
Preserved Topic: Proper chmod for .htaccess and .htpasswd (Page 1 of 1)

 
riddim
Nervous Wreck (II) Inmate

From:
Insane since: Aug 2000

posted 03-17-2001 20:08

I recently set up a password protected page and custom error page on my site but the problem is the htaccess and htpasswd files can be publicly viewed. Following the FAQ at http://www.panix.com/corp-web/faq/htaccess.html I set .htaccess to chmod 644 and the .htpasswd to chmod 604 but it's still publicly viewable. Other combinations of chmods I've tried disable both server and user access. Anyone know the right chmod mode to use for both the files so that the server will execute or view them but internet users won't be able to view the contents? I doubt it has anything to do with the host; hypermart.

riddim
Nervous Wreck (II) Inmate

From:
Insane since: Aug 2000

posted 03-17-2001 20:22

Also is there any particular chmod I should use for the directory or should I use the default chmod 755?

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 03-17-2001 22:59

Actually, setting file permissions is not the proper way to hide those files. Most web servers won't show files that begin with ".ht*" (Apache is configured like this by default), but since you can view those files, Hypermart probably configured their servers differently. So, my suggestion is to take a look at Hypermart's FAQ (if they have any). Also, you can try adding this to your .htaccess file:

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

If you still can view those files, then something is really wrong with Hypermart (or they configured their servers very restrictively)...

Oh, as far as folders are concerned you should leave them at 755 (or you won't be able to browse them)!



[This message has been edited by mr.maX (edited 03-17-2001).]

riddim
Nervous Wreck (II) Inmate

From:
Insane since: Aug 2000

posted 03-18-2001 04:49

Thanks. I tried it and it works perfectly without a flaw. I really appreciate your help.

GenericPlayer
Nervous Wreck (II) Inmate

From: Ontario
Insane since: Mar 2001

posted 03-25-2001 02:22

There are actually two problems here. The first was what max said, to prevent people from viewing the files through Apache. You can't stop that by changing the file permissions, because Apache has to be able to read those files, and if Apache can read them, everyone on the web can. So, max solved your problem with internet users seeing those files, problem being, everyone still has permissions on those files, and therefore anyone else with an account on that server can look at them. You should chown your .htpasswd and .htaccess to you.apache, where you is your username and apache is the group Apache is running as, then chmod 740 it. Very basic permissions lesson for you: the first number is the owner's permission, the second number is the group's permission and the third number is everyone else on the system's permissions. You want to make sure you have full permissions, Apache's group has only read permissions, and everyone else has nothing.
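
The audit and the chown/chmod step described in the post above, as an added shell example that is not part of the original thread. It assumes shell access on the host; the function names `audit_ht` and `harden_ht` and the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example: find .ht* files that other local accounts can touch,
# then apply the group ownership and mode 740 from the post.

# audit_ht DIR: print every .ht* file under DIR that grants any
# read, write or execute permission to "other" (the third octal digit).
audit_ht() {
    find "$1" -type f -name '.ht*' \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# harden_ht DIR [GROUP]: set the group to the one the web server runs as
# (GROUP is an assumption, e.g. "apache"; skipped when omitted), then
# chmod 740: owner rwx, group read-only, other nothing.
harden_ht() {
    if [ -n "${2:-}" ]; then
        find "$1" -type f -name '.ht*' -exec chgrp "$2" {} + || return 1
    fi
    find "$1" -type f -name '.ht*' -exec chmod 740 {} +
}

# Demo on a scratch directory using the modes from the first post.
demo() {
    d=$(mktemp -d) || return 1
    printf 'AuthType Basic\n' > "$d/.htaccess"
    printf 'user:constructed-hash\n' > "$d/.htpasswd"
    chmod 644 "$d/.htaccess"
    chmod 604 "$d/.htpasswd"
    echo "readable by other accounts before:"
    audit_ht "$d"
    # The caller's own group stands in for the web server's group here.
    harden_ht "$d" "$(id -g)"
    echo "readable by other accounts after:"
    audit_ht "$d"
    ls -la "$d"
    rm -rf "$d"
}
demo
```

The file modes only restrict other accounts on the same machine; requests over HTTP are still governed by the `<Files>` rule, because the web server itself must be able to read both files.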

mr.maX
Maniac (V) Mad Scientist

From: Belgrade, Serbia
Insane since: Sep 2000

posted 03-25-2001 06:18

GenericPlayer, if I remember correctly Hypermart doesn't give you high control over your domain (it's a free host), so I'm not really sure that he can issue the chown command (I don't even think that he has telnet/ssh access)...
