CHMOD to protect web files from direct access?


target
Forum Newbie
Posts: 7
Joined: Thu Oct 18, 2007 9:47 am

Post by target »

Is it possible to use CHMOD permissions to prevent web users from directly accessing files (like videos and images) but still allow your HTML/PHP pages to access them and serve them up? (Not using a script, just still using <img src="...">) So the files would be in a web-accessible path (public_html/images/pic.gif), but still not be accessible.

I've done some searching on this but didn't find any information, which probably means it's not possible.

If this is true, then is the only other option to have the files outside of the web-accessible path, and call it from a PHP script?

Thanks for any information you can offer.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Re: CHMOD to protect web files from direct access?

Post by s.dot »

target wrote:If this is true, then is the only other option to have the files outside of the web-accessible path, and call it from a PHP script?
Bingo! :)
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

You can also use .htaccess to block access to the protected directory. However, I'd go with "Bingo" ;)
target
Forum Newbie
Posts: 7
Joined: Thu Oct 18, 2007 9:47 am

Post by target »

But if I use .htaccess to protect that directory, would my HTML/PHP pages be able to reference protected files through normal <img src="/protected/image.jpg" /> tags?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

I think Jcart suggests using an .htaccess file instead of moving the protected media outside web root. You still need to use scottayy's "Bingo" :)
There are 10 types of people in this world, those who understand binary and those who don't
target
Forum Newbie
Posts: 7
Joined: Thu Oct 18, 2007 9:47 am

Post by target »

But the question is, if I use .htaccess to protect some images, will HTML pages outside that directory be able to call those images? Or will it prompt them for the login?
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

target wrote:Is it possible to use CHMOD permissions to prevent web users from directly accessing files (like videos and images) but still allow your HTML/PHP pages to access them and serve them up? (Not using a script, just still using <img src="...">) So the files would be in a web-accessible path (public_html/images/pic.gif), but still not be accessible.
I'm not sure what you're asking...

Yes: You can store your files in a web accessible path and not have them ever be accessible. You simply need to change the CHMOD READ permissions to ZERO.

No: They will not be accessible by your HTML, but they *can* be accessible by your PHP.

I have to ask, what is it exactly you are trying to accomplish?

You don't need .htaccess to protect files in your document root, you can use CHMOD but it may require some environment tweaking.
target
Forum Newbie
Posts: 7
Joined: Thu Oct 18, 2007 9:47 am

Post by target »

So what I'd like to do is have files like FLV Flash Videos inside a directory that is in a "web-accessible" path (http://mysite.com/protected/video.flv) but protected by CHMOD or .htaccess so people can't directly download by just going to the URL, but they can access it from a webpage by straight HTML:

<embed src="video_player.swf?file=/protected/video.flv"></embed>

Is this possible?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Only if you go through a script to control access.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

OP I'm still missing something...

Yes you can protect a file from publicly being accessed...make its read permissions ZERO. Try it!

If you need to access the file for restricted users, then you need to use PHP and run PHP under a user other than Apache. The PHP script will read the contents and return the file, but the script is still accessed via HTTP.

It's probably best to store files like that outside the document root...not because CHMOD is less secure BUT when you access a file which you cannot access you are told the file exists but is inaccessible...at least you don't get that kind of feedback when storing files in docroot.

Ideally I would say store your files in a DB...in case you're on a shared host that's about the safest way to store sensitive data.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

target wrote:...protected by CHMOD or .htaccess so people can't directly download by just going to the URL, but they can access it from a webpage by straight HTML:

<embed src="video_player.swf?file=/protected/video.flv"></embed>

Is this possible?
No way!

And forget about using CHMOD - it is not meant to be used for that kind of protection.
You need an application level protection - by using PHP script like this: viewtopic.php?t=72665&highlight=.
If you are not permitted to put protected files outside web root, then protect them by using .htaccess file in their directory:

Code:

<files "*.*">
Deny from All
</files>
beyondthegrave
Forum Newbie
Posts: 2
Joined: Thu Oct 18, 2007 9:46 am

Post by beyondthegrave »

I used your HTACCESS code:

Code:

<files "*.*">
Deny from All
</files>

Using the HTACCESS method, it also blocks the webpage from serving up the video. My "videoplayer.swf?file=myvid.flv" now can't serve the FLV video (the FLV videos are stored in the HTACCESS protected directory, while the videoplayer.swf is outside, so it is accessible).

Is there any way to tweak that HTACCESS code so the webpage can still serve up the video, but users can't just visit the video's link directly to download?

Thanks for any help you can offer.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

No. As has been said multiple times you will need to use an intermediate script to handle the security. You can no longer directly request the files in Flash or anything else that isn't on the server. Yes, Flash is not running off the server.
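
The intermediate script recommended throughout this thread could look like the following. This is an added example, not code posted by any participant; the file name serve_media.php, the MEDIA_DIR path, the type list and the `$_SESSION['user_id']` key are assumptions. The page or player then points at serve_media.php?file=video.flv instead of the file's own URL.

```php
<?php
// serve_media.php: added example. Paths, names and the session key are assumptions.
declare(strict_types=1);

// Assumption: media is stored outside the document root, or in a directory
// closed off with "Deny from All", so this script is the only way to reach it.
const MEDIA_DIR = '/home/example/private_media';   // hypothetical path
const ALLOWED_TYPES = [                             // extension => Content-Type
    'flv' => 'video/x-flv',
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
];

/** Map a client-supplied name to a real file directly inside $baseDir, or null. */
function resolve_media(string $name, string $baseDir = MEDIA_DIR): ?string
{
    $name = basename($name);            // "../../etc/passwd" becomes "passwd"
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (strpos($name, "\0") !== false || !array_key_exists($ext, ALLOWED_TYPES)) {
        return null;                    // NUL byte or a type we do not serve
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);   // false if missing; follows symlinks
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // A symlink may point elsewhere: the resolved file must still sit in $base.
    return dirname($path) === $base ? $path : null;
}

session_start();
// Assumption: the site's login code sets $_SESSION['user_id'] on success.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Forbidden');
}
$requested = $_GET['file'] ?? '';
$path = is_string($requested) ? resolve_media($requested) : null;
if ($path === null) {
    http_response_code(404);            // same reply for "missing" and "not allowed"
    exit('Not found');
}
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . (ALLOWED_TYPES[$ext] ?? 'application/octet-stream'));
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```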
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

VladSun wrote:And forget about using CHMOD - it is not meant to be used for that kind of protection.
I'm curious as to why you feel this way? Other than requiring a more advanced server environment (having PHP run under something other than Apache and not as a CGI module) I would figure that Kernel level file security is certainly better than web server level offered by Apache.

If Apache was exploited would that not render .htaccess potentially useless?

I assume this happens enough to cause concern as most web server setups have Apache run under user: nobody as opposed to root.

Just curious.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Post by VladSun »

1. Because I prefer to have write protection instead of *some* read protection ...

E.g.:

Code:

chown root:root
chmod 0644
2. Your suggestion is not applicable (or at least not very useful) in shared hosting environment, because usually files are owned by the FTP user, not the Apache user.