peacemaker
Joined: 23 May 2008 Posts: 80
Posted: Wed 24 Nov '10 16:59 Post subject: About Locking htdocs folder
Hi, I just need advice regarding one thing. If I made web-based software using PHP & MySQL, how can I stop users from viewing the htdocs folder? How can I lock that folder? If I install that software on localhost, then all the files will be visible to the user, or any other person can copy those files. So I want to lock those files. How should I do that?
Thanks in advance.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Wed 24 Nov '10 17:01 Post subject:
You want to secure the PHP code from being viewed, or secure the htdocs folder?
peacemaker
Joined: 23 May 2008 Posts: 80
Posted: Wed 24 Nov '10 17:05 Post subject: About Locking htdocs folder
Hi James, thanks for the instant reply. Sorry to say, but I didn't get what you were saying. Do you want to say we can't lock htdocs folders? Is that what you wanted to suggest? Then what is the solution for that? Otherwise, how can I do password protection for that folder?
Thanks
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Wed 24 Nov '10 17:36 Post subject:
I think what I am reading is that he wants anything run in htdocs not to be able to look over the entire computer, but only to be allowed access to the stuff in htdocs itself. Am I correct?
peacemaker
Joined: 23 May 2008 Posts: 80
Posted: Thu 25 Nov '10 11:29 Post subject: About Locking htdocs folder
Hi, thanks to both of you for replying.
Yes, Smith, you are right. What I want is to make software which will run on a local network using MySQL. For running PHP code I will need the Apache server. I can get all these things using XAMPP. In that I will have to store all my files (PHP, CSS, JS) in the htdocs folder, so anyone who knows about these things can easily copy that stuff and the DB. So I want to protect that folder, or the whole XAMPP folder, so that no one will be able to copy that stuff. I can put a password on phpMyAdmin, but how do I protect that folder? Thanks in advance.
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Thu 25 Nov '10 21:10 Post subject:
Well,
If Apache HAS to read it, Apache MUST have access to it. However, since we are talking MySQL here, databases are stored in the mysql/data folder, are they not?
I am not sure how PHP's MySQL connector works exactly, but there may be a possibility that you can deny Apache access to the mysql folder, to keep at least the DB from being copied. But unless there is a big gaping hole in Apache, it should not be able to access it anyway unless you specifically configured Apache access to it.
A PHP/CGI/etc. script however, on Windoze, can, because the service is running under a user that is real close to *nix's "root" and can get to anything on the computer. This however can be dealt with by running Apache under a different, limited user. It's called "Jailing Apache."
You can deny this user access to anything you do not want Apache, or any script running under Apache, to get its hands on, using permissions much in the same way as on *nix.
Right click on any folder in Windows Explorer and then select the "Security" tab; you will start to get the picture.
So, things to keep in mind. Let's say we are running Apache as user xampp (yes, you will have to create this user like all others). We can then start allowing or denying that user access to locations on the file system. Apache HAS to be able to read & execute itself and all DLLs, so you cannot really deny all access to c:\xampp. You can give it read-only, as long as it never tries to write a log or pid file to xampp/logs! You tell it to drop these elsewhere, where you do allow the user xampp write access.
Another thing you cannot do is deny anything above, in the tree, that you are going to want to allow. There is a way to uninherit what's above, but in my experience deny will still kill you. So that said, you could not do
C:\xampp <- deny all here
C:\xampp\bin <- allow read access here
C:\xampp\conf <- allow read access here
C:\xampp\htdocs <- allow read/write here
C:\xampp\logs <- allow read/write here
C:\xampp\manual <- allow read access here
As I said, in my experience, for whatever that is worth (not much usually), that deny will conquer all regardless of inheritance.
For this reason I keep nothing but Apache in Apache and leave it at read-only. I put logs and pid elsewhere, where my xampp user has read/write permission, keep all websites under c:\home\*, and deny access to almost the rest of the entire hard drive.
Have fun, it takes some time to do it.
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
Posted: Fri 26 Nov '10 0:44 Post subject:
glsmith wrote:
I am not sure how php's mysql connector works exactly, but there may be a possibility that you can deny Apache access to the mysql folder, to keep at the least the DB from being copied.

There are two options. The first is a TCP/IP connection, the second one is named pipes. Neither Apache nor any script has to access the data folder in MySQL.
glsmith wrote:
C:\xampp <- deny all here
C:\xampp\bin <- allow read access here
C:\xampp\conf <- allow read access here
C:\xampp\htdocs <- allow read/write here
C:\xampp\logs <- allow read/write here
C:\xampp\manual <- allow read access here

I disagree about the htdocs folder. Apache or any script should have only read permissions. Only if you have a flat-file database should it be writable, and even in that case only that file should be writable.
C:\xampp\htdocs <- allow read access here
I've seen it more than once that attackers were able to put their files some kind of way into htdocs and execute them. That doesn't happen when neither Apache nor the script is allowed to write there.
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Fri 26 Nov '10 7:09 Post subject:
Agreed, sorry, it was just an example, for what it was worth. The thought of turkey dinner was affecting my brain.
I prefer, using inheritance, that everything not specifically set to +rw below home will be read-only, with a data folder alongside the docroot with +rw:
/home <- +r
/home/site
/home/site/data <- +rw (not inherited)
/home/site/public_html <- Docroot
/home/site2/data <- +rw (not inherited)
/home/site2/public_html <- Docroot
etc.
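The permission scheme the two moderators arrive at above (Apache running as a limited local account, allow-only rights inherited from C:\home with no deny entries, read-only docroots, an explicit modify grant on a data folder beside each docroot, logs and pid file moved out of the Apache tree) as an added PowerShell example; this is not code from the thread or from XAMPP. It assumes the local account is named xampp, the Apache service is registered as Apache2.4, and the sites are named as in the layout above; adjust all three. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread. Assumed names: local account "xampp",
# service "Apache2.4", sites "site" and "site2" under C:\home, XAMPP in C:\xampp.
$Account = 'xampp'            # assumed: the limited account Apache will run as
$Service = 'Apache2.4'        # assumed: Apache service name (check services.msc)
$Sites   = @('site', 'site2') # assumed: site names from the layout in the post

# 1. Service account: an ordinary local user, member of no admin group.
$plain  = Read-Host "Password for local account $Account"
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
if (-not (Get-LocalUser -Name $Account -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $Account -Password $secure -PasswordNeverExpires | Out-Null
}

# 2. Layout: C:\home is read-only for the account via inheritance; each
#    site's data folder gets its own explicit Modify ACE; logs live outside
#    the Apache tree so C:\xampp itself never needs write access.
New-Item -ItemType Directory -Force -Path 'C:\home', 'C:\home\logs' | Out-Null
foreach ($s in $Sites) {
    New-Item -ItemType Directory -Force -Path "C:\home\$s\public_html", "C:\home\$s\data" | Out-Null
}

# Allow-only ACEs, no /deny anywhere: a deny higher in the tree wins over an
# allow below it, which is the trap described above.
# (OI)(CI) = applies to files and subfolders; R = read, RX = read+execute, M = modify.
icacls 'C:\home'      /grant "${Account}:(OI)(CI)R"  | Out-Null   # inherited read-only
icacls 'C:\home\logs' /grant "${Account}:(OI)(CI)M"  | Out-Null   # ErrorLog/CustomLog/PidFile go here
foreach ($s in $Sites) {
    icacls "C:\home\$s\data" /grant "${Account}:(OI)(CI)M" | Out-Null   # the only writable site folder
}
# Apache has to read and execute its own binaries and DLLs, nothing more.
icacls 'C:\xampp' /grant "${Account}:(OI)(CI)RX" | Out-Null

# 3. Run the service under that account instead of LocalSystem. The account
#    also needs the "Log on as a service" right (secpol.msc) before it starts.
sc.exe config $Service obj= ".\$Account" password= $plain

# 4. Verify: the service account must hold no Allow ACE carrying any write
#    bit on a docroot. Returns $true when the docroot is read-only for it.
function Test-NoWriteForAccount {
    param([string]$Path, [string]$Account)
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    $bad = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -like "*\$Account" -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $writeMask) -ne 0
    }
    return (@($bad).Count -eq 0)
}

foreach ($s in $Sites) {
    $doc = "C:\home\$s\public_html"
    if (Test-NoWriteForAccount -Path $doc -Account $Account) {
        "$doc is read-only for $Account"
    } else {
        "$doc is WRITABLE by $Account, fix the ACL"
    }
}
```

After running it, point httpd.conf at the new locations (DocumentRoot to C:\home\site\public_html, ErrorLog, CustomLog and PidFile into C:\home\logs) and restart the service; if Apache fails to start, the first thing to check is a write it still attempts somewhere under C:\xampp. The verification function is the part worth keeping around: rerun it after any permission change, since a single inherited Modify ACE on a docroot is exactly what lets an uploaded file be dropped next to the PHP code.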
peacemaker
Joined: 23 May 2008 Posts: 80
Posted: Wed 01 Dec '10 7:29 Post subject: About Locking htdocs folder
Thanks for replying, James and Smith. I understood: what I need to do is to give just read permission to those particular folders. I will surely look into it.
Just a quick question: I want to know from where I can give these permissions, as Smith mentioned below.
Quote:
C:\xampp <- deny all here
C:\xampp\bin <- allow read access here
C:\xampp\conf <- allow read access here
C:\xampp\htdocs <- allow read/write here
C:\xampp\logs <- allow read/write here
C:\xampp\manual <- allow read access here
How can I give permissions like the above, and from where? Please guide me.
Thanks in advance.
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Wed 01 Dec '10 18:07 Post subject:
Right click on a folder, select Properties, then the "Security" tab in the properties dialog.
glsmith Moderator
Joined: 16 Oct 2007 Posts: 2268 Location: Sun Diego, USA
Posted: Thu 02 Dec '10 14:27 Post subject:
In an interesting twist of fate, an example of the power of the SYSTEM account that Apache's service runs under. There are other factors at play here, but...
http://seclists.org/fulldisclosure/2010/Dec/8
peacemaker
Joined: 23 May 2008 Posts: 80
Posted: Fri 03 Dec '10 15:27 Post subject: About Locking htdocs folder
Hi, thanks for the reply.
But I am really very sorry to say to both of you that whatever you people are saying is very confusing for me. What I want is very simple (I'm really sorry for this). With reference to Smith's reply, I will have to lock folders, but it is very possible for any user to unlock those if he or she is aware of how to unlock the folder, unless it's password protected. What I want is:
1) I am making software, not a website, in PHP and MySQL. When I install XAMPP, all the PHP files will reside in the htdocs folder and the database in the mysql folder of XAMPP.
2) Any person who has learned PHP and is aware of XAMPP can straight away go to that folder, copy those files and run the frontend of the software.
3) I want to protect this htdocs folder, or the whole XAMPP folder, as the MySQL database will be in the XAMPP folder. So I will have to either lock (using a password) both the htdocs and mysql folders, or the whole XAMPP folder.
I just want to know whether there is any other secure way to protect those folders, like encrypting or anything else, so that nobody will be able to see my PHP files or copy my database from the mysql folder.
I apologise to both of you for saying this again, but I got confused, so I am giving my requirement again.
Thanks in advance.
Hope you people will reply to me again.
Thanks