Google Answers Logo
View Question
Q: Optimizing permissions in Unix ( Answered,   0 Comments )
Subject: Optimizing permissions in Unix
Category: Computers > Security
Asked by: snoopyatwork2003-ga
List Price: $10.00
Posted: 17 Jul 2003 11:32 PDT
Expires: 16 Aug 2003 11:32 PDT
Question ID: 232089
I am running a large website hosted on Unix Apache. I want to optimize
the various permission settings for files and directories to improve
the security.

When I say inaccesible below I mean -not being downloadable through
the web or "site downloader" applications or ideally other more
advanced solutions.

What I want to achieve is:
-make any files and dirs under cg-bin totally inaccessible for anyone
but my own scripts running under my domain
-limit the access to various dirs (graphics and javascript files etc
under separete dirs) at root level as far as possible while still
accessible for execution by html and scripts under my domain

I have come across websites that kick me out from directories when
trying to download its files through "site downloaders" or direct from
the web, whilst other sites obviously are more "open".

Please advice. Many thanks
Subject: Re: Optimizing permissions in Unix
Answered By: sycophant-ga on 18 Jul 2003 00:33 PDT

The easiest way to achieve what you want it probably through a
combination of Apache access control and rewrites.

I will provide the following examples to try, test them and see if
they are sufficent.

For each of the options below, there are two ways the can generally be
1) <Directory> blocks. 
2) .htaccess files.

The first can be incorporated within the second.

For example, say my web-root is /home/sycophant/public_html
I can create a file in there called .htaccess (this may depend on
server configuration) which can contain Apache directives. These
directives will affect that directory and any sub-directories, until
they are overridden (by another .htaccess with different rules, for

The <Directory> method can be used in a .htaccess file, or within the
Apache config files. It is used like so:

<Directory /home/sycophant/public_html>
  Directive  Value
  Directive  Value

Again, this will apply to sub directories until it is overridden.

Make files and directories under cg-bin (cgi-bin?) inaccessable:

Create a .htaccess in the cgi-bin directory and add the directives

Create a <Directory> block for the cgi-bin directory and add the
directives below.


Order Deny,Allow
Deny From All
Allow From None

Restrict access to resources in certain directories:

For each directory, create either a .htaccess or <Directory>
configuration to execute the following directives

Method 1 - Requires mod_access and mod_setenvif

Options -Indexes
SetEnvIf Referer ^ allow_load
Order Deny,Allow
Deny From All
Allow From env=allow_load

Method 2 - Require mod_rewrite

Options -Indexes
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^
RewriteRule (.*) $1 [F] 

This should disallow the direct accessing of any of the files within
the directory. Also, the addition of the option "-Indexes" means that
people will not be presented with a directory index when visiting a
directory without an index.html.

The limitation with the above methods of restricting access to the
resources is that a very determined person can still get them - they
are relying on the HTTP header 'Referer' to determine if the object is
being called from within one of your own pages or not.

If you administer your own server, all of these implementations should
be quite easy to implement. However, if you are on a shared server
which you do not control, then you may find some of the options
restricted by the server's administrator.

Also, overall there is nothing you can do really to really enforce
restrictions on web content. If it is in a web-accessible directory,
in can generally be retrieved. The difference between a graphic or
file being called by your page, and being downloaded by a downloader
is just a few HTTP headers. And those can be faked.

Check out the following Apache manual pages, all are found easily from
the main Apache documentation ( ):

Mod_access - Access control (Order, Deny, Allow etc)

Mod_setenvif - SetEnvIf - environment variable setting

Mod_rewrite - URL Rewriting

Mod_rewrite guide - Practical rewriting examples

Options directive - Set various per-directory options

<Directory> directive - Per directory configuration

.htaccess tutorial

I hope this helps.

There are no comments at this time.

Important Disclaimer: Answers and comments provided on Google Answers are general information, and are not intended to substitute for informed professional medical, psychiatric, psychological, tax, legal, investment, accounting, or other professional advice. Google does not endorse, and expressly disclaims liability for any product, manufacturer, distributor, service or service provider mentioned or any opinion expressed in answers or comments. Please read carefully the Google Answers Terms of Service.

If you feel that you have found inappropriate content, please let us know by emailing us at with the question ID listed above. Thank you.
Search Google Answers for
Google Answers  

Google Home - Answers FAQ - Terms of Service - Privacy Policy