Very Computer

Dealing with a new Server that came pre-installed with Apache.

Directory Indexing is turned on - thats fine.

We utilize specific system directories such as : logs, cgi-local, stats,
cgiemail, and errors. For these directories, we don't want users to be
able to list their contents in a Web Based FTP format, so in the
access.conf, each of these directories has their own <Directory>
section.

Document Root is /web and each domain is in a separate sub-directory
such as /web/mydomain

From access.conf:

# Errors Directory

<Directory /web/*/errors>
Options None
AllowOverride None

<Limit GET>
order allow,deny
allow from all
</Limit>
</Directory>

The above works great to keep the Web visitors from listing the contents
of the "errors" directory and if they try to do so, the appropriate 403
Error Page is displayed.

However, if a user knows the name of a file inside of the "errors"
directory, Apache will gladly serve that file up and display it.
Example:

/web/myserver/errors
/web/myserver/errors/myfile.txt

They can't list the directory, but if they know the name of myfile.txt,
they can type in:

http://www.myserver.com/errors/myfile.txt

and Apache will display the file.

How on earth do you keep Apache from doing this other than making the
directory a "Script Alias" directory (which so far seems to be the only
thing that prevents users from viewing files, but it also produces an
error log entry saying that the file is not executible)?

Any feedback will be most appreciated.

Kenny

: Dealing with a new Server that came pre-installed with Apache.

: Directory Indexing is turned on - thats fine.

: We utilize specific system directories such as : logs, cgi-local, stats,
: cgiemail, and errors. For these directories, we don't want users to be
: able to list their contents in a Web Based FTP format, so in the
: access.conf, each of these directories has their own <Directory>
: section.

: Document Root is /web and each domain is in a separate sub-directory
: such as /web/mydomain

: From access.conf:

: # Errors Directory

: <Directory /web/*/errors>
: Options None
: AllowOverride None

: <Limit GET>
: order allow,deny
: allow from all
: </Limit>
: </Directory>

: The above works great to keep the Web visitors from listing the contents
: of the "errors" directory and if they try to do so, the appropriate 403
: Error Page is displayed.

: However, if a user knows the name of a file inside of the "errors"
: directory, Apache will gladly serve that file up and display it.

You're making my head hurt.  Why, on earth, don't you just have

 <Directory /web/*/errors>
 Options None
 AllowOverride None
 order deny,allow
 deny from all
 </Directory>

Don't use <Limit> if you want to limit all methods.  And don't use
"allow from all" when you mean "deny from all".  If this doesn't solve
your problem, then you need to better specify who you want to be able
to access the directory using what methods.

--
Joshua Slive

http://finance.commerce.ubc.ca/~slive/

Joshua,

If your head hurts, imagine how mine feels!

<Directory /web/*/errors>
 Options None
 AllowOverride None
 order deny,allow
 deny from all
</Directory>

Unfortunately that denies all access.

Hopefully this is a better explanation

I modified cgiemail so that a single directory is used to store the
Templates, the HTML pages, and the text files that it writes to.

I need to turn off Directory Indexing and prevent individual access to
the files in the cgiemail directory, but still allow the HTML forms to
be loaded in the browser.

So, if you have this:

cgiemail
  test.html
  test_thanks.html
  test.txt
  test.dat

test.txt is a template file and test.dat is a CSV file that is written
to and which contains the info from the test.html Form. I don't want
people to be able to view the contents of test.txt and especially
test.dat, but they obviously must be able to "get" the 2 HTML files.

I know I can use per file access methods, but I have no control over
what users will name their files (ie, they don't have to use a .txt
extension).

The program (cgiemail) sets the permissions on the test.dat file to
0600, but users can still browse the file. Shouldn't they be denied
access to the file since it doesn't have Read permissions?

I'm trying to learn all of this so be nice to me <g>.

Kenny

Joshua,

This works fine:

<Directory /web/*/cgiemail>
Options None
AllowOverride None

<Files "*">
deny from all
</Files>

<Files "*.ht*">
allow from all
</Files>

</Directory>

Thanks for your feedback.

I'm still confused, though, why Apache lets browsers have a text file
even though its permission prevent group and other access. Did the
server somehow get configured to run with my permissions or is this just
the way "things work"?

Kenny

: Joshua,

: This works fine:

: <Directory /web/*/cgiemail>
: Options None
: AllowOverride None

: <Files "*">
: deny from all
: </Files>

: <Files "*.ht*">
: allow from all
: </Files>

: </Directory>

: Thanks for your feedback.

: I'm still confused, though, why Apache lets browsers have a text file
: even though its permission prevent group and other access. Did the
: server somehow get configured to run with my permissions or is this just
: the way "things work"?

The unix file permssions that apply to apache when serving files are
determined by the user that the web server is running under -- see the
User directive in the apache configuration files.  Chances are that
the file in question is owned by the user mentioned in the User
directive.  This is necessary in order that your CGI scripts are able
to write to it (unless you use suexec).  So, the proper solution is
either to place the files outside the document root (which seems
inconvenient in your case) or to use apache access restrictions as you
are now doing.

--
Joshua Slive

http://finance.commerce.ubc.ca/~slive/