Restrict access to all but a few files and directories
Posted: Thu Apr 12, 2007 4:22 pm
by Luke
I've got a directory set up like this:
Code:
/mm5
/5.00
/modules
/some other irrelevant stuff
/public
/images
/styles
/scripts
/graphics
/en-US
merchant.mvc
admin.mvc
sometherfiles.mvc
something_else.mvc
I want to restrict access to every file and folder except merchant.mvc, admin.mvc, and /public (as well as EVERYTHING under it). Everything else should be accessible to each other, but not to the general public. How do you recommend doing this?
The server is apache. I'm not sure which version, it's a shared host.
Posted: Thu Apr 12, 2007 5:07 pm
by timvw
- I'd probably write a little bash script that first gives only me (the user) rights
- then I would grant rights to apache to traverse the directories
- then I would grant rights to apache to read files (and perhaps a couple of directories for listing purposes)
eg:
Code:
#!/bin/bash
BASEDIR=/somewhere/username
WEBDIR="$BASEDIR/web"
# give user all rights (and remove rights from others)
chmod 700 "$BASEDIR"
find "$BASEDIR" -type d -exec chmod 700 {} \;
find "$BASEDIR" -type f -exec chmod 600 {} \;
# allow user to run scripts in bin
find "$BASEDIR/bin" -type f -exec chmod u+x {} \;
# gradually add rights so www-data can access webfiles
# (x on a directory lets the server traverse it without listing it)
chmod g+x "$BASEDIR"
chmod g+x "$WEBDIR"
chmod o+x "$WEBDIR/private"
chmod o+r "$WEBDIR/private/.htpasswd"
chmod o+r "$WEBDIR/private/timvwblog.php"
chmod o+rx "$WEBDIR/www.timvw.be"
find "$WEBDIR/www.timvw.be" -type f -exec chmod o+r {} \;
find "$WEBDIR/www.timvw.be" -type d -exec chmod o+x {} \;
# cgi-bin handling, currently disabled (-maxdepth must precede -type)
#chmod o+x "$WEBDIR/www.timvw.be/cgi-bin"
#find "$WEBDIR/www.timvw.be/cgi-bin" -type f -exec chmod o-r {} \;
#find "$WEBDIR/www.timvw.be/cgi-bin" -type d -exec chmod o-x {} \;
#find "$WEBDIR/www.timvw.be/cgi-bin" -maxdepth 1 -type f -exec chmod u+x {} \;
chmod u+x "$WEBDIR/www.timvw.be/cgi-bin/something/blah.pl"
But I would really recommend placing all this in a script (this way, you can easily re-apply the rights, possibly via a cronjob...)
Posted: Thu Apr 12, 2007 5:17 pm
by Luke
Even if I give a file 400 access (only read access to owner), you can still reach this file in a web browser. For some reason I just can't seem to fully grasp file permissions and who owns what and why.
EDIT: I was thinking something like:
but that won't work for specific files, will it?
hrmm... it is so frustrating being a server/apache n00b. I need a book.
Posted: Thu Apr 12, 2007 5:44 pm
by nickvd
You could always lock down everything like you said (deny from all) and then use a
<FilesMatch> directive to open up what you need.
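As an added illustration of nickvd's suggestion (this is not configuration from the thread), the two .htaccess files below implement Luke's requirement for the layout he posted. Assumptions: the directory holding merchant.mvc and admin.mvc is the one Apache serves (taken here to be /mm5/5.00), the host runs Apache 2.2 with the Order/Deny/Allow syntax, and AllowOverride permits Limit directives in .htaccess. The paths and the version are mine, not the page's.

```apache
# ---- /mm5/5.00/.htaccess (assumed path) ------------------------------
# Default for everything at or below this directory: refuse HTTP clients.
Order deny,allow
Deny from all

# Re-open exactly the two entry points by file name. FilesMatch tests the
# basename, so the anchored regex keeps e.g. "merchant.mvc.bak" closed.
# Note it also applies in subdirectories: a file literally named
# merchant.mvc under /modules would be reachable as well.
<FilesMatch "^(merchant|admin)\.mvc$">
    Order allow,deny
    Allow from all
</FilesMatch>

# ---- /mm5/5.00/public/.htaccess (assumed path) -----------------------
# A later Order/Allow/Deny set replaces the parent's as a whole, so this
# opens the entire /public subtree (images, styles, scripts, graphics,
# en-US and anything else under it).
Order allow,deny
Allow from all
```

On Apache 2.4 the same intent is written as `Require all denied` in the top file, `Require all granted` inside the FilesMatch block and in public/.htaccess (the 2.2 directives still work there only if mod_access_compat is loaded). To check the result, request a file under /modules and one under /public from outside: the first should return 403, the second 200. These rules act only on HTTP requests; code the server runs (merchant.mvc loading its modules) reads the other files through the filesystem and is unaffected, which is also why chmod 400 did not help earlier in the thread: on a shared host the server process typically runs as, or can read as, the account owner, so filesystem permissions do not distinguish a browser request from the owner's own script.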
Posted: Thu Apr 12, 2007 5:48 pm
by Luke
dude... that looks like exactly what I need. ::slaps you with a good-job fish::