How to protect a directory from files getting uploaded into it - .htaccess

I want to prevent uploading files to a specific directory,
as I already have some php and html files in this directory.
I was trying .htacess:
Options -Indexes
<Files *>
deny from all
</Files>
This is working, but makes me unable to open any files from the folder.
I then tried with this:
<Files *.php>
deny from all
</Files>
But then I cannot start index.php in this folder...
Can anyone help me?

If you're on Linux, use the chmod command to disable uploads, but still leave browsing enabled.
Use it like this: chmod 755 directory_path or chmod 555 directory_path. You may need to become root in order to make these changes, depending on your setup.
The first chmod command in this example allows only the directory owner to upload files, others can only read the directory contents. The second chmod command doesn't allow anyone to write to this directory. For more information, use man chmod inside your shell.

Related

Why not able to start SSH shell though permissions are set?

Due to a recent hack of my servers I am in some kind of ultimate restriction taste and thus wanted to limit the permissions of all the root folders like so:
chmod o-x /*
To enable login for other users again, I do:
chmod o+x /home
Now, I have another user which is not root and which should be the only one allowed to login, but it cant - the SSH authentication itself works but then this error appears:
/bin/sh: Permission denied
Seems easy to grant permissions to the bin folder like so:
chmod o+x /bin
But I still get the same Permission denied message.
Whats going on here?
The execute bit (x) on directories allows an user to go into that directory. If you remove the x bit from the root directory (/), then it is not possible to go into that directory and get the details of its contents. But in order to get the details of the bin directory under the / directory, that is necessary.
The same is true for /home and what is in it, by the way.
You might argue that you can do an ls / and list it's contents. That is because the contents itself are in the inode of the listed folder. But try to get a detailed listing with ls -l / and you will see that the permissions can not be listed. This is because the permissions are in the inode of the bin directory, but without the x permission, you are not allowed to enter the root directory in order to look at that inode.
Removing the x permission bits from the root directory is going to cause lots of problems. Don't do it! Better to learn concepts like SELinux or similar.

Redirecting a user with htaccess when viewing a directory with 770 permissions

I have a directory called "files" that contains an .htaccess file with the following rule:
RewriteEngine On
RewriteBase /
RewriteRule ^(.*)$ /assets/secure.php?f=$1 [NC,L]
So when a user tries to view any file within the files directory they are redirected to /assets/secure.php file. This file is meant to check permission on the user but to simplify it all it does now is prints the file name that the user tried to access.
secure.php code
$f = $_GET['f'];
echo 'file Name: '.$f;
The "files" directory contains other directories with chmod permissions of 770. Now if i try and view a file in one of these 770 directories I get a 404 file not found. I've I make it world executable then it echos out the file name as expected.
This set up was working fine on another set up so guessing it's down to ownership or something. But they all seem to have same group and owner.
The server is apache with cpanel installed.
Any ideas?

Protect specific directories with .htaccess

Is it possible to protect specific directories with a single .htaccess and .htpasswd file?
I can only seam to find the ability to protect single files, or an entire directory (and it's sub directories)?
E.g .htpasswd in /public_html/myfolder
and protect
/public_html/myfolder/secret
/public_html/myfolder/admin
but not
/public_html/myfolder/mypublicfiles
htaccess files are a per directory options, it's sort of like a <Directory> block but defined by where you put the htaccess file. So you can't arbitrarily setup HTTP authentication on a directory other than the directory that the htaccess file is in.

CHMOD setting to hide directory

Just wondering what the most common CHMOD setting used to hide a directory and it's contents inside a public_html folder of a Linux server. Basically just so the public can't access the files at all. Thanks.
On directories, to hide the contents, executable permission is what allows people to view the contents of the directory. So if you want the owner and group to be able to read it, then permission should look like this: drwxr-x--- (chmod 750 the_dir).

Apache and linux file permissions can't browse file or directories

I just copied my magento site over to a local server running CentOS 5.4. The browser said it can't locate the location of the stylesheets. The stylesheets are within /skin/frontend/my_new_interface/design2/css. I tried to view in the browser and I can't view any of the files within the css directory. I verified a million times that I'm typing in the correct location. I can view files within /skin/frontend/my_new_interface/design2. Can't browse directories within browser however.
I typed in ls -l css
and get:
-rwxr-xr-x 1 apache apache
listed for all the files
I tried chmod -R 755 and the directories
I changed the apache conf Options Indexes
But still when I browse the directories I get Forbidden. However, in another fresh installation of magento in the same www dir, I am able to browse directories. As far as I can tell both installations have same ownership and permissions.
I also tried
find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
which was recommended in the magento wiki
I've just run out of ideas.
You'll need to add Options +Indexes to your httpd.conf or in a .htaccess file in the css/ folder to view the folder contents through the browser. This is bad ju-ju though. Do you really need to switch this on, or can you keep doing it through the ssh session?
On the CSS file note, can you type pwd when in the CSS directory? That'll help us confirm you've got the correct location. Do you get "Forbidden" when you try to view the CSS file directory, or just when you try to view the directory contents?
The file permission were set up correctly. I figured out that the .htaccess had a rewrite rule set for the css directory that was causing the problem. I inherited this site and am still not aware of all the little modifications done throughout.

Resources