Preventing web access to certain files

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Preventing web access to certain files

From: Gunnar Hjalmarsson <mailbox@gunnar.cc>
To: ringlinklist@gunnar.cc
Date: Wed, 25 Oct 2000 01:53:52 +0200

Graham P Collins wrote:
> 
> >Also, have you considered suggestion number 2) at
> >http://rachelle.net/ringlink/miscellany.html#7 ?
> 
> I think you mean #8, option (2). No, my understanding is that
> permissions are handled in a different manner on NT. For the perl
> script to access the items in the lib and data directories, they
> must be accessible (perhaps only to clever and nosy people, but
> nonetheless accessible) to general users.
Please note that the option (2) solution is not about file permissions
at all, but it is about letting the web document root be a subdirectory
to the root of the webhosting account.
I just tested this solution on a Unix server, and basically this is the
set-up:
The path to the root of "my" space on the server is:
        /usr/.../htdocs/gunnar
and I'm free to create any subdirectories under that directory. But the
URL to my homepage - we can call it http://www.domain.com/gunnar/ -
refers to
        /usr/.../htdocs/gunnar/web
Accordingly, any document I want to be readable from the web has to be
saved in /usr/.../htdocs/gunnar/web or in a subdirectory to that
directory.
As regards Ringlink, I uploaded the *.pl files in
        /usr/.../htdocs/gunnar/web/cgi-bin/ringlink
while the 'lib' and 'data' directories were located as follows:
        /usr/.../htdocs/gunnar/ringlink/lib
                                       /data
This means that the files in these directories are not accessible from
the web, not because of file permission settings or .htaccess
arrangements, but for the simple reason that no URL refers to them.
Nevertheless, the files can be read by the scripts (the *.pl files).
A variant to this solution, if you can't make your provider refer the
URL to a subdirectory, is to locate the 'lib' and 'data' directories in
a directory with an "unlikely" name, like:
        /usr/.../htdocs/gunnar/web/cXPrt59/lib
                                          /data
and make sure that /usr/.../htdocs/gunnar/web includes an index.html
file in order to prevent people from listing the files.
Note that the above locations of the 'lib' directory presuppose that the
second line of all the *.pl files includes the full path to the 'lib'
directory.
As far as I understand, these ways of preventing people from viewing the
information in rlconfig.pm, ring.db and sites.db should work as good on
NT servers as on Unix/Linux servers.
We had a large discussion thread about the .htaccess solution; now I'd
appreciate your comments on these solutions too.
/ Gunnar

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]