logo
Apache Lounge
Webmasters

 


About

Forum Index Downloads Search Register Log in  RSS Apache Lounge
 



Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Apache Lounge is not sponsored.

Your donations will help to keep this site alive and well, and continuing building binaries.



About Locking htdocs folder

 
Post new topic   Reply to topic    Apache Forum Index -> Coding & Scripting Corner



View previous topic :: View next topic  
Author Message
peacemaker



Joined: 23 May 2008
Posts: 80

PostPosted: Wed 24 Nov '10 16:59    Post subject: About Locking htdocs folder Reply with quote

Hi i just need advice regarding one thing. If i made a web based software using php & mysql. How can i stop user from viewing htdocs folder, how can i lock that folder as..if i install that software on localhost..then all the files will be visible to user or any other person can copy those files. So i want to lock those files. how should i do that..
thanks in advance.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

PostPosted: Wed 24 Nov '10 17:01    Post subject: Reply with quote

You cant to secure the php code from beeing viewed or secure the htdocs folder?
Back to top
peacemaker



Joined: 23 May 2008
Posts: 80

PostPosted: Wed 24 Nov '10 17:05    Post subject: About Locking htdocs folder Reply with quote

Hi james thanks for the instant reply...sorry to say but i didnt got wat u were saying...do you want to say..we cannt lock htdocs folders..is that wat you wanted to sugges..then wat is the solution for that....else how can i do password protection to that folder..
thanks
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

PostPosted: Wed 24 Nov '10 17:14    Post subject: Reply with quote

You want to password protect that folder from the web? Than take a look at http://httpd.apache.org/docs/2.2/howto/auth.html

A tip how to generate passwords: http://www.apachelounge.com/viewtopic.php?t=1877

if you still have a question please ask again!
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2123
Location: Sun Diego, USA

PostPosted: Wed 24 Nov '10 17:36    Post subject: Reply with quote

I think what I am reading is he wants anything run in htdocs not to be able to look over the entire computer but only allowed access to the stuff in htdocs itself. Am I correct?
Back to top
peacemaker



Joined: 23 May 2008
Posts: 80

PostPosted: Thu 25 Nov '10 11:29    Post subject: About Locking htdocs folder Reply with quote

Hi thanks for both replying...
Ya Smith you are right. What i want is.. i want to make a software which will run on local network using mysql. For running php code i will need apache server. i can get all this things using XAMPP. In that i will have to store all my files(php,CSS,Js) in htdocs folder. so if anyone who knows about these tings can easily copy that stuff and db . so i want to protect that folder or the whole XAMPP folder. so no one will be able to copy that stuff. i can put password to phpmyadmin. But how to protect that folder..Thanks in advance..
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2123
Location: Sun Diego, USA

PostPosted: Thu 25 Nov '10 21:10    Post subject: Reply with quote

Well,

If Apache HAS to read it, Apache MUST have access to it. However, since we are talking mysql here, databases are stored in the mysql/data folder are they not?

I am not sure how php's mysql connector works exactly, but there may be a possibility that you can deny Apache access to the mysql folder, to keep at the least the DB from being copied. But unless there is a big gaping hole in Apache, it should not be able to access it anyway unless you specifically configured Apache access to it.

A PHP/CGI/etc script however on Windoze, can because the service is running under a user that is real close to *nix's "root" and can get to anything on the computer. This however can be dealt with running Apache under a different, and limited user. It's called "Jailing Apache."

You can deny this user access to anything you do not want Apache, or any script running under Apache, to get it's hands on using permissions much in the same way as *nix.

Right click on any folder in Windows Explorer and the select the "Security" tab, you will start to get the picture.

So things to keep in mind. Let's say we are running apache as user xampp (yes you will have to create this user like all others). We can then start allowing or denying that user to locations on the file system. Apache HAS to be able to read & execute itself and all DLLs, so you cannot really deny all access to c:\xampp. You can can give it read only, as long it never tries to write a log or pid file to xampp/logs! You tell it to drop these elsewhere where you do allow the user xampp write access.

Another thing you cannot do is deny anything above, in the tree, that you are going to want to allow. There is a way to uninherit what's above but in my experience, deny will still kill you. So that said you could not

C:\xampp <- deny all here
C:\xampp\bin <- allow read access here
C:\xampp\conf <- allow read access here
C:\xampp\htdocs <- allow read/write here
C:\xampp\logs <- allow read/write here
C:\xampp\manual <- allow read access here

As I said, in my experience for whatever that is worth (not much usually), that deny will conquer all regardless of inheritance.

