LinuxQuestions.org

evermore 04-14-2011 12:37 PM

permission with lighttpd, linux permission...
 
I am running lighttpd on a Linux Fedora server

and my problem is

I have index.php that accesses a file called hit.txt

it's just a text counter

problem is you can go to mydomain.com/hit.txt

to access this text file, and I don't want to do this

I can restrict the URL in lighttpd config but what if I have a thousand files like this? Typing in file names would be tedious

current permission
-rw-rw---- 1 root lighttpd 2 2011-04-13 21:27 hit.txt
-rwxrw---- 1 root lighttpd 1211 2011-04-02 12:05 index.php


lighttpd user is lighttpd, if I want lighttpd to read and write from hit.txt then outside user can guess and display hit.txt (slim chance at name but the main point of fixing this weird thing)
I've searched and read a lot of Apache server permission and cannot find an answer to this

bathory 04-14-2011 04:53 PM

Hi,

In Apache you can forbid access to .txt files using FilesMatch, or mod_rewrite, so the same goes for lighttpd.
I'm not very familiar with lighttpd rewrite, so here is the equivalent of FilesMatch:
Code:

$HTTP["url"] =~ "(.*)\.txt$" {
    url.access-deny = ("")
}

Regards

evermore 04-14-2011 11:11 PM

I realize that

but say I have 1000 files?? like hit.txt
but all different extensions??

I don't have time to restrict every extension........


any other fix?

lupusarcanus 04-14-2011 11:13 PM

I assume if you restrict the directory that those files are in it will restrict access to any relevant subdirectories.

This is only an assumption, however, so beware.

bathory 04-15-2011 12:42 AM

@OP

File permissions are not going to work, because if a file with read permissions exists in the docroot, Apache can serve it to the client.

You could forbid access to any file except php, html, images (.jpg .png) and others I cannot think of at the moment.
Or using rewrite, forbid everything unless the referrer is a php file.

Another way is to move those files outside document-root, in a directory that lighttpd has write permissions. But this implies changes in the php code of the php files that rely on those files.
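
An added example, not part of any post in this thread: a shell audit that lists every file under a document root whose extension is outside an allowlist, which are the files that would have to move outside the document root or be covered by a deny rule. The allowlist contents and the constructed sample tree (file names other than hit.txt and index.php) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list files under a document root whose
# extension is outside an allowlist. Those are the data files a URL can reach.
# ASSUMPTION: the allowlist below uses the extensions named in the post above.
ALLOWED_EXT="php html jpg png"

# Print, relative to docroot $1, every regular file that is not allowlisted.
# Matching is case-sensitive; file names containing newlines are not handled.
audit_docroot() {
    docroot=${1%/}
    find "$docroot" -type f | LC_ALL=C sort | while IFS= read -r path; do
        name=${path##*/}
        case $name in
            *.*) ext=${name##*.} ;;   # text after the last dot
            *)   ext="" ;;            # no extension at all
        esac
        ok=no
        for allowed in $ALLOWED_EXT; do
            if [ "$ext" = "$allowed" ]; then ok=yes; fi
        done
        if [ "$ok" = no ]; then printf '%s\n' "${path#"$docroot"/}"; fi
    done
}

# Build a constructed sample tree (hypothetical file names) and print its path.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/data" "$d/img"
    : > "$d/index.php"        # served on purpose
    : > "$d/img/logo.png"     # served on purpose
    : > "$d/hit.txt"          # counter file from the thread
    : > "$d/data/visits.log"  # another data file, different extension
    printf '%s\n' "$d"
}

sample=$(make_sample_docroot)
audit_docroot "$sample"
rm -rf "$sample"
```

Pointed at a real document root, anything it lists either belongs outside the document root or needs a deny rule.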

Bodi 04-15-2011 11:23 AM

Usually when you do not allow public read access like you did:
-rw-rw---- 1 root lighttpd 2 2011-04-13 21:27 hit.txt
-rwxrw---- 1 root lighttpd 1211 2011-04-02 12:05 index.php

This means that only the user/group members will be able to read this file, you do not have public read permissions set on these files, so they should not be able to be opened by a browser, you should get an error.

Forbidden

You don't have permission to access /hit.txt on this server.

evermore 04-16-2011 12:34 AM

Quote:

Originally Posted by Bodi (Post 4325617)
Usually when you do not allow public read access like you did:
-rw-rw---- 1 root lighttpd 2 2011-04-13 21:27 hit.txt
-rwxrw---- 1 root lighttpd 1211 2011-04-02 12:05 index.php

This means that only the user/group members will be able to read this file, you do not have public read permissions set on these files, so they should not be able to be opened by a browser, you should get an error.

Forbidden

You don't have permission to access /hit.txt on this server.


When a user accesses mydomain.com the Linux user is "lighttpd", thus it's in the group, therefore you can do mydomain.com/hit.txt

I've tested quite a few times and got annoyed with it, so I remember it very clearly xD


All times are GMT -5.