Restrict access to all but a few files and directories

Posted: Thu Apr 12, 2007 4:22 pm
by Luke
I've got a directory set up like this:

/mm5
    /5.00
        /modules
        /some other irrelevant stuff
    /public
        /images
        /styles
        /scripts
        /graphics
            /en-US
    merchant.mvc
    admin.mvc
    sometherfiles.mvc
    something_else.mvc
I want to restrict access to every file and folder except merchant.mvc, admin.mvc, and /public (as well as EVERYTHING under it). Everything else should be accessible to each other, but not to the general public. How do you recommend doing this?

The server is Apache. I'm not sure which version; it's a shared host.

Posted: Thu Apr 12, 2007 5:07 pm
by timvw
- I'd probably write a little bash script that first gives only me (the user) rights
- then I would grant rights to Apache to traverse the directories
- then I would grant rights to Apache to read files (and perhaps a couple of directories for listing purposes)

eg:

#!/bin/bash
BASEDIR=/somewhere/username
WEBDIR="$BASEDIR/web"

# give user all rights (and remove rights from others)
chmod 700 "$BASEDIR"
find "$BASEDIR" -type d -exec chmod 700 {} \;
find "$BASEDIR" -type f -exec chmod 600 {} \;

# allow user to run scripts in bin
find "$BASEDIR/bin" -type f -exec chmod u+x {} \;

# gradually add rights so www-data can access webfiles
# (execute on a directory only lets www-data traverse it;
#  read on a directory is only needed for index listings)
chmod g+x "$BASEDIR"
chmod g+x "$WEBDIR"
chmod o+x "$WEBDIR/private"
chmod o+r "$WEBDIR/private/.htpasswd"
chmod o+r "$WEBDIR/private/timvwblog.php"
chmod o+rx "$WEBDIR/www.timvw.be"
find "$WEBDIR/www.timvw.be" -type f -exec chmod o+r {} \;
find "$WEBDIR/www.timvw.be" -type d -exec chmod o+x {} \;

#chmod o+x "$WEBDIR/www.timvw.be/cgi-bin"
#find "$WEBDIR/www.timvw.be/cgi-bin" -type f -exec chmod o-r {} \;
#find "$WEBDIR/www.timvw.be/cgi-bin" -type d -exec chmod o-x {} \;
#find "$WEBDIR/www.timvw.be/cgi-bin" -maxdepth 1 -type f -exec chmod u+x {} \;
chmod u+x "$WEBDIR/www.timvw.be/cgi-bin/something/blah.pl"

But I would really recommend placing all this in a script (this way you can easily re-apply the rights, possibly via a cronjob...)

Posted: Thu Apr 12, 2007 5:17 pm
by Luke
Even if I give a file 400 access (only read access to owner), you can still reach this file in a web browser. For some reason I just can't seem to fully grasp file permissions and who owns what and why. :(

EDIT: I was thinking something like:

deny from all
but that won't work for specific files, will it?

hrmm... it is so frustrating being a server/apache n00b. I need a book.

Posted: Thu Apr 12, 2007 5:44 pm
by nickvd
You could always lock down everything like you said (deny from all) and then use a <FilesMatch> directive to open up what you need.
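A concrete .htaccess layout for the tree in the first post, added here as an example and not posted by anyone in the thread. It assumes the host permits .htaccess overrides (AllowOverride Limit for the 2.2 syntax, AuthConfig for the 2.4 syntax) and that the two entry points are exactly merchant.mvc and admin.mvc.

```apache
# /mm5/.htaccess  (constructed example; Apache 2.2 mod_authz_host syntax)
# Default for this directory and every subdirectory: nobody gets in.
Order deny,allow
Deny from all

# Re-open only the two entry points. <FilesMatch> is evaluated after the
# directory-level rules, so its Allow wins for files whose names match.
# The regex is anchored so e.g. "admin.mvc.bak" stays hidden.
<FilesMatch "^(merchant|admin)\.mvc$">
    Allow from all
</FilesMatch>

# /mm5/public/.htaccess
# A fresh Order/Allow block in a subdirectory replaces the parent's rules,
# so everything under /public (images, styles, graphics/en-US, ...) is served.
Order allow,deny
Allow from all

# Apache 2.4 equivalents (mod_authz_core replaced Order/Allow/Deny):
# /mm5/.htaccess
#   Require all denied
#   <FilesMatch "^(merchant|admin)\.mvc$">
#       Require all granted
#   </FilesMatch>
# /mm5/public/.htaccess
#   Require all granted
```

These rules only govern HTTP requests; the .mvc scripts still read modules and other files from disk as before, which is the "accessible to each other" part. After deploying, confirm with a client request that /mm5/5.00/modules/ returns 403 while /mm5/merchant.mvc and /mm5/public/images/ still answer.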

Posted: Thu Apr 12, 2007 5:48 pm
by Luke
dude... that looks like exactly what I need. ::slaps you with a good-job fish::