Hidden files on Apache/Linux

Posted: Fri Nov 18, 2005 3:54 pm
by alex.barylski
I always thought by virtue of naming a file like: .htaccess the file is inaccessible to anyone via HTTP...

However I just named a file: .settings right inside my document root

and using something like: http://www.mydomain.com/.settings

And Voilà!!! My browser returned the contents of this file...

Nothing of importance...but still...what gives...if I had an htaccess file alongside .settings...would its contents be visible also???

I thought under Linux any file prefixed with a '.' was invisible...???

Is this a problem with my shared host or is this just the way things work???

Should I contact my hosting company???

Cheers :)

Posted: Fri Nov 18, 2005 4:02 pm
by Ambush Commander
Not sure, but I thought they blocked .ht* files?

Anyway, you can always restrict access using the htaccess file itself, so it's not that big.

Posted: Fri Nov 18, 2005 5:26 pm
by timvw
There is no problem whatsoever.

'ls' will list directory contents (hiding thingies that start with .)
'ls -a' will list all contents (also thingies that start with .)

Now, Apache doesn't use 'ls' so in a regular configuration it will make everything available that is in your "pubwww" directory.

If Apache is allowed to do so it will look for a .htaccess file to override configuration settings. By default files starting with .ht are not displayed. That also explains why you probably can't see a .htaccess file.

If you want to deny access to all files starting with . you could add the following:

<Files ~ "^\.">
    Order allow,deny
    Deny from all
</Files>

Posted: Sat Nov 19, 2005 10:21 am
by AGISB
I can't even imagine how many sites have an open .htaccess. You can view it by http://url/.htaccess

To avoid this you can place this inside the .htaccess

<Files ~ "\.htaccess$">
order deny,allow
deny from all
</Files>

Posted: Sat Nov 19, 2005 12:21 pm
by shiflett
AGISB wrote: I can't even imagine how many sites have an open .htaccess. You can view it by http://url/.htaccess

Not many. The default httpd.conf includes the following:

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

Posted: Sun Nov 20, 2005 1:30 am
by AGISB
shiflett wrote:
AGISB wrote: I can't even imagine how many sites have an open .htaccess. You can view it by http://url/.htaccess
Not many. The default httpd.conf includes the following:

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

I am not sure which Apache version put this as default. I am sure that many early Apaches that still run did not. I did have the problem at some time at my server.

Posted: Sun Nov 20, 2005 11:33 am
by alex.barylski
So...

Only files starting with .ht Apache recognizes as DO NOT SEND BACK TO USER type files???

So I could rename the file .htsettings and everything should be cool?

Thanks :)

Posted: Sun Nov 20, 2005 4:09 pm
by timvw
It all depends on your Apache settings... So check them to be absolutely sure..
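
Added example, not written by any poster in this thread: a small Python check of which dotfiles a set of `<Files ~ ...>` deny rules actually covers, run against the rules quoted above and the file names from the question. It assumes Python's `re` matches these simple patterns the same way Apache's regex engine does; the helper names, and the rule that a block counts only if it denies everyone and allows nothing, are simplifications made for this example.

```python
import re

# <Files ~ "regex"> ... </Files> and <FilesMatch "regex"> ... </FilesMatch>
BLOCK = re.compile(
    r'<Files(?:Match|\s+~)\s+"([^"]+)"\s*>(.*?)</Files(?:Match)?>',
    re.IGNORECASE | re.DOTALL)
DENY = re.compile(r'^\s*(?:Deny\s+from\s+all|Require\s+all\s+denied)\s*$',
                  re.IGNORECASE | re.MULTILINE)
ALLOW = re.compile(r'^\s*(?:Allow\s+from|Require\s+all\s+granted)',
                   re.IGNORECASE | re.MULTILINE)


def deny_patterns(config_text):
    """Return the compiled filename regexes of blocks that deny everyone."""
    patterns = []
    for regex, body in BLOCK.findall(config_text):
        # Simplification (assumption): the block must deny all and allow nothing.
        if DENY.search(body) and not ALLOW.search(body):
            patterns.append(re.compile(regex))
    return patterns


def exposed_dotfiles(config_text, filenames):
    """Dotfiles in `filenames` that no deny block in `config_text` covers."""
    patterns = deny_patterns(config_text)
    return [name for name in filenames
            if name.startswith(".")
            and not any(p.search(name) for p in patterns)]


# Constructed sample input: rule sets quoted in the thread.
DEFAULT_RULE = r'''
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
'''
ALL_DOTFILES_RULE = r'''
<Files ~ "^\.">
    Order allow,deny
    Deny from all
</Files>
'''
# Constructed file listing: names discussed in the thread plus one normal file.
SAMPLE_FILES = [".htaccess", ".htsettings", ".settings", "index.php"]

if __name__ == "__main__":
    print(exposed_dotfiles(DEFAULT_RULE, SAMPLE_FILES))       # ['.settings']
    print(exposed_dotfiles(ALL_DOTFILES_RULE, SAMPLE_FILES))  # []
```

The check only reads configuration text; the live server's answer to a request for each dotfile is what finally confirms the setting.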