Hiding files

Posted: Sat May 21, 2005 8:19 pm
by jaymoore_299
What is the most secure way to make a file accessible to myself only?
If the filename of the file in question is easily obtainable, but I set permissions on the file to owner only and use sessions with php, is there still a risk of the file being read/written?

Posted: Sat May 21, 2005 10:03 pm
by php_wiz_kid
Well, what kind of server are you running? You can set up some security so people can't read/write a file using .htpasswd, .htaccess, .htgroup. These run under Apache I think. I'm not sure if IIS supports this or not. Anyways, here's how to do it.

Create a .htaccess file. The first two lines tell where .htpasswd and .htgroup are located, and the third line is the title that will be in the password box that pops up to prompt users for their login. user-list is just the name of the group that has access; it's just a generic term.

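AuthUserFile /home/folder/.htpasswd
AuthGroupFile /home/folder/.htgroup
AuthName Graceland_Visitors
AuthType Basic
# No <Limit GET> wrapper here: it would enforce the login for GET only
# and leave POST and other request methods unprotected.
require group user-list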

Save this file, call it .htaccess and then ftp it up to the directory that you want to protect.

Create a .htgroup file. This file tells who is in the group "user-list". The syntax is simple: user-list: with a space between each of the users' names.

user-list: john joe dick harry jane spot ryan manos elvis

Save this file, call it .htgroup and ftp it up to the /home/folder directory.

Create a .htpasswd file. All of the passwords are encrypted, so you have to use a program called htpasswd to generate them. There are two ways to do this. One, if you have a shell and know how to use it, you can telnet to inch.com, log in and do the deed from your shell account by typing: htpasswd -c .htpasswd username to create the file and add "username" as the first user. The program will prompt you for a password, then verify by asking again. You will not see the password when entering it here, but it will appear in this syntax in the .htpasswd file, and you will not have to use the -c flag when writing subsequent passwords, since that creates the file .htpasswd. You can now ftp it up to the /home/folder directory.

If all this was gibberish to you proceed directly to STEP 4.

john:aRrw1zmSpdF9A
joe:xz/mhQzOO8.XI
dick:c0slBI3MevFaU
harry:KH8j2fHBVgFRU
jane:NfCH.9wsNc78I
spot:cQc9EGC.gD1Og
ryan:itlv3jZYGvj7s
manos:jEYnEJ3lX3j0Y
elvis:MpU4S/Lvr8KlE

Generate your passwords the easy way using the Inch Password Generator. Go to the password generator page and use it to make as many passwords as you need then cut and paste them into a text file. GO NOW

After you've finished cutting and pasting your file should look something like the file you see above. Now ftp it up to the /home/elvis directory where your .htgroup file is located. Now you can give it a try. Go to the URL of the directory and this window should pop up:

Now if everything was done correctly then you should be immediately authenticated and allowed to enter the site. If it refuses you, you probably made a mistake, most likely in the path to the .htpasswd and .htgroup file in your .htaccess file.

If you want to remove a user, then simply use the text editor you assembled your .htpasswd file with to remove that user and his password.

I hope this helps

Posted: Sat May 21, 2005 11:22 pm
by hongco
You can set up login/password via control panel; I know cpanel has it.

Posted: Sun May 22, 2005 12:07 am
by php_wiz_kid
But if you're wanting to distribute your script over several servers then you can't rely on CPanel or any other admin panel system.

Re: Hiding files

Posted: Sun May 22, 2005 6:52 am
by timvw
jaymoore_299 wrote: What is the most secure way to make a file accessible to myself only?
If the filename of the file in question is easily obtainable, but I set permissions on the file to owner only and use sessions with php, is there still a risk of the file being read/written?
Assuming the webserver/php is not running under the same uid as you, nobody but you (and root/uid=0) should be able to read/write/execute the file.
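An added example, not part of any post in this thread: a shell check for the condition in the last answer, namely that the file carries owner-only permission bits and that its owner is not the uid the web server/PHP runs as. The function name check_private and the account name www-data are assumptions; root (uid 0) can still read the file whatever this reports.

```shell
#!/bin/sh
# Added example, not from the thread.
# check_private FILE WEB_UID
#   FILE     file that should be readable/writable by its owner only
#   WEB_UID  numeric uid the web server / PHP runs as (assumption: the
#            caller looks it up, e.g. with `id -u www-data`)
# Return: 0 owner-only and not owned by WEB_UID
#         1 group or other permission bits are set
#         2 not a regular file
#         3 owned by WEB_UID, so any PHP script on the server can open it
#         4 an ACL is attached (mode bits alone do not decide access)
check_private() {
    file=$1
    web_uid=$2
    [ -f "$file" ] || { echo "not a regular file: $file"; return 2; }

    # ls -ldn: field 1 is the mode string, field 3 the numeric owner uid
    info=$(ls -ldn -- "$file" | awk '{print $1, $3}')
    mode=${info% *}
    owner_uid=${info#* }

    # A trailing "+" on the mode string marks an attached ACL
    case $mode in
        *+) echo "ACL present on $file, inspect it with getfacl"; return 4 ;;
    esac
    # Characters 5-10 of the mode string are the group and other bits
    case $mode in
        ????------*) ;;
        *) echo "group/other bits set ($mode): chmod 600 $file"; return 1 ;;
    esac
    if [ "$owner_uid" -eq "$web_uid" ]; then
        echo "$file is owned by the web server uid $web_uid"
        return 3
    fi
    echo "$file: owner-only (uid $owner_uid), web uid $web_uid has no access"
    return 0
}

# Stand-alone use: sh check_private.sh /path/to/file "$(id -u www-data)"
if [ "$#" -ge 2 ]; then
    check_private "$1" "$2"
fi
```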