  1. #1

    hidden directory config?

    I have set my Apache server to use /var/www/html as DocumentRoot.

    I also would like to set a directory 'hidden' like this:

    How do I configure Apache so that the public can access the html directory but not the hidden directory? I tried to set 711 permissions on 'hidden' but the public can still run my scripts in the hidden directory, and that means backdoor entry.

    I would like to configure so that nobody can look into hidden, nobody can execute any scripts in there either. The only ones allowed to see or execute scripts are other php scripts in html directory.

    How can I do this? Thanks.

  2. #2
    Linux Guru bigtomrodney (Join Date: Nov 2004)
    Well 711 still allows permission to execute for group and others. Remember 1=execute, 2=write and 4=read. Adding them together gives you the desired permission. So you should be setting it as 700, though I don't use Apache an awful lot so it may require its own permissions to be set.

  3. #3
    Yes, I tried setting 700. This will prevent others from executing scripts. But it also prevents the server (apache) from running them too.

  4. #4
    What's your apache owner? I mean the user & group in the conf file. Change /var/www/html/hidden to 700 and change its owner to the same one as in the apache conf file.

  5. #5
    If you want to allow apache access, but not users, then you'll need to set up the directory permissions using apache mod_auth, not filesystem permissions.

    Easy Way:
    Don't put the hidden directory under the document root e.g.
    now the scripts can't be accessed from the web, but apache can still execute them.

    Technically more correct way:
    enable mod auth; if you're using a Debian based system then:
    a2enmod mod_auth
    will do the trick, otherwise check your distro's apache documentation.

    Next you need to create a .htaccess file in the hidden directory, with the following contents:
            Order deny,allow
            Deny from all
            Allow from localhost SERVER_IP SERVER_NAME
    Change SERVER_IP and SERVER_NAME to suit your setup.

    Open the apache config file for the server/domain, and change:
            <Directory /var/www/html/>
                    Options Indexes FollowSymLinks MultiViews
                    AllowOverride None
                    Order allow,deny
                    allow from all
            </Directory>
    to:
            <Directory /var/www/html/>
                    Options Indexes FollowSymLinks MultiViews
                    # only the next line changes; Limit is the override that lets .htaccess use Order/Deny/Allow
                    AllowOverride AuthConfig Limit
                    Order allow,deny
                    allow from all
            </Directory>
    Save it and restart apache, and if a user tries to access anything in the hidden directory they should get a Forbidden 403 error.

    I haven't used mod_auth for a while, so if you have any problems, read the apache docs on it Documentation: Apache HTTP Server - The Apache HTTP Server Project
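
The permission modes tried in this thread (711, 700, 700 owned by the Apache user), modelled as an added example that is not code from any of the posters. It assumes PHP runs inside Apache as Apache's own user, that script files themselves are readable, and uses constructed uids; `dir_access` and `exposure` are hypothetical helper names.

```python
import stat

ALICE, APACHE = 1000, 48   # constructed uids: site owner and Apache's run user

def dir_access(mode, owner_uid, owner_gid, uid, gids):
    """(can_list, can_traverse) for a non-root process on a directory.

    The kernel applies exactly one permission class: owner if the uid
    matches, else group if a gid matches, else other.
    """
    if uid == owner_uid:
        r, x = stat.S_IRUSR, stat.S_IXUSR
    elif owner_gid in gids:
        r, x = stat.S_IRGRP, stat.S_IXGRP
    else:
        r, x = stat.S_IROTH, stat.S_IXOTH
    return bool(mode & r), bool(mode & x)

def exposure(mode, owner_uid, under_docroot=True, denied_in_config=False):
    """Which paths into the directory work. Assumes each user has a private
    group with the same id, and that no Alias maps the directory into the site."""
    _, traverse = dir_access(mode, owner_uid, owner_uid, APACHE, {APACHE})
    return {
        # include/require reads the filesystem as the Apache user
        "php_include": traverse,
        # a web request is served by that same user, so only the URL
        # mapping or an Apache access rule can tell the two apart
        "http_request": traverse and under_docroot and not denied_in_config,
    }

if __name__ == "__main__":
    cases = [
        ("711, owned by site user", dict(mode=0o711, owner_uid=ALICE)),
        ("700, owned by site user", dict(mode=0o700, owner_uid=ALICE)),
        ("700, owned by Apache user", dict(mode=0o700, owner_uid=APACHE)),
        ("700, Apache user, Deny from all",
         dict(mode=0o700, owner_uid=APACHE, denied_in_config=True)),
        ("700, Apache user, outside DocumentRoot",
         dict(mode=0o700, owner_uid=APACHE, under_docroot=False)),
    ]
    for label, kwargs in cases:
        print(f"{label:42} {exposure(**kwargs)}")
```

Filesystem modes alone always give the same answer for both rows; only the last two cases, which match the two approaches in post #5, block the web request while keeping includes working.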
