ansaurus

Question

Folder security?

Answer 1

+4 A:

You don't want to have those files in a web-accessible folder. Move them out of the webroot.

Once you do this, you can have a file like download.php to which you pass a file ID and it can then validate it is in fact Jim asking for his files and only then fetch the file and output it to the browser as an attachment. This is the safest/best way for security.

Paolo Bergantino 2009-04-01 03:37:58

And of course, verify if the user has access to the file corresponding to the file ID, otherwise users would still be able to retrieve files. Instead of file and directory names, they will now use file IDs.

Vineet Reynolds 2009-04-01 04:01:53

I would imagine that goes without saying, but I guess you can never be too sure. Updated :)

Paolo Bergantino 2009-04-01 04:02:55

Yep, went without saying, but a newbie might not figure that out so easily :)

Vineet Reynolds 2009-04-01 04:05:05

Answer 2

A:

Sure, you can use basic file/directory permissions in Linux. You can also set the entire tree to be denied by apache.

What platform / webserver software are you running?

Okay, linux:

If the owner of the directory is 'joe', and the group is 'apache', then:

 chmod 750 joe

This would give the directory 'joe' permissions which allow the owner (joe) full access, the group (apache) write access (and the ability to enter the directory), and nothing else.

Is this an FTP drop-box?

What are the ownerships/groups like now?

jedihawk 2009-04-01 03:38:07

Oops I duplicated... if you put the the mode I will delete.

ojblass 2009-04-01 03:41:06

I am using Apache, how do I do it?

2009-04-01 03:49:21

Xampp (winxp), Apache - that is.

2009-04-01 03:49:59

Please add that info to the question.

ojblass 2009-04-01 03:57:14

Answer 3

+1 A:

I belive file permissions of a directory +w-r+x will alow directory writes but not reads. In geeky unix terms this is %chmod 733 dirname. The directory ownership would have to be set properly using chown and chgroup. This applies to a unix environment.

ojblass 2009-04-01 03:40:17

733 actually, becouse you can't write anything in directory, unless you have the permission to enter it (eXecute bit)

vartec 2009-04-01 11:25:17

Answer 4

A:

You could use an .htaccess file to require a username and password to be entered making each folder a protected folder.

But I think the best way to do it would be to move the uploads folder outside of the webroot so that it's not directly accessible, and then create a script (PHP, ASP, etc) that serves up the requested file after authenticating the user.

Chris Thompson 2009-04-01 03:40:45

Answer 5

A:

The simplest solution is to just add an index.htm file to the folder.

Any visitors will then see this page rather than the index of files.

The page can be blank, or even better, redirect to the domain home page with a redirect.

Jon Winstanley 2009-04-01 07:59:55

Answer 6

A:

http://httpd.apache.org/docs/2.2/howto/auth.html

vartec 2009-04-01 11:31:33

ansaurus

tags:

views:

answers:

Folder security?

related questions