For this reason I keep nothing but Apache in Apache and leave it at read only. I put logs and pid elsewhere that my xampp user has read/write permission to, and keep all websites under c:\home\*, and deny access to almost the rest of the entire hard drive.

Have fun, it takes some time to do it.
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6255
Location: Germany, Next to Hamburg

PostPosted: Fri 26 Nov '10 0:44    Post subject: Reply with quote

glsmith wrote:

I am not sure how php's mysql connector works exactly, but there may be a possibility that you can deny Apache access to the mysql folder, to keep at the least the DB from being copied.

There are two options. The first is a TCP IP connection the second one is named pipes. Apache nor any script have to access the data folder in MySQL

glsmith wrote:

C:\xampp <- deny all here
C:\xampp\bin <- allow read access here
C:\xampp\conf <- allow read access here
C:\xampp\htdocs <- allow read/write here
C:\xampp\logs <- allow read/write here
C:\xampp\manual <- allow read access here


I disagree with the htdocs folder. Apache or any script should have only read permissions. Only if you have a flat file database it should be writable and even in that case only that file should be writable.

C:\xampp\htdocs <- allow read access here

I've seen it more than once that attackers were able to put their file some kinda way into htdocs and execute them. That doesn't happen when apache nor the script is allowed to write there.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2123
Location: Sun Diego, USA

PostPosted: Fri 26 Nov '10 7:09    Post subject: Reply with quote

Agreed, sorry it was just an example, for what it was worth. The thought of turkey dinner was affecting my brain Embarassed

I prefer, using inheritance, everything not specifically set to +rw below home will be read only with a data folder along side the docroot with +rw

/home <- +r
/home/site
/home/site/data <- +rw (not inherited)
/home/site/public_html <- Docroot

/home/site2/data <- +rw (not inherited)
/home/site2/public_html <- Docroot
etc.
Back to top
peacemaker



Joined: 23 May 2008
Posts: 80

PostPosted: Wed 01 Dec '10 7:29    Post subject: About Locking htdocs folder Reply with quote

thanks for replying james and smith....i understood...what i need to do is to give just read permission to that perticular folders...i will surely look into it..
just a quick question...just want to know from where i can give these permission as smith mention below...
Quote:
C:\xampp <- deny all here
C:\xampp\bin <- allow read access here
C:\xampp\conf <- allow read access here
C:\xampp\htdocs <- allow read/write here
C:\xampp\logs <- allow read/write here
C:\xampp\manual <- allow read access here

how can i give permission like above and from where plz guide me
thanks in advance.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2123
Location: Sun Diego, USA

PostPosted: Wed 01 Dec '10 18:07    Post subject: Reply with quote

right click on a folder, select Properties then the "Security" tab in the properties dialog.
Back to top
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2123
Location: Sun Diego, USA

PostPosted: Thu 02 Dec '10 14:27    Post subject: Reply with quote

In an interesting twist of fate, an example of the power of the SYSTEM account that Apache's service runs on. There are other factors at play here but...

http://seclists.org/fulldisclosure/2010/Dec/8
Back to top
peacemaker



Joined: 23 May 2008
Posts: 80

PostPosted: Fri 03 Dec '10 15:27    Post subject: About Locking htdocs folder Reply with quote

Hi thanks for the reply.
But i am really very sorry to say to both of you that its very confusing for me what ever you ppl are saying...what i want is very simple (i m really sorry for this) with reference to smith's reply i wil have to lock folders but its very possible to any user to unlock those if he or she is aware of how to unlock the folder unless its password protected. Wat i want is...
1) if i am making a software not web site in php mysql. when i install xampp, all the php files will reside in htdocs folder and database in mysql folder of xampp.

2) if any person who learn php and aware of xampp he can straight way go to that folder and copy those files and run the frontend of the software.

3) i want to protect this htdocs folder or as whole xampp folder as the mysql database will be in xampp folder. So i will have to either lock (using password ) both htdocs and mysql folders or whole xampp folder.
I just want to know is there any other secured way to protect those folders. like encrypting or anything else. so no body should be able to see my php files or copy my database from mysql folder.
I am apologise to both of you for saying this again... But i got confused so i m giving my requirement again..
Thanks in advance.
Hope you ppl will reply again to me.
thanks
Back to top


Post new topic   Reply to topic    Apache Forum Index -> Coding & Scripting Corner
Page 1 of 1