Full Version: Fun with Security
Hostony Board > General Support > General Support
chrisleeuk
I am on a Linux server with unlimited FTP accounts.

This is great but I need to know what the security implications are of allowing others access to a sub folder of my web space.

Ideally I would like to prevent FTP upload of certain files or at least prevent scripts from running that might be used to hack my main site.

I have tried using .htaccess files in the parent folder to ban specific file types (so that PHP files won't work in the user's FTP area). The problem is that the user can just put another .htaccess file in the sub folder.

Does anyone have any idea what the risks are and how to secure specific directories in a way that will prevent users from getting access to my site.

Thanks

Chris.
Alec
Please have a look at the following tip:

AllowOverride directive
Syntax: AllowOverride All|None|directive-type [directive-type] ...
Default: AllowOverride All
Context: directory
Status: core

When the server finds an .htaccess file (as specified by AccessFileName) it needs to know which directives declared in that file can override earlier access information.

Note: AllowOverride is only valid in <Directory> sections, not in <Location> or <Files> sections, as implied by the Context section above.

When this directive is set to None, then .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem.

When this directive is set to All, then any directive which has the .htaccess Context is allowed in .htaccess files.

The directive-type can be one of the following groupings of directives.

AuthConfig
   Allow use of the authorization directives (AuthDBMGroupFile, AuthDBMUserFile, AuthGroupFile, AuthName, AuthDigestRealmSeed, AuthType, AuthUserFile, Require, etc.).
FileInfo
   Allow use of the directives controlling document types (AddEncoding, AddLanguage, AddType, DefaultType, ErrorDocument, LanguagePriority, etc.).
Indexes
   Allow use of the directives controlling directory indexing (AddDescription, AddIcon, AddIconByEncoding, AddIconByType, DefaultIcon, DirectoryIndex, FancyIndexing, HeaderName, IndexIgnore, IndexOptions, ReadmeName, etc.).
Limit
   Allow use of the directives controlling host access (Allow, Deny and Order).
Options
   Allow use of the directives controlling specific directory features (Options and XBitHack).

Example:

   AllowOverride AuthConfig Indexes

See Also: AccessFileName and Configuration Files
chrisleeuk
Thanks for that,

I have already looked at the 'AllowOverride Deny All' directive

The examples specify something like this.

<Directory />
# Valid values are None, All, or a list of directive groups; "Deny All" is not accepted syntax
AllowOverride None
</Directory>

They seem to suggest that this should be added to a file called httpd.conf.

I am on shared hosting so I don't think I have access to this file.

Any specific examples that will work with .htaccess would be helpful.

Thanks

Chris.
Alexandre
You should add these directives into the .htaccess file.
You can find it in your public_html directory.

I think this link will be useful for you:

http://httpd.apache.org/docs-2.0/howto/htaccess.html

chrisleeuk
I don't think I can use .htaccess to override sub folder settings. In the documentation 'AllowOverride' is only available in the <Directory> section. The <Directory> section has a context of server config.

If you follow the logic from the documentation (see below) looking at the bold sections you get to the last line 'It is not allowed in .htaccess files at all.'

It appears I need to add a directory section to my server configuration files with the AllowOverride directive.

I cannot do this as the files are not visible to me, however; at least I don't see any in my file area. Am I missing something, or is this correct?


AllowOverride

Only available in <Directory> sections
AllowOverride is valid only in <Directory> sections specified without regular expressions, not in <Location>, <DirectoryMatch> or <Files> sections.

------------------------------------------------------------------------------------
<Directory> Directive
Syntax: <Directory directory-path> ... </Directory>
Context: server config, virtual host

------------------------------------------------------------------------------------
server config
This means that the directive may be used in the server configuration files (e.g., httpd.conf), but not within any <VirtualHost> or <Directory> containers. It is not allowed in .htaccess files at all.
Alexandre
.htaccess file

The .htaccess file can be placed in one or more of your directories.

For instance, public_html

When a request for a web page is made, the web server first checks for an .htaccess file. The server begins this check by looking for .htaccess in the root of the current web directory, and on down the directory tree until it reaches the directory where the requested file resides. Since the placement of the .htaccess file determines when it is executed, this fact can be used to restrict access only in certain subdirectories.
Functions:
Restrict access to directories using passwords
Redirect hits onto another webpage
Control and set the messages generated for various error conditions
Edit Mime-types
Activate and deactivate various server features

To create an .htaccess file, make a text file, name it .htaccess (without any extension) and upload it.

Except for the first feature, described below, the following features will only work for a .htaccess file placed in your domain-www folder. Add all features you want to the same file.
----------------------------------------
Restricting Access: Password Protection
The directory you want protected must have a .htaccess file in it that looks like the following (do not put the comments in the actual .htaccess file [comments begin with #]):

AuthUserFile /home/user/.passwd
AuthGroupFile /home/user/.group
AuthName "Protected Space"
AuthType Basic
# Apache only accepts comments on their own line, never after a directive.
# No <Limit GET> wrapper: that would leave POST, HEAD and every other method
# unauthenticated, so the Require applies to all methods.
# $users is the group (from the .group file) that you give access to
Require group $users
# If there is only one user, use this line instead of "Require group"; remove the #
#Require user $user

(Other possible groups are administrators, etc)
Groups and users are stored in the .group file, and passwords are stored in .passwd. The .htaccess file looks for these files in the /home/$user directory. Do not attempt to edit these manually! Alabanza has a special script you can use to manage your .group and .passwd files (the "webmister" script). Ask support to install it for you.
-----------------------------------------
Redirects
Redirecting allows you to send the user to, for example, new.html when they attempt to access old.html. To see this example in practice, simply add the following line to the .htaccess file:
Redirect /directory/old.html http://domain.com/directory/new.html
------------------------------------------
Error Documents
There are two main styles of error messages you may encounter. The first is the standard form, which looks something like:

File Not found
The requested URL http://domain.com/file.html was not found on this server.

The second type comes in a variety of forms, and is customized by the webmaster.

For example:

We're sorry, but the requested URL does not exist. Please e-mail support@$domain.com if you need further assistance.

Such messages are called error documents, and are web pages designed to give a polite explanation for error conditions. These error conditions generate numbers which are used to refer to the appropriate error condition. Some of the most common messages are as follows:

Error in Client
400 Bad syntax
401 Unauthorized
402 Not Used (Payment Granted)
403 Forbidden
404 Not Found
Error in Server
500 Internal Error
501 Not Implemented
502 Overloaded
503 Gateway Timeout

How to Customize Error Messages for Your Site:
First, create the HTML page you want to use as your error message.
Second, upload it to your web directory [/home/$user/$domain-www].
Third, go into your .htaccess file (or create one) and add lines which specify the substitution.

Here are three examples of specifying error documents which will be called for a given error condition (note you can use relative or absolute addressing):
ErrorDocument 401 http://$domain.com/nopasswd.html
ErrorDocument 403 /forbidden.html
ErrorDocument 404 http://www.$domain.com/nofile.html
-----------------------------------------
Mime Types
You can add mime types to your .htaccess file with a line like:
AddType text/html .txt


You can allow access only from a defined IP:

# Order takes a comma-separated pair. With Deny,Allow the Deny rules are evaluated
# first and the Allow rules last, so the listed IP wins over "Deny from all".
# (Allow,Deny with these two rules would deny everyone. Apache 2.4: "Require ip 70.126.12.199")
Order Deny,Allow
Deny from all
Allow from 70.126.12.199