Viewing Web Directories

[Mr. Anderson]

Or better yet, what do I do to keep people from viewing the directory if there isn't a index.html

D

 

[edesignuk]

Is the server Apache? If so, just pop a .htaccess file in the dir with this in it.

Options All -Indexes

 

[Mr. Anderson]

Is the server Apache? If so, just pop a .htaccess file in the dir with this in it.

Options All -Indexes

what permissions do I set on that file?

and do I need to put it in every directory? I was hoping for something global.

D

 

[whocares]

<ignore>Permissions should be 744 I guess (all-read-read), maybe 755.</ignore>

.htaccess files are inherited. Put one in your root directory, and all directories will be 'protected'. 🙂
You may of course over-write the inherited .htaccess parameters for a given directory with a new .htaccess file. In turn, this new file will cascade down to all sub-directories.

 

[belvdr]

Permissions should be 744 I guess (all-read-read), maybe 755.

.htaccess files are inherited. Put one in your root directory, and all directories will be 'protected'. 🙂
You may of course over-write the inherited .htaccess parameters for a given directory with a new .htaccess file. In turn, this new file will cascade down to all sub-directories.

Or you can edit the httpd.conf file. For the DocumentRoot, you will see a <Directory> directive. Simply put -Indexes in the Options tag. Be sure to check throughout the file. The Apache default is to make the DocumentRoot very strict, then loosen the perms later on.

I personally prefer this method over .htaccess files, just for the cleanliness of the web directories. Also, it eliminates any file permission security holes that may pop up.

EDIT: If you choose .htaccess files, do _not_ use 744 or 755. You want these to be 644, maximum.

 

[whocares]

EDIT: If you choose .htaccess files, do _not_ use 744 or 755. You want these to be 644, maximum.

Would you care to elaborate on this, and its security implications?

Also, if you modify your httpd.conf file (which *is* the best method, but rarely available in shared hosting environments), don't forget to restart Apache 😉

 

[belvdr]

Would you care to elaborate on this, and its security implications?

Also, if you modify your httpd.conf file (which *is* the best method, but rarely available in shared hosting environments), don't forget to restart Apache 😉

If the file is writable, it depends on the user who owns it. If it is writable by the user running the web server, someone might be able to write a shell script into that file. Now that it has execute privileges, it's not that far of a stretch to get it to execute.

A good rule of thumb is don't give any more permissions than are necessary. If it only needs to be readable, then there's no reason to give write or execute privileges. Many security incidents happen due to lax security. Don't be one of them.

Also, you're right on with the shared server piece. I didn't recognize that the original question was concerning a shared web server.

 

[Mr. Anderson]

i'm not hosting the stuff myself, so I'm going to go with the .htaccess file route.

Thanks for all the help - this is great 😀

It works great, and the standard permissions are 644, so that wasn't an issue. Now I need to set up an error page - what error number is that?


D

 

[belvdr]

i'm not hosting the stuff myself, so I'm going to go with the .htaccess file route.

Thanks for all the help - this is great 😀

It works great, and the standard permissions are 644, so that wasn't an issue. Now I need to set up an error page - what error number is that?


D

Error page for what? A 404 (file not found)?