Gremmie
Former Moderator in Good Standing

Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA
|
Posted:
Tue Jun 06, 2006 5:51 pm |
|
I used Sentinel to set up CGIAuth, following the instructions found in another thread here. It seems to be working. My question is: Do you just leave the permissions on .htaccess and .staccess at 0777?
Thanks. |
|
|
|
 |
gregexp
The Mouse Is Extension Of Arm

Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol
|
Posted:
Tue Jun 06, 2006 6:15 pm |
|
u cant change that to whatever permission u like...till u want it to write to it...like i personally wouldnt leave the .staccess writeable...so id chmod it to 444
but the .htaccess should remain at 666 if i want it to ban ips by writing to the .htaccess |
_________________ For those who stand shall NEVER fall and those who fall shall RISE once more!! |
|
 |
 |
kguske
Site Admin

Joined: Jun 04, 2004
Posts: 6437
|
Posted:
Tue Jun 06, 2006 6:35 pm |
|
The .htaccess prevents other scripts from touching itself or the .staccess. So you shouldn't have to change the permissions. Also, if you use .htaccess to store your blocked IPs, changing the permissions will cause NukeSentinel to fail. |
_________________ I search, therefore I exist... |
|
|
 |
gregexp

|
Posted:
Tue Jun 06, 2006 6:41 pm |
|
i had no idea that .htaccess had that kinda capability...i stand corrected
thanx for showin me this kguske |
|
|
|
 |
kguske

|
Posted:
Tue Jun 06, 2006 6:52 pm |
|
No problem. Take a look at the contents of htaccess after it's generated by NukeSentinel - I think most of it is pretty self-explanatory. |
|
|
|
 |
Gremmie

|
Posted:
Tue Jun 06, 2006 8:13 pm |
|
Thanks.
But about .htaccess. How does it protect itself? I didn't see anything about .htaccess explicitly in the sample.htaccess that came with sentinel. I did see a deny for .ftaccess (whatever that is), and .staccess was added when I used Sentinel to do the CGIAuth thing.
Or does Apache just automatically protect .htaccess?
Thanks in advance. |
|
|
|
 |
kguske

|
Posted:
Wed Jun 07, 2006 10:03 am |
|
That's a good question. I think it's automatic. |
|
|
|
 |
Tao_Man
Involved


Joined: Jul 15, 2004
Posts: 252
Location: OKC, OK
|
Posted:
Wed Jun 07, 2006 10:35 am |
|
Well unless someone set up the server in a really stupid way it is covered.
If the server has been set up securely and someone hasn't overridden it in a higher .htaccess file or someplace like httpd.conf you are fine |
_________________ ------------------------------------------
To strive, to seek, to find, but not to yield!
I don't know Kara-te but I do know cra-zy, and I WILL use it! |
|
|
 |
leo51
Worker


Joined: Sep 09, 2004
Posts: 106
Location: Canada
|
Posted:
Sat Jun 10, 2006 3:29 pm |
|
Tao_Man wrote: | Well unless someone set up the server in a really stupid way it is covered.
If the server has been set up securely and someone hasn't overridden it in a higher .htaccess file or someplace like httpd.conf you are fine |
Hi Tao_Man, sorry to ask, but could you be a little more specific for someone such as I am? I don't get what you are saying, because I have looked at a httpd.conf file on a friend's server and what's in there is:
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
yet I could still see text in the htaccess from the browser. However, at the moment the couple of hta files there are blank, so there is no real issue, but I wanted to fix it for him in the event that he were to use htaccess for good reasons.
Thanks |
|
|
|
 |
kguske

|
Posted:
Sat Jun 10, 2006 3:36 pm |
|
Deny from all does the trick. That basically says no one outside this server can read that file. |
|
|
|
 |
leo51

|
Posted:
Sat Jun 10, 2006 4:01 pm |
|
kguske wrote: | Deny from all does the trick. That basically says no one outside this server can read that file. |
Yes, correct kg, but what I am saying is that if I put a htaccess file in a folder as this for example:
AuthUserFile /whatever/whatever/.htpasswd
AuthGroupFile /dev/null
AuthName Whatevernane
AuthType Basic
<Limit GET>
require valid-user
</Limit>
and I go to the browser and type the path to the htaccess file, I am able to read the text, and I don't think that should be possible. But if I were to use this example:
AuthUserFile /whatever/.htpasswd
AuthGroupFile /dev/null
AuthName "Whatevername"
AuthType Basic
<Limit GET>
require user goodadmin
</Limit>
Then it's not possible to read the text from the browser. Look at the line between the Limit Get |
|
|
|
 |
Tao_Man

|
Posted:
Mon Jun 12, 2006 11:14 am |
|
leo51 wrote: |
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
|
The above should block access to .htaccess or .htpasswd
If it is not working, I would say you have a setup problem on your server. Most likely a silly question, but you're sure those lines are not commented out?
One other thing to check: .htaccess files cover that directory and all under it, so there may be a .htaccess file in a higher directory that is overwriting what you have in httpd.conf. Work your way up each directory and look for a .htaccess file and see if it has anything in it |
|
|
|
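The two checks suggested in the post above, plus the permission question that opened the thread, as an added example that is not part of the original posts and not NukeSentinel code. The function names `ht_files_denied` and `htaccess_chain` are hypothetical, the sample configuration is constructed from the block quoted in the thread, and `Require all denied` is accepted as the Apache 2.4 spelling of the same rule. The check reads only the text it is given and does not follow `Include` directives.

```python
import os
import re
import stat

# Constructed sample: the block quoted in the thread, as it would appear in httpd.conf.
SAMPLE_CONF = r'''
<Files ~ "^\.ht">
Order allow,deny
Deny from all
</Files>
'''

# Opening <Files>/<FilesMatch> tag whose pattern targets .ht* files.
FILES_OPEN = re.compile(r'<Files(Match)?\s+(~\s*)?"?\^?\\?\.ht', re.I)
DENY = re.compile(r'(Deny\s+from\s+all|Require\s+all\s+denied)$', re.I)

def ht_files_denied(conf_text):
    """True if an uncommented <Files> block for .ht* holds a deny-all rule."""
    inside = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # commented-out lines do not count
            continue
        if FILES_OPEN.match(line):
            inside = True
        elif line.lower().startswith("</files"):
            inside = False
        elif inside and DENY.match(line):
            return True
    return False

def htaccess_chain(start_dir, stop_dir):
    """Walk from start_dir up to stop_dir, reporting each .htaccess on the way."""
    found = []
    cur, stop = os.path.realpath(start_dir), os.path.realpath(stop_dir)
    while True:
        path = os.path.join(cur, ".htaccess")
        if os.path.isfile(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            found.append({"path": path, "mode": oct(mode),
                          "empty": os.path.getsize(path) == 0,
                          "world_writable": bool(mode & stat.S_IWOTH)})
        parent = os.path.dirname(cur)
        if cur == stop or parent == cur:
            return found
        cur = parent

if __name__ == "__main__":
    print("deny block active:", ht_files_denied(SAMPLE_CONF))
    print(htaccess_chain(os.getcwd(), "/"))
```

Run `htaccess_chain` with the directory being served as `start_dir` and the document root as `stop_dir`; any non-empty entry in the result is a file whose directives apply to that directory.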
 |
leo51

|
Posted:
Fri Jun 16, 2006 9:46 am |
|
Thanks for the response. I did check that server again and did not see any other .htaccess file, so it might just be a badly set up server, and which directory could be higher than \ root? (lol)
UPDATE:
fix: added it as this:
<Files ~ "^\.ht">
Options None
AllowOverride None
Order deny,allow
Deny from all
</Files> |
|
|
|
 |
|