permission with lighttpd, linux permission...
I am running lighttpd on a Linux Fedora server, and my problem is that I have an index.php that accesses a file called hit.txt; it's just a text counter. The problem is you can go to mydomain.com/hit.txt to access this text file, and I don't want that. I can restrict the URL in the lighttpd config, but what if I have a thousand files like this? Typing in file names would be tedious.
Current permissions:
-rw-rw---- 1 root lighttpd 2 2011-04-13 21:27 hit.txt
-rwxrw---- 1 root lighttpd 1211 2011-04-02 12:05 index.php
The lighttpd user is lighttpd. If I want lighttpd to read and write from hit.txt, then an outside user can guess and display hit.txt (slim chance at the name, but the main point is fixing this weird thing). I've searched and read a lot about Apache server permissions and cannot find an answer to this.
Hi,
In Apache you can forbid access to .txt files using FilesMatch, or mod_rewrite, so the same goes for lighttpd. I'm not very familiar with lighttpd rewrite, so here is the equivalent of FilesMatch:
Code:
$HTTP["url"] =~ "(.*)\.txt$" {
I realize that,
but say I have 1000 files?? Like hit.txt but all different extensions?? I don't have time to restrict every extension... Any other fix?
I assume if you restrict the directory that those files are in it will restrict access to any relevant subdirectories.
This is only an assumption, however, so beware.
@OP
File permissions are not going to work, because if a file with read permissions exists in the docroot, Apache can serve it to the client. You could forbid access to any file except php, html, images (.jpg, .png) and others I cannot think of at the moment. Or, using rewrite, forbid everything unless the referrer is a php file. Another way is to move those files outside the document root, into a directory that lighttpd has write permissions on. But this implies changes in the PHP code of the php files that rely on those files.
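The "move those files outside document-root" option from the post above, as an added example that is not part of the original thread: a hit counter whose data file lives in a directory lighttpd can write to but cannot serve by URL. The path /var/lib/hitcounter and the function name bump_counter are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the thread.
// DATA_DIR is an assumed location outside the lighttpd document root.
// Create it once as root so only the lighttpd group can use it, e.g.:
//   install -d -o root -g lighttpd -m 0770 /var/lib/hitcounter
const DATA_DIR = '/var/lib/hitcounter';

/**
 * Increment the counter stored in $path and return the new value.
 * The file has no URL because it is not under the document root,
 * so no per-file or per-extension deny rule is needed.
 */
function bump_counter(string $path): int
{
    // 'c+' opens read/write, creates the file if missing, and does not truncate.
    $fh = fopen($path, 'c+');
    if ($fh === false) {
        throw new RuntimeException("cannot open counter file: $path");
    }
    try {
        // Exclusive lock so concurrent requests do not lose updates.
        if (!flock($fh, LOCK_EX)) {
            throw new RuntimeException("cannot lock counter file: $path");
        }
        $raw = trim((string) stream_get_contents($fh));
        // Treat an empty or corrupted file as zero instead of failing the page.
        $count = ctype_digit($raw) ? (int) $raw : 0;
        $count++;
        rewind($fh);
        ftruncate($fh, 0);
        fwrite($fh, (string) $count);
        fflush($fh);
        flock($fh, LOCK_UN);
        return $count;
    } finally {
        fclose($fh);
    }
}

// Every data file uses the same directory; only the file name changes.
echo 'Hits: ', bump_counter(DATA_DIR . '/hit.txt'), "\n";
```

With the data files relocated this way, the group read/write bits shown in the listing above can stay as they are, because lighttpd only reaches the file through PHP and never through a request path.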
Usually when you do not allow public read access like you did:
-rw-rw---- 1 root lighttpd 2 2011-04-13 21:27 hit.txt
-rwxrw---- 1 root lighttpd 1211 2011-04-02 12:05 index.php
This means that only the user/group members will be able to read this file. You do not have public read permissions set on these files, so they should not be able to be opened by a browser; you should get an error:
Forbidden
You don't have permission to access /hit.txt on this server.
Quote:
When a user accesses mydomain.com the Linux user is "lighttpd", thus it's in the group, therefore you can do mydomain.com/hit.txt. I've tested quite a few times and got annoyed with it, so I remember it very clearly xD