[SOLVED] Preventing Users from Downloading Files from the Sever By Typing the URL
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Since it is not recognized by the web browser so it is downloaded on the system. That way, what the script does is exposed to the outside world.
Okay, I usually keep such scripts in ../cgi-bin/. But for files (text files, in the example) which are being uploaded by a user should not be downloaded by another user.
Distribution: On my PC I use RHEL, at office AIX, Solaris, HP-UX, RHEL.
Posts: 254
Original Poster
Rep:
Quote:
Originally Posted by bathory
Code:
<FilesMatch "\.(cal|sh|txt)>
Deny from all
</FilesMatch>
Code:
RewriteEngine on
RewriteRule \.[cal|sh|txt] - [F]
I tried both of them one by one and then both of them together:
Code:
-bash-2.05b# pwd
/var/www/html
-bash-2.05b# cat .htaccess
<FilesMatch "\.(cal|sh|txt)>
Deny from all
</FilesMatch>
RewriteEngine on
RewriteRule \.[cal|sh|txt] - [F]
-bash-2.05b#
I restarted the apache / httpd service:
Code:
service httpd restart
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
-bash-2.05b#
Code:
and then accessed the file:
http://host-6-12.linuxzoo.net/year.cal
September 2010
Su Mo Tu We Th Fr Sa
1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30
I guess the .htaccess is not read by the web server.
You must make sure your have
Code:
AllowOverride All
in httpd.conf, in order for apache to read .htaccess files.
Quote:
But I didn't get the 1st option:
Quote:
1. You can create an index.html page to hide the contents of the webserver directory.
I mean that if you have an index.html in the directory containing the files you want to protect, then the directory contents will not be listed and someone has to know the exact filename of the file to be able to download it.
Distribution: On my PC I use RHEL, at office AIX, Solaris, HP-UX, RHEL.
Posts: 254
Original Poster
Rep:
[QUOTE=bathory;4102515]
I guess the .htaccess is not read by the web server.
You must make sure your have
Code:
AllowOverride All
in httpd.conf, in order for apache to read .htaccess files.
Code:
# AllowOverride controls what directives may be placed in .htaccess files.
AllowOverride All
Code:
service httpd restart
Code:
http://host-6-10.linuxzoo.net/year.cal
Forbidden
You don't have permission to access /year.cal on this server.
--------------------------------------------------------------------------------
Apache/2.0.51 (Fedora) Server at host-6-10.linuxzoo.net Port 80
In general, you should never use .htaccess files unless you don't have access to the main server configuration file. There is, for example, a prevailing misconception that user authentication should always be done in .htaccess files. This is simply not the case. You can put user authentication configurations in the main server configuration, and this is, in fact, the preferred way to do things.
.htaccess files should be used in a case where the content providers need to make configuration changes to the server on a per-directory basis, but do not have root access on the server system. In the event that the server administrator is not willing to make frequent configuration changes, it might be desirable to permit individual users to make these changes in .htaccess files for themselves. This is particularly true, for example, in cases where ISPs are hosting multiple user sites on a single machine, and want their users to be able to alter their configuration.
However, in general, use of .htaccess files should be avoided when possible. Any configuration that you would consider putting in a .htaccess file, can just as effectively be made in a <Directory> section in your main server configuration file.
There are two main reasons to avoid the use of .htaccess files.
The first of these is performance. When AllowOverride is set to allow the use of .htaccess files, Apache will look in every directory for .htaccess files. Thus, permitting .htaccess files causes a performance hit, whether or not you actually even use them! Also, the .htaccess file is loaded every time a document is requested.
Further note that Apache must look for .htaccess files in all higher-level directories, in order to have a full complement of directives that it must apply. (See section on how directives are applied.) Thus, if a file is requested out of a directory /www/htdocs/example, Apache must look for the following files:
And so, for each file access out of that directory, there are 4 additional file-system accesses, even if none of those files are present. (Note that this would only be the case if .htaccess files were enabled for /, which is not usually the case.)
The second consideration is one of security. You are permitting users to modify server configuration, which may result in changes over which you have no control. Carefully consider whether you want to give your users this privilege.
Note that it is completely equivalent to put a .htaccess file in a directory /www/htdocs/example containing a directive, and to put that same directive in a Directory section <Directory /www/htdocs/example> in your main server configuration:
However, putting this configuration in your server configuration file will result in less of a performance hit, as the configuration is loaded once when Apache starts, rather than every time a file is requested.
The use of .htaccess files can be disabled completely by setting the AllowOverride directive to "none"
If you don't want to use .htaccess, you can put the same FilesMatch or mod_rewrite directives in httpd.conf.
The good thing with .htaccess is that you don't have to restart apache every time you want to change something.
If you think your question is answered, you can mark the thread "Solved", using the "Thread Tools" on top of the page.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
Here is your fees... 
