Indiana University Bloomington

School of Informatics and Computing

CSG FAQ

Q: How do I prevent access to my web pages by local users via the filesystem?

All of the web-based access control mechanisms (by hostname/domain, with a password, and via network ID) work fine for limiting access via the web. However, you must take extra precautions if you want to prevent access directly via the filesystem (ie. using /l/www/some/path or /l/cgi/some/path) by people with local CS accounts.

In order for the web server to be able to access and serve web pages, these files must be readable by the www user or wwwd group (or the cgi user or cgid group if you are using the cgi server). The typical way to allow such privileges is to make your web pages world-readable (ie. readable by anyone with a local CS account). Since most web pages may be accessible with no restrictions via the web server, having these files readable by all local users is frequently not a problem. However, if you want to limit access via the web and also prevent local users from reading the files you must take extra steps.

One easy way to protect the files is to put them in a directory that is only readable by you and the web or cgi server. This can be done by setting the appropriate ACLs or group permissions on the directory. The only problem with this is that you are not a member of the group under which the web and cgi servers run and unix will not let you change the group of a file or directory to a group of which you are not a member. To get around this problem, you can use Access Control Lists (ACLs) or some setgid frontend scripts to the chgrp command that let you do this:

chgrp_www - Change a named file or directory to group wwwd
chgrp_cgi - Change a named file or directory to group cgid

This is probably best explained with a couple examples. The first example will show how to secure files on the CS web server and the second on the CS cgi server.

Example 1: CS Web Server

Let's say that want to secure all the files on your CS homepage from access via the filesystem. You can do this using either of the following methods:

Using ACLs

% chmod 700 ~/.hyplan
% setfacl -m group:wwwd:r-x ~/.hyplan

Using Setgid Scripts

% chmod 750 ~/.hyplan
% chgrp_www ~/.hyplan

Note that the chgrp_www method can only be used from a linux server and not a workstation. So, in order to use that method you will have to first ssh into one of the servers (eg. burrow.cs.indiana.edu, sharks.cs.indiana.edu, moose.cs.indiana.edu, etc).

Once this is done, you can create the appropriate .htaccess files within that directory to limit access via the web server.

Example 2: CS CGI Server

Let's say that want to prevent access via the filesystem to all the cgi or php files in your /l/cgi directory. You can do using either of the following methods:

Using ACLs

% chmod 700 /l/cgi/username/cgi-pub
% setfacl -m group:cgid:r-x ~/.hyplan

Using Setgid Scripts

% chmod 750 /l/cgi/username/cgi-pub
% chgrp_cgi /l/cgi/username/cgi-pub

Note that the chgrp_www method can only be used from a linux server and not a workstation. So, in order to use that method you will have to first ssh into one of the servers (eg. burrow.cs.indiana.edu, sharks.cs.indiana.edu, moose.cs.indiana.edu, etc).

Once this is done, you can control access via the web using .htaccess files within your /l/cgi/username/cgi-pub directory.

In both examples, the files you create within these directories will still need to be readable by the web or cgi servers. However, since the containing directories are not world-readable, you can safely make the files/directories within these directories world readable.

If you are confused by unix file permissions in general, please see the Unix File Permissions Help Page.




See an error in this FAQ entry? Please report it.

[Return to the FAQ index]