Restrict access to all but a few files and directories

Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

I've got a directory set up like this:

Code:

/mm5
    /5.00
        /modules
        /some other irrelevant stuff
    /public
        /images
        /styles
        /scripts
        /graphics
            /en-US
    merchant.mvc
    admin.mvc
    sometherfiles.mvc
    something_else.mvc

I want to restrict access to every file and folder except merchant.mvc, admin.mvc, and /public (as well as EVERYTHING under it). Everything else should be accessible to each other, but not to the general public. How do you recommend doing this?

The server is Apache. I'm not sure which version; it's a shared host.

timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

- I'd probably write a little bash script that first gives only me (the user) rights
- then I would grant rights to apache to traverse the directories
- then I would grant rights to apache to read files (and perhaps a couple of directories for listing purposes)

e.g.:

Code:

#!/bin/bash
BASEDIR=/somewhere/username
WEBDIR="$BASEDIR/web"

# give user all rights (and remove rights from others)
chmod 700 "$BASEDIR"
find "$BASEDIR" -type d -exec chmod 700 {} \;
find "$BASEDIR" -type f -exec chmod 600 {} \;

# allow user to run scripts in bin
find "$BASEDIR/bin" -type f -exec chmod u+x {} \;

# gradually add rights so www-data can access webfiles
chmod g+x "$BASEDIR"
chmod g+x "$WEBDIR"
chmod o+x "$WEBDIR/private"
chmod o+r "$WEBDIR/private/.htpasswd"
chmod o+r "$WEBDIR/private/timvwblog.php"
chmod o+rx "$WEBDIR/www.timvw.be"
find "$WEBDIR/www.timvw.be" -type f -exec chmod o+r {} \;
find "$WEBDIR/www.timvw.be" -type d -exec chmod o+x {} \;

#chmod o+x "$WEBDIR/www.timvw.be/cgi-bin"
#find "$WEBDIR/www.timvw.be/cgi-bin" -type f -exec chmod o-r {} \;
#find "$WEBDIR/www.timvw.be/cgi-bin" -type d -exec chmod o-x {} \;
#find "$WEBDIR/www.timvw.be/cgi-bin" -maxdepth 1 -type f -exec chmod u+x {} \;
chmod u+x "$WEBDIR/www.timvw.be/cgi-bin/something/blah.pl"

But I would really recommend placing all this in a script (this way, you can easily re-apply the rights, possibly via a cron job...)

Post by Luke »

Even if I give a file 400 access (only read access to owner), you can still reach this file in a web browser. For some reason I just can't seem to fully grasp file permissions and who owns what and why. :(

EDIT: I was thinking something like:

Code:

deny from all

but that won't work for specific files, will it?

Hrmm... it is so frustrating being a server/apache n00b. I need a book.
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario

Post by nickvd »

You could always lock down everything like you said (deny from all) and then use a <FilesMatch> directive to open up what you need.
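
The approach suggested above, written out for the directory layout in the first post. This is an added example, not part of the original thread. It assumes the shared host honors .htaccess files for access control (AllowOverride permitting it); because the Apache version is unknown, both the 2.4 and the 2.2 syntax are given, selected by whether mod_authz_core is loaded.

```apache
# ---- /mm5/.htaccess (constructed for the layout in the first post) ----
# Default: refuse every HTTP request for this directory and everything below it
# (/5.00, the other .mvc files, ...). This only governs web requests; it does
# not change file system permissions.

# Apache 2.4 (mod_authz_core present)
<IfModule mod_authz_core.c>
    Require all denied
    # Re-open only the two entry points. FilesMatch tests the file name alone,
    # so a file with one of these names in a subdirectory would also be served.
    <FilesMatch "^(merchant|admin)\.mvc$">
        Require all granted
    </FilesMatch>
</IfModule>

# Apache 2.2 and older (no mod_authz_core)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    <FilesMatch "^(merchant|admin)\.mvc$">
        Order allow,deny
        Allow from all
    </FilesMatch>
</IfModule>

# ---- /mm5/public/.htaccess ----
# Overrides the parent's default so images, styles, scripts and graphics
# (and everything under them) are served.
<IfModule mod_authz_core.c>
    Require all granted
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
</IfModule>
```

A quick check after deploying: a request for something_else.mvc or anything under /5.00 should return 403, while merchant.mvc, admin.mvc and files under /public still load.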

Post by Luke »

Dude... that looks like exactly what I need. ::slaps you with a good-job fish::