I've seen a lot of questions on here regarding files not being accessible due to permissions with LAMP but nothing about making files unviewable by the http client using permissions.
I have files and folders in my Apache2 root folder that I don't want people to be able to access via their browser or by other external means. I set the permissions to 770, but this doesn't seem to be enough. Do outside users access files as the apache user?
I'm running LAMP under Ubuntu Server with little modifications to the defaults, thus my apache user is www-data, group is :www-data, and the apache root is /var/www.
I have a /var/www/_private folder that has 770 permissions and the same permissions on its enclosed files. However, if I access these files through a browser, they are still viewable. Are clients accessing my files as the www-data user? If so, how do I rectify this?
I've worked on hosted setups where setting the "other" permissions to 0 was sufficient for denying outside direct access to files. Do I need to install some extra module to gain this functionality?
Note: I still need my accessible-to-the-client PHP scripts to access these files via includes, fopen, etc...
Well, right, 770 means that the owner of the file and the group can read, write and execute it. I'm going to guess the Apache is the owner of that file, thus allowing it to access it and open it to the world.
Instead of modifying the permissions on the server, and possibly causing harm to the accessibility of the file, why don't you use an .htaccess file. It will instruct Apache to take actions in certain instances, like denying access to a file. Simply create the .htaccess file in the root of the website with
<Files {your file name here}>
deny from all
</Files>
and you'll deny everyone from accessing it with Apache.
And if you want to deny an entire directory:
<Directory /var/www/_private>
Order Deny,allow
Deny from all
</Directory>
Related
Context: I have some files on linux web server for example create_db.txt. They are using in my php scripts but now everyone can watch them by the direct link
http://url/create_db.txt
What is the right way to deny access to this files and still have opportunity to wright and read informations in them from php scripts. Thanks.
If you are using Apache you could restrict access to specific files by adding an .htaccess file in the web root:
<Files create_db.txt>
Order allow, deny
Deny from all
</ Files>
The Files section above would restrict access for all users to the create_db.txt file.
Running nginx the same could be achieved by adding the following to your configuration:
location ^~ /create_db.txt {
deny all;
}
Like stated in the other answer you really should consider moving the file to a directory outside of your webroot. Of course the webserver must be able to access this folder. This can be done by setting the correct permission on the folder and perhaps by changing the owner to that of the webserver. Something like this:
mkdir -m 755 -p /path/outside/webroot
mv create_db.txt /path/outside/webroot
chown -R <user>:<group> /path/outside/webroot
The best way would be to never put files that should not be accessible into files in your web root. Just put them in a folder outside. If this is not possible, put them in a specific folder and deny access through .htaccess or whatever your webserver accepts
I have a site and I want to create a log.txt file which includes all user logs.For example a user logged in anytime and logged out. That is to say,time which users logged in and out. I can make this with database but there would many rows and I don't want it. If I put log.txt file to /logs/log.txt,any user who writes domain.com/log/log.txt to address bar will see that file. How can I prevent this. (I use PHP)
It's true that you can hide files from website visitors using .htaccess, or by putting similar rules in other Apache configuration locations. But this kind of thing is not trivial, and it's easy to make mistakes. The best way to hide files from site visitors is through the directory structure of your project. For instance:
A directory www/ to contain all files website visitors DO need to visit directly with a browser. This will the the directory used as we website root in your Apache configuration. If browsers don't need to fetch a file, it should not be here.
Other directories, like logs/ for logs, lib/ for source code that gets included in your scripts, config/ for settings and configuration files, etc. Since they're not inside of the website root (www/), users cannot point their browsers at any of these files.
If you're on shared hosting, and they only give you one folder that is your website root, then you can't do this. I wouldn't purchase a hosting account from such a company, though, because there are plenty that DO let you put files outside your web root.
Use a .htaccess with
<Files "log.txt">
order deny,allow
deny from all
allow from 1.2.3.4
</Files>
Where 1.2.3.4 is your IP, if you want to be able to acces it from your browser via the site. Else remove that line, so you will only be able to access via FTP or script
You can prevent http access to your log folder by using an .htaccess file that contains
deny from all
Is it possible to scan /home/ directory with opendir and scandir. When i try to exec script it says permission denied what should i do?
<?php
$dir = '/home/';
$dirs = scandir($dir);
?>
<pre>
<?php print_r($dirs); ?>
</pre>
You can use is_readable('/home/') to check if you have permission. If not you'd need to make sure the directory has read privileges, probably 0755 (rwxr-xr-x)
For security, PHP defines a 'basedir', below which you are not allowed to access. As Aleks G says, there is also the file permissions to consider.
