2008-04-12, 08:40   #4
SeijiSensei
AS Oji-kun
Join Date: Nov 2006
Age: 74
Let me add that if you have full access to the machine, you should use its firewalling methods to block IP addresses, not application-level access controls like .htaccess. You have so much more control at the IP level, and it's absolute. You're no longer depending on the security of the server application (which, in Apache's case, is pretty damned impressive) to block unwanted connections. Firewalling closes the door on those packets when they come a-knocking.

A simple iptables rule like

/sbin/iptables -A INPUT -s 3.0.0.0/8 -j REJECT

drops any packet from General Electric's address block.

If you have root privileges, try

/sbin/iptables -L -nv

and see what you get.

(This is for Linux and, I think, the BSDs as well now. I know nothing about OS X firewalling methods, and this certainly won't get you anywhere on Windows.)

Oh, and props to GHDpro for that excellent primer on Unix file permissions.

Here's what I think you did. You probably changed the access permissions on your HTML files so that they couldn't be read by Apache. Apache will return an "Access Denied" error in this situation because access is denied by the operating system. Unfortunately the same error is returned when a specific address is blocked by virtue of the rules in .htaccess. So while you might have thought the rules were working with one set of permissions and not the other, in fact you were changing everyone's access to the files themselves. When you turned off the execute bit, you blocked access to the directory where the web documents are kept. If you changed privileges recursively with "-R" you'll have made changes all the way down the directory tree.

By default, most users have a directory for web documents that has 755 privileges, and the documents themselves have 644 privileges. That lets the entire world list the contents of the web directory (if Apache's Indexes directive is enabled), and lets everybody read the site's documents. Only you have write privileges granted by the "7" or "6" value.

Here's an example:

(755 privileges)
drwxr-xr-x me mygroup /home/user/public_html

(644 privileges)
-rw-r--r-- me mygroup /home/user/public_html/index.html

The user "me" with "owner" privileges (6 or 7) can read, write, and list the directory /home/user/public_html. Members of "mygroup" and the "world" can read and list the directory, and read the index.html file therein. If these aren't the permissions of your web directories and documents, you'll get an "Access Denied" back from Apache when you try and view them online.

I know about these issues so well because I've played the same trick on myself in the past!

Last edited by SeijiSensei; 2008-04-12 at 19:32. Reason: specified 755/644 in example for clarity
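Added example (not part of SeijiSensei's post and not a script from Apache or any other project): a small Python audit that checks a web document tree for exactly the condition described above, "other" read on files (644) and "other" execute on every directory (755), including the directories above the web root, which is where a 700 home directory silently breaks an otherwise correct tree. The tree it inspects is constructed in a temporary directory; the path names, the 700 home directory and the images/ subdirectory "fixed" with a recursive chmod are all assumptions for the demonstration. It tests mode bits rather than os.access(), because run as the owner, os.access() reports everything readable, which is precisely the confusion the post describes.

```python
import os
import stat
import tempfile

# Apache's worker runs as an unprivileged user that is neither the file owner
# nor, usually, in the owner's group, so it is governed by the "other" bits:
# read on files, execute (traverse) on every directory along the path.


def world_can_read_file(mode):
    """True if the 'other' read bit is set (the '4' in 644)."""
    return bool(mode & stat.S_IROTH)


def world_can_traverse_dir(mode):
    """True if the 'other' execute bit is set (the '5' in 755)."""
    return bool(mode & stat.S_IXOTH)


def untraversable_ancestors(path, stop):
    """Directories strictly between `stop` and `path` that lack o+x.
    A perfect 755/644 tree is still unreachable if a directory above it,
    typically the home directory, is 700."""
    bad = []
    cur = os.path.dirname(os.path.abspath(path))
    stop = os.path.abspath(stop)
    while cur != stop and cur != os.path.dirname(cur):
        if not world_can_traverse_dir(os.stat(cur).st_mode):
            bad.append(cur)
        cur = os.path.dirname(cur)
    return bad


def audit_webroot(root):
    """Walk `root`; report each directory without o+x and each file without
    o+r. Mode bits are checked deliberately: os.access() run as the owner
    would say everything is fine, which is the trap described in the post."""
    problems = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if not world_can_traverse_dir(os.stat(dirpath).st_mode):
            problems.append((dirpath, "directory lacks o+x; should be 755"))
        for name in filenames:
            p = os.path.join(dirpath, name)
            if not world_can_read_file(os.stat(p).st_mode):
                problems.append((p, "file lacks o+r; should be 644"))
    return problems


def build_sample_tree():
    """Constructed example tree (assumption, not a real account):
    base/home/user/public_html with the conventional 755/644 at the top,
    a 700 home directory, and an images/ subdirectory that a recursive
    chmod has left at 700/600."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "home")
    os.mkdir(home)
    os.chmod(home, 0o755)
    user = os.path.join(home, "user")
    os.mkdir(user)
    os.chmod(user, 0o700)  # the classic hidden cause of an "Access Denied"
    root = os.path.join(user, "public_html")
    os.mkdir(root)
    os.chmod(root, 0o755)
    index = os.path.join(root, "index.html")
    with open(index, "w") as f:
        f.write("<html><body>hello</body></html>\n")
    os.chmod(index, 0o644)
    images = os.path.join(root, "images")
    os.mkdir(images)
    os.chmod(images, 0o700)
    logo = os.path.join(images, "logo.png")
    with open(logo, "wb") as f:
        f.write(b"\x89PNG")  # constructed placeholder bytes, not a real image
    os.chmod(logo, 0o600)
    return base, root


if __name__ == "__main__":
    base, root = build_sample_tree()
    for d in untraversable_ancestors(root, base):
        print(oct(stat.S_IMODE(os.stat(d).st_mode)), d, "ancestor lacks o+x")
    for path, why in audit_webroot(root):
        print(oct(stat.S_IMODE(os.stat(path).st_mode)), path, why)
```

Run against a real account, call audit_webroot() on the public_html directory and untraversable_ancestors() with "/" as the stop; every line it prints is a path Apache will answer with an OS-level permission error regardless of what .htaccess says.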