CHMOD to protect web files from direct access?
Is it possible to use CHMOD permissions to prevent web users from directly accessing files (like videos and images) but still allow your HTML/PHP pages to access them and serve them up? (Not using a script, just still using <img src="...">) So the files would be in a web-accessible path (public_html/images/pic.gif), but still not be accessible.
I've done some searching on this but didn't find any information, which probably means it's not possible.
If this is true, then is the only other option to have the files outside of the web-accessible path, and call it from a PHP script?
Thanks for any information you can offer.
Re: CHMOD to protect web files from direct access?
target wrote: If this is true, then is the only other option to have the files outside of the web-accessible path, and call it from a PHP script?
Bingo!
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Quote: Is it possible to use CHMOD permissions to prevent web users from directly accessing files (like videos and images) but still allow your HTML/PHP pages to access them and serve them up? (Not using a script, just still using <img src="...">) So the files would be in a web-accessible path (public_html/images/pic.gif), but still not be accessible.
I'm not sure what you're asking...
Yes: You can store your files in a web accessible path and not have them ever be accessible. You simply need to change the CHMOD READ permissions to ZERO.
No: They will not be accessible by your HTML, but they *can* be accessible by your PHP.
I have to ask, what is it exactly you are trying to accomplish?
You don't need .htaccess to protect files in your document root, you can use CHMOD but it may require some environment tweaking.
So what I'd like to do is have files like FLV Flash Videos inside a directory that is in a "web-accessible" path (http://mysite.com/protected/video.flv) but protected by CHMOD or .htaccess so people can't directly download by just going to the URL, but they can access it from a webpage by straight HTML:
<embed src="video_player.swf?file=/protected/video.flv"></embed>
Is this possible?
- alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
OP I'm still missing something...
Yes you can protect a file from publicly being accessed...make its read permissions ZERO. Try it!
If you need to access the file for restricted users, then you need to use PHP and run PHP under a user other than Apache. The PHP script will read the contents and return the file, but the script is still accessed via HTTP.
It's probably best to store files like that outside the document root...not because CHMOD is less secure BUT when you access a file which you cannot access you are told the file exists but is inaccessible...at least you don't get that kind of feedback when storing files in docroot.
Ideally I would say store your files in a DB...in case you're on a shared host that's about the safest way to store sensitive data.
target wrote: ...protected by CHMOD or .htaccess so people can't directly download by just going to the URL, but they can access it from a webpage by straight HTML:
<embed src="video_player.swf?file=/protected/video.flv"></embed>
Is this possible?
No way!
And forget about using CHMOD - it is not meant to be used for that kind of protection.
You need application-level protection - by using a PHP script like this: viewtopic.php?t=72665&highlight=.
If you are not permitted to put protected files outside web root, then protect them by using .htaccess file in their directory:
Code:
<files "*.*">
Deny from All
</files>
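An added example (not code from this thread or from the linked topic) of the application-level approach described above: the media sits outside the document root and a PHP script checks the session before streaming it. The directory layout, the `serve.php` name and the `user_id` session key are assumptions; it needs PHP 7 or later.

```php
<?php
// Added example, not code from the thread. Assumed (hypothetical) layout:
//   /home/site/public_html/serve.php   <- this script, web-accessible
//   /home/site/protected/video.flv     <- media, outside the document root
// Assumed: your own login code sets $_SESSION['user_id'].
session_start();

// 1. Application-level check: only logged-in users get any file.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Accept a bare file name only; basename() drops any directory part,
//    so "../../etc/passwd" becomes "passwd".
$name  = basename((string)($_GET['file'] ?? ''));
$ext   = strtolower(pathinfo($name, PATHINFO_EXTENSION));
$types = ['flv' => 'video/x-flv', 'gif' => 'image/gif', 'jpg' => 'image/jpeg'];

// 3. Resolve symlinks and confirm the result is still inside the base dir.
$baseDir = realpath(__DIR__ . '/../protected');
$path    = realpath($baseDir . DIRECTORY_SEPARATOR . $name);

// Same 404 for "missing", "wrong type" and "outside the base dir", so the
// response does not reveal whether a given file exists.
if ($baseDir === false || $path === false || !isset($types[$ext])
    || strpos($path, $baseDir . DIRECTORY_SEPARATOR) !== 0
    || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// 4. Stream the file with an explicit type taken from the allow-list.
header('Content-Type: ' . $types[$ext]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The page would then reference `serve.php?file=video.flv` in place of `/protected/video.flv`. Any file the player can fetch this way can also be fetched directly by the logged-in user's browser, so the check limits who can download, not whether they can.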
- beyondthegrave
- Forum Newbie
- Posts: 2
- Joined: Thu Oct 18, 2007 9:46 am
I used your HTACCESS code:
Code:
<files "*.*">
Deny from All
</files>
Using the HTACCESS method, it also blocks the webpage from serving up the video. My "videoplayer.swf?file=myvid.flv" now can't serve the FLV video (the FLV videos are stored in the HTACCESS protected directory, while the videoplayer.swf is outside, so it is accessible).
Is there any way to tweak that HTACCESS code so the webpage can still serve up the video, but users can't just visit the video's link directly to download?
Thanks for any help you can offer.
- alex.barylski
- DevNet Evangelist
- Posts: 6267
- Joined: Tue Dec 21, 2004 5:00 pm
- Location: Winnipeg
Quote: And forget about using CHMOD - it is not meant to be used for that kind of protection.
I'm curious as to why you feel this way? Other than requiring a more advanced server environment (having PHP run under something other than Apache and not as a CGI module) I would figure that Kernel level file security is certainly better than web server level offered by Apache.
If Apache was exploited would that not render .htaccess potentially useless?
I assume this happens enough to cause concern as most web server setups have Apache run under user: nobody as opposed to root.
Just curious.
1. Because I prefer to have write protection instead of *some* read protection ...
E.g.:
2. Your suggestion is not applicable (or at least not very useful) in shared hosting environment, because usually files are owned by the FTP user, not the Apache user.
E.g.:
Code:
chown root:root
chmod 0644