This question talks about how to get around basedir restrictions: How can I relax PHP's open_basedir restriction?
Tom Haigh's answer copied to here:
You can also do this easily on a per-directory basis using the Apache (assuming this is your web server) configuration file (e.g. httpd.conf)
<Directory /var/www/vhosts/domain.tld/httpdocs>
php_admin_value open_basedir "/var/www/vhosts/domain.tld/httpdocs:/var/www/vhosts/domain.tld/zend"
</Directory>
you can also completely remove the restriction with
<Directory /var/www/vhosts/domain.tld/httpdocs>
php_admin_value open_basedir none
</Directory>
I'm not a PHP programmer, but I think your problem is that when PHP tries the opendir, it is running with the same user ID as apache has, which may not have permission to read your /home directory.
You could fix that by altering the permissions on /home, or adding the apache userid to whatever group has group ownership of home.
Possibly it is a problem in your Apache configuration file. Even if the filesystem permissions would permit it, your httpd.conf file may not allow access to /home. That would usually be the case if all of your HTML files are in /var/www.
The httpd.conf might be set up to allow serving files out of your users' home directories. In that case the permission would be granted for directories within /home but not for /home itself.
The answer is in your question: it's a permission problem. Most likely, the process under which Apache is running does not have permission to read /home directory (or your usernamd, if running in CLI). Manually do this in a terminal:
ls -ld /home
and check the attributes.
I have a processing file for my website's payments. It works just fine, but what I would like to do is log all the requests to this page so that if anything throws an error, the raw data is saved and I can process the transaction manually. The processing file uses fopen to write to the log file in another directory.
What I have right now is a separate folder on my root directory with permissions 755. Then a log file inside with permissions 777. The processing file that writes to the log file, in PHP if that matters, is set to 777.
This works right now, but the log file is publicly available. I know I can be doing this better and that the permissions aren't correct. How can I do this better?
Put the log file outside the document root. The PHP script that writes to it will still be able to get to it (via the full path) but Apache won't be able to serve it.
I came across this whilst searching the answer for myself. I don't believe there is a simple "permissions fix" to do what you want and perhaps the safest way is to put the log files outside of public_html directory.
However this can be a nuisance sometimes - especially if you are wanting to e.g. catch paypal ipn dump text in a log file, but not have it publicly accessible.
In such cases, you can use .htaccess file directives to allow write from script, but deny reading from public access.
For example, this works for me (Apache .htaccess in root public_html folder);
<FilesMatch "mycustom\.log">
Order allow,deny
Deny from all
</FilesMatch>
and if you have multiple logs you want to protect, use it like this, with "Pipe Separated";
<FilesMatch "mycustom\.log|ipn_errors\.log">
Order allow,deny
Deny from all
</FilesMatch>
It is worth noting that the above directives are deprecated as of apache 2.4 and you may wish to consider using more current directives instead: https://httpd.apache.org/docs/2.4/howto/access.html
Hope that helps you!
I have a script giving me error 403 Forbidden error, it's just a copy of another script but the difference in this is that both use another mysql class to access database.
My whole project is complete and this is last file so I don't want to do the whole work again for a single file.
Server logs shows that client denied by server configuration:
What should I look for?
I have tried the following:
Permissions are 644
New file with just simple echo gives 403 too
Changed name of folder
However, index.php works perfectly.
Check the permissions and also ownership of the file. Generally, 403 means that the web server doesn't have the rights to read the file and therefore can't continue the request. The permissions may be set correctly, however the file might be owned by another account on the server - an account that isn't part of the same group as the account which is running the server.
For instance, I believe* Apache is ran by default under the httpd user account, which is part of the httpd group. However, the FTP user you're logging in as (for instance ftpuser) might not be part of the httpd group. So, in copying the file you've created it under a different user account and Apache won't get execute access with 644.
* it's been a while since I've used apache, but it's similar under nginx.
This isssue occurs if you have had denied for all in .htaccess file. Changing that resolves the issue.
I had the same problem. The .htaccess file in my root folder has this code:
<Files ~ "\.(php|php5|py|jsp|cgi|sh)$">
Require all denied
</Files>
But there was a folder /example where I needed to call php files, so I created a .htaccess file in that specific folder with this content:
<Files ~ "\.(php)$">
Require all granted
</Files>
Note: I am running Apache 2.4