CHMOD to protect web files from direct access?

Posted: Thu Oct 18, 2007 9:55 am
by target
Is it possible to use CHMOD permissions to prevent web users from directly accessing files (like videos and images) but still allow your HTML/PHP pages to access them and serve them up? (Not using a script, just still using <img src="...">) So the files would be in a web-accessible path (public_html/images/pic.gif), but still not be accessible.

I've done some searching on this but didn't find any information, which probably means it's not possible.

If this is true, then is the only other option to have the files outside of the web-accessible path, and call it from a PHP script?

Thanks for any information you can offer.

Re: CHMOD to protect web files from direct access?

Posted: Thu Oct 18, 2007 10:13 am
by s.dot
target wrote: If this is true, then is the only other option to have the files outside of the web-accessible path, and call it from a PHP script?
Bingo! :)

Posted: Thu Oct 18, 2007 12:05 pm
by John Cartwright
You can also use .htaccess to block access to the protected directory. However, I'd go with "Bingo" ;)

Posted: Mon Oct 22, 2007 8:37 am
by target
But if I use .htaccess to protect that directory, would my HTML/PHP pages be able to reference protected files through normal <img src="/protected/image.jpg" /> tags?

Posted: Mon Oct 22, 2007 9:56 am
by VladSun
I think Jcart suggests using a .htaccess file instead of moving the protected media outside the web root. You still need to use scottayy's "Bingo" :)

Posted: Wed Oct 24, 2007 10:03 am
by target
But the question is, if I use .htaccess to protect some images, will HTML pages outside that directory be able to call those images? Or will it prompt them for the login?

Posted: Wed Oct 24, 2007 11:33 am
by alex.barylski
Is it possible to use CHMOD permissions to prevent web users from directly accessing files (like videos and images) but still allow your HTML/PHP pages to access them and serve them up? (Not using a script, just still using <img src="...">) So the files would be in a web-accessible path (public_html/images/pic.gif), but still not be accessible.
I'm not sure what you're asking...

Yes: You can store your files in a web accessible path and not have them ever be accessible. You simply need to change the CHMOD READ permissions to ZERO.

No: They will not be accessible by your HTML, but they *can* be accessible by your PHP.

I have to ask, what is it exactly you are trying to accomplish?

You don't need .htaccess to protect files in your document root, you can use CHMOD but it may require some environment tweaking.

Posted: Wed Oct 24, 2007 3:33 pm
by target
So what I'd like to do is have files like FLV Flash Videos inside a directory that is in a "web-accessible" path (http://mysite.com/protected/video.flv) but protected by CHMOD or .htaccess so people can't directly download by just going to the URL, but they can access it from a webpage by straight HTML:

<embed src="video_player.swf?file=/protected/video.flv"></embed>

Is this possible?

Posted: Wed Oct 24, 2007 4:48 pm
by feyd
Only if you go through a script to control access.

Posted: Wed Oct 24, 2007 5:39 pm
by alex.barylski
OP I'm still missing something...

Yes you can protect a file from publicly being accessed...make its read permissions ZERO. Try it!

If you need to access the file for restricted users, then you need to use PHP and run PHP under a user other than Apache. The PHP script will read the contents and return the file, but the script is still accessed via HTTP.

It's probably best to store files like that outside the document root...not because CHMOD is less secure BUT when you access a file which you cannot access you are told the file exists but is inaccessible...at least you don't get that kind of feedback when storing files in docroot.

Ideally I would say store your files in a DB...in case you're on a shared host, that's about the safest way to store sensitive data.

Posted: Thu Oct 25, 2007 4:06 am
by VladSun
target wrote: ...protected by CHMOD or .htaccess so people can't directly download by just going to the URL, but they can access it from a webpage by straight HTML:

<embed src="video_player.swf?file=/protected/video.flv"></embed>

Is this possible?
No way!

And forget about using CHMOD - it is not meant to be used for that kind of protection.
You need an application level protection - by using PHP script like this: viewtopic.php?t=72665&highlight=.
If you are not permitted to put protected files outside web root, then protect them by using .htaccess file in their directory:

<files "*.*">
Deny from All
</files>

Posted: Fri Oct 26, 2007 9:11 am
by beyondthegrave
I used your HTACCESS code:

<files "*.*">
Deny from All
</files>

Using the HTACCESS method, it also blocks the webpage from serving up the video. My "videoplayer.swf?file=myvid.flv" now can't serve the FLV video (the FLV videos are stored in the HTACCESS protected directory, while the videoplayer.swf is outside, so it is accessible).

Is there any way to tweak that HTACCESS code so the webpage can still serve up the video, but users can't just visit the video's link directly to download?

Thanks for any help you can offer.

Posted: Fri Oct 26, 2007 9:33 am
by feyd
No. As has been said multiple times you will need to use an intermediate script to handle the security. You can no longer directly request the files in Flash or anything else that isn't on the server. Yes, Flash is not running off the server.
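
The intermediate script the replies above keep pointing to, sketched as an added example that is not part of any post in this thread: the media lives outside the web root and every request passes an access check before a byte is sent. The storage path, the `user_id` session key, the MIME table and the idea of requesting it as `video.php?file=video.flv` are assumptions made for illustration.

```php
<?php
// Added example (not from the thread): gatekeeper for media stored outside
// the document root. MEDIA_DIR and the 'user_id' session key are hypothetical.
declare(strict_types=1);

const MEDIA_DIR  = '/home/example/private_media';   // not under public_html
const MIME_TYPES = ['flv' => 'video/x-flv', 'jpg' => 'image/jpeg', 'gif' => 'image/gif'];

/** Map a requested name to a real file inside $baseDir, or null if not allowed. */
function resolve_media(string $name, string $baseDir): ?string
{
    // basename() drops any directory part, so "../../etc/passwd" becomes "passwd".
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . basename($name));
    $base = realpath($baseDir);
    if ($real === false || $base === false) {
        return null;                                 // missing file or directory
    }
    // realpath() follows symlinks; refuse anything that lands outside $baseDir.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    return (is_file($real) && isset(MIME_TYPES[$ext])) ? $real : null;
}

session_start();
if (empty($_SESSION['user_id'])) {                   // the access decision lives here
    http_response_code(403);
    exit('Forbidden');
}

$requested = $_GET['file'] ?? '';
$path = is_string($requested) ? resolve_media($requested, MEDIA_DIR) : null;
if ($path === null) {
    http_response_code(404);                         // same reply for missing and disallowed
    exit('Not found');
}

$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . MIME_TYPES[$ext]);
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);                                     // stream the file to the client
```

The page then embeds the player with the script URL in place of the direct file path, so the browser or Flash client only ever talks to the gatekeeper.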

Posted: Fri Oct 26, 2007 12:51 pm
by alex.barylski
And forget about using CHMOD - it is not meant to be used for that kind of protection.
I'm curious as to why you feel this way? Other than requiring a more advanced server environment (having PHP run under something other than Apache and not as a CGI module) I would figure that Kernel level file security is certainly better than web server level offered by Apache.

If Apache was exploited would that not render .htaccess potentially useless?

I assume this happens enough to cause concern as most web server setups have Apache run under user: nobody as opposed to root.

Just curious.

Posted: Fri Oct 26, 2007 2:09 pm
by VladSun
1. Because I prefer to have write protection instead of *some* read protection ...

E.g.:

chown root:root
chmod 0644

2. Your suggestion is not applicable (or at least not very useful) in shared hosting environment, because usually files are owned by the FTP user, not the Apache user.