TL:DR Will permission 444 on a folder restrict access for a web user and browser?
I have a webserver with a root catalog that is accessible from the web. I can't access any folders higher up in the hiearchy, I only have control of the root folder and down.
Lets say I have the following folder structure:
includes
includes\database.php
admin
admin\index.php
I want the includes folder to follow these rules:
Accessible from within the server, so "admin/index.php" can include "includes/database.php"
Accessible via FTP, so I can access and edit the folder and files.
NOT Accessible by a user from the web.
Can I solve this by setting "includes" and all subfolders/files with permission 444? If so, is there a known way to bypass this access-rule or is it safe to use?
If you want to keep assets safe from web access you need to move them outside of your web root. Typically one level below your web root is used. This way they are still accessible via FTP and your code but not to web requests.
Related
I'd like to know how i can go about denying direct web access to configuration files of application whilst allowing php to access them.
I know most answers would suggest to put the includes outside the public_html directory. But I really don't think it's that efficient.
Thanks.
PHP just uses the file system to access files where web users usually go through apache and that verifies a .htaccess file. So just place that file that contains deny from all into that directory and voilla.
I have a server hosted by Altervista. Now since I don't want a file that I manage to be accessed by visitors, I wanted to put it outside of the root directory. I thought /var/www/ would work but it doesn't, or maybe I can't access at it.
Do you know how I can avoid users to access this file?
You could protect files in a subdirectory of your /var/www with a password via .htaccess and .htpasswd files in the subdirectory (procedure described here https://davidwalsh.name/password-protect-directory-using-htaccess, e.g.).
In CI user guide there is such line:
You'll need a destination folder for your uploaded images. Create a
folder at the root of your CodeIgniter installation called uploads and
set its file permissions to 777.
How secure is it when I am developing real web application? For example: social network and I want to upload user's profile pictures. I think I will have privacy problems when user's will want to upload private pictures.
depending on the level of security you want, 777 might not be the best option (it's the simplest). The user the webserver runs as much have rwx to the folder, and if you want to be truly secure, the folder should not be under your webroot.
That means, if the web files are in /home/mysite/ ( eg /home/mysite/index.html maps to http://mydomain.com/index.html ) then the upload folder should be /home/uploads .
You application can use code to access the files via the system path ( /home/uploads ) but noone from the internet can directly access it that way.
Alternatively, if you cannot do the above ( eg because you're on a shared host ) you can use .htaccess (placed in the upload folder) for the same effect, by placing these rules :
Deny from all
Options None
Options +FollowSymLinks
( note that again, your app will need to use the system path, since Apache wont be able to serve these files directly ).
You could also use .htaccess to deny access to folders except those that you permit. At least I did same with mine and directories that are not listed for access in the .htaccess are not available to users.
Another safe way is to use a folder outside /public_html/
Directories outside this folder can hardly be accessed externally.
Sorry if this is a trivial question.
I am a kind of new to PHP and I'm creating a project from scratch. I need to store my application logs (generated using log4php) as files, and I don't want them to be public.
They are now stored in a subfolder under my PHP application folder, (/myAppFolder/logs) so they are served by Apache.
Where shall I store them, or what shall I do to keep them away from being served as content by Apache?
You can either have them in a directory above the root, or, if you're on shared host/ can't have the files above the root for whatever reason, you can have them in a directory that denies all HTTP access.
So you could have a folder called "secret_files" with a .htaccess file sitting inside:
.htaccess:
deny from all
Which will prevent HTTP access to files/subfolders in that folder.
Somewhere not under the public root!?
This is more a server config question as it depends on your server, but in apache you could use the custom log directives to set the location, so if you have
/www/myapp
Create
/www/log
and put them there instead. You need control over the config to do this so look up your web hosts docs to find out how.
See an example here: http://mattpotts.com/portal/
I put an includeme.htm in each directory on the required path to find the point of failure. It works fine on my local machine (windows) with the same directory structure but fails on my remote (linux) server.
Directory structure:
+-firefli/ drwx--x--x
+-private_html/ drwx------
+-foo/ drwxr-xr-x
+-bar/ drwxr-xr-x
+-portal/ drwxr-wr-w
+-public_html/ drwxr-wr-w
+-foo/ drwxr-wr-w
+-portal/ drwxr-wr-w
The permissions confirm that it's the private_html directory causing the trouble. Hopefully you can see the purpose of the directory structure, I don't know if it's a common way of doing things but it works for me. Well, until now.
I've gone a very long way around asking it but my question is simply this: is there anything wrong with setting private_html to be drwxr-xr-x? Given that I do not want it to be accessible via the web. But the permissions shouldn't do that should they? Because it's apache making the public_html directory accessible via http.
You shouldn't need to block out web users with folder/file permissions on private_html, as it's outside the web root. As you say, web users can only get to stuff in public_html
For future debugging speed, if you have a relative web path you can convert it to a real path using realpath:
$path = realpath('../../private_html');
// $path is now /public_html/foo/private.html or whatever
Well, if you have set up your DocumentRoot correctly to point to public_html, it won't be accessible from the web, no matter what permissions you put on it.
The Private HTMl is not accessible from the web without you putting in a .htaccess file that would redirect it. If you don't know what that means/how to do that, you are safe.
You should be fine setting these permissions to whatever your script needs.
what are the user:group for private_html? The web server needs to be either a member of the group or the owner of the file. In order to read the directory contents the dirctory needs to have the execute permission for the webserver to open it. Essentially they should have the same user:group as public_html. You just want to disallow the write permission. tot he webserver. If you have set your document root to public_html private_html is not accessible via the web no matter what the permissions. Also, i always use realpath on the path arguments to and file operation.