whether you are running Apache or Nginx.
In Nginx for example:
fastcgi_param PHP_ADMIN_VALUE "open_basedir =$document_root:/tmp:/usr/local/lib/php:/var/www/vhosts/yourdomain/httpdocs/:/home/user1/public_html";
In Apache:
Apache readme
Now you should be able to require the file like you normally would require any file:
require('/home/user1/public_html/config.php');
Why not just copy paste the /home/user1/public_html/config.php file to /home/user2/public_html/? If you don't have permissions to access or do any operation on the file, then you are simply not authorized to attempt this.
I'd like to know how i can go about denying direct web access to configuration files of application whilst allowing php to access them.
I know most answers would suggest to put the includes outside the public_html directory. But I really don't think it's that efficient.
Thanks.
PHP just uses the file system to access files, whereas web users usually go through Apache, which checks a .htaccess file. So just place a .htaccess file that contains "deny from all" into that directory and voilà.
TL:DR Will permission 444 on a folder restrict access for a web user and browser?
I have a webserver with a root catalog that is accessible from the web. I can't access any folders higher up in the hierarchy, I only have control of the root folder and down.
Let's say I have the following folder structure:
includes
includes\database.php
admin
admin\index.php
I want the includes folder to follow these rules:
Accessible from within the server, so "admin/index.php" can include "includes/database.php"
Accessible via FTP, so I can access and edit the folder and files.
NOT Accessible by a user from the web.
Can I solve this by setting "includes" and all subfolders/files with permission 444? If so, is there a known way to bypass this access-rule or is it safe to use?
If you want to keep assets safe from web access you need to move them outside of your web root. Typically one level below your web root is used. This way they are still accessible via FTP and your code but not to web requests.
In CI user guide there is such line:
You'll need a destination folder for your uploaded images. Create a folder at the root of your CodeIgniter installation called uploads and set its file permissions to 777.
How secure is it when I am developing real web application? For example: social network and I want to upload user's profile pictures. I think I will have privacy problems when user's will want to upload private pictures.
Depending on the level of security you want, 777 might not be the best option (it's the simplest). The user the webserver runs as must have rwx to the folder, and if you want to be truly secure, the folder should not be under your webroot.
That means, if the web files are in /home/mysite/ ( eg /home/mysite/index.html maps to http://mydomain.com/index.html ) then the upload folder should be /home/uploads .
Your application can use code to access the files via the system path ( /home/uploads ) but no one from the internet can directly access it that way.
Alternatively, if you cannot do the above ( eg because you're on a shared host ) you can use .htaccess (placed in the upload folder) for the same effect, by placing these rules :
Deny from all
Options None
Options +FollowSymLinks
( note that again, your app will need to use the system path, since Apache won't be able to serve these files directly ).
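Both the answer above and the earlier advice to keep assets "outside of your web root" leave one step to the application: handing the file to the browser itself, since Apache can no longer serve it. The following is an added example, not code from the answers or from CodeIgniter. It assumes an upload directory at /home/uploads (the layout used above), a URL of your choosing such as /picture.php?f=NAME, and that your own session logic has already decided whether this visitor may see this picture before the script runs. What it adds is the containment check: the client-supplied name is resolved with realpath and must land inside the resolved upload directory, which rejects ".." sequences and symlinks pointing back out.

```php
<?php
// Added example, not code from the answers above or from CodeIgniter.
// Serves a profile picture stored outside the web root (the /home/uploads
// layout from the answer). Assumptions: UPLOAD_DIR exists and is readable by
// the web server user; the URL /picture.php?f=NAME is yours to choose; the
// decision "may this visitor see this picture" is made by your own session
// logic before this code runs.
declare(strict_types=1);

const UPLOAD_DIR  = '/home/uploads';
const ALLOWED_EXT = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                     'png' => 'image/png',  'gif'  => 'image/gif'];

/**
 * Map a client-supplied name to a real path inside UPLOAD_DIR.
 * Returns null for anything that is not a plain file name, does not exist,
 * is not a regular file, or resolves (via ".." or a symlink) outside the directory.
 */
function resolveUpload(string $name): ?string
{
    // Plain file names only: no path separators, no "..", no control characters.
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\z/', $name)
        || strpos($name, '..') !== false) {
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    $full = realpath(UPLOAD_DIR . '/' . $name);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // Containment check on the *resolved* paths, so a symlink inside the
    // upload directory that points elsewhere is rejected too.
    if (strncmp($full, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

/** Content type from the extension whitelist, or null if not an allowed image. */
function contentTypeFor(string $path): ?string
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return ALLOWED_EXT[$ext] ?? null;
}

$name = isset($_GET['f']) && is_string($_GET['f']) ? $_GET['f'] : '';
$path = resolveUpload($name);
$type = $path === null ? null : contentTypeFor($path);
if ($path === null || $type === null) {
    http_response_code(404);   // same response for "missing" and "not allowed"
    exit;
}
header('Content-Type: ' . $type);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: inline; filename="' . basename($path) . '"');
readfile($path);
```

The point of this layout for the privacy concern in the question is that nothing in /home/uploads is reachable except through this script, so the visibility rule for private pictures lives in one place (your session check before resolveUpload) instead of in filesystem permissions. Returning the same 404 for "not found" and "not allowed" also avoids confirming which file names exist.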
You could also use .htaccess to deny access to folders except those that you permit. At least I did same with mine and directories that are not listed for access in the .htaccess are not available to users.
Another safe way is to use a folder outside /public_html/
Directories outside this folder can hardly be accessed externally.
See an example here: http://mattpotts.com/portal/
I put an includeme.htm in each directory on the required path to find the point of failure. It works fine on my local machine (windows) with the same directory structure but fails on my remote (linux) server.
Directory structure:
+-firefli/ drwx--x--x
+-private_html/ drwx------
+-foo/ drwxr-xr-x
+-bar/ drwxr-xr-x
+-portal/ drwxr-wr-w
+-public_html/ drwxr-wr-w
+-foo/ drwxr-wr-w
+-portal/ drwxr-wr-w
The permissions confirm that it's the private_html directory causing the trouble. Hopefully you can see the purpose of the directory structure, I don't know if it's a common way of doing things but it works for me. Well, until now.
I've gone a very long way around asking it but my question is simply this: is there anything wrong with setting private_html to be drwxr-xr-x? Given that I do not want it to be accessible via the web. But the permissions shouldn't do that should they? Because it's apache making the public_html directory accessible via http.
You shouldn't need to block out web users with folder/file permissions on private_html, as it's outside the web root. As you say, web users can only get to stuff in public_html
For future debugging speed, if you have a relative web path you can convert it to a real path using realpath:
$path = realpath('../../private_html');
// $path is now /public_html/foo/private.html or whatever
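Putting an includeme.htm in every directory, as the question describes, works but is slow. The earlier cPanel answer also left the reader to work out why a require() of a file in another account fails (permissions or open_basedir). Below is an added example, not code from any answer on this page, that does the same walk in one script: it prints open_basedir and the uid/gid PHP runs as, then for each directory on the way to the target reports whether that uid can traverse it (the execute bit the last answer mentions) and finally whether the file itself is readable. It assumes a Linux host; the path in the usage comment is made up.

```php
<?php
// Added example, not code from any answer on this page. Given a path that a
// require() or include is failing on, this reports open_basedir, the uid/gid
// PHP runs as, and for each directory on the way down whether that uid can
// traverse it, then whether the file itself is readable. Assumes a Linux host;
// the example path in the usage comment is made up.
declare(strict_types=1);

/**
 * Returns one report line per path component, stopping at the first failure.
 */
function diagnosePath(string $target): array
{
    $lines = [];
    $ob = ini_get('open_basedir');
    $lines[] = 'open_basedir : ' . ($ob === false || $ob === '' ? '(not set)' : $ob);
    $lines[] = 'process      : uid ' . getmyuid() . ' gid ' . getmygid();

    // realpath() needs every component to be traversable; when it fails we fall
    // back to the literal path so the walk below can show where it breaks.
    $resolved = realpath($target);
    if ($resolved === false) {
        $resolved = ($target !== '' && $target[0] === '/') ? $target : getcwd() . '/' . $target;
        $lines[] = 'realpath     : (unresolvable, walking ' . $resolved . ')';
    } else {
        $lines[] = 'realpath     : ' . $resolved;
    }

    $parts  = array_values(array_filter(explode('/', $resolved), 'strlen'));
    $prefix = '';
    $last   = count($parts) - 1;
    foreach ($parts as $i => $part) {
        $prefix .= '/' . $part;
        $stat = @stat($prefix);   // false: missing, or a parent dir / open_basedir blocks it
        if ($stat === false) {
            $lines[] = sprintf('%-45s NOT FOUND or not permitted (stop)', $prefix);
            break;
        }
        $isFile = ($i === $last);
        $ok     = $isFile ? is_readable($prefix) : is_executable($prefix);
        $lines[] = sprintf('%-45s mode %04o uid %d gid %d  %s %s',
            $prefix, $stat['mode'] & 07777, $stat['uid'], $stat['gid'],
            $isFile ? 'read' : 'traverse', $ok ? 'OK' : 'DENIED');
        if (!$ok) {
            break;
        }
    }
    return $lines;
}

// Usage (CLI, run as the same user the web server uses, e.g. via sudo -u www-data):
//   php diagnose.php /home/firefli/private_html/portal/config.php
$target = $argv[1] ?? __FILE__;
echo implode(PHP_EOL, diagnosePath($target)), PHP_EOL;
```

Run it as the web server's user, not your own shell user, or the traverse results will not match what Apache sees. For the directory tree in the question, the first line marked DENIED is the component whose mode needs the execute bit for the web server's user or group, which is exactly what the private_html entry with drwx------ produces when Apache runs as a different user.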
Well, if you have set up your DocumentRoot correctly to point to public_html, it won't be accessible from the web, no matter what permissions you put on it.
The private_html directory is not accessible from the web without you putting in a .htaccess file that would redirect to it. If you don't know what that means/how to do that, you are safe.
You should be fine setting these permissions to whatever your script needs.
What are the user:group for private_html? The web server needs to be either a member of the group or the owner of the file. In order to read the directory contents, the directory needs to have the execute permission for the webserver to open it. Essentially they should have the same user:group as public_html. You just want to disallow the write permission to the webserver. If you have set your document root to public_html, private_html is not accessible via the web no matter what the permissions. Also, I always use realpath on the path arguments to any file operation.