Posted by Erwin Moller on 10/03/05 14:37
Ray wrote:
> Hi Erwin,
>
> Erwin Moller wrote:
> ...
>> > I can do #1 and I was wondering if that is sufficient.
>> No, the only advantage working outside webroot is that a simple request
>> to the right place will not be answered by the webserver.
>> But you can also do so by other means.
>
> I am tempted to ask you what you mean by "other means", but on second
> thought, the fewer people who know, the better. Good enough for me to
> know that it isn't perfect security.
Hi,
No secret here. :-)
On a *nix filesystem every directory and file has permissions.
Whether that file is in or outside public_html (or whatever your directory is
called) is of no concern when it comes to the other users of the system.
When you are the only user of the server, you probably don't have to worry
too much, but when you know you are in a shared hosting environment AND you
use rw for the 'world'/third argument, alarm bells should ring. :-)
>
>> As the non-root
>> > user, I guess I cannot do #2...
>> Yes you can.
>> you can place a robots.txt file just as you can place any other text
>> file.
>
> Ah! I didn't know that...thank you!
Here is more:
http://www.searchengineworld.com/robots/robots_tutorial.htm
It is actually a very simple straightforward system.
But be aware that robots.txt only works when the spider is friendly and
cares about your suggestions.
The first email-harvester written by Mr. Spam and Mr. Scriptboy would not
even bother to read robots.txt.
So never rely on it when it comes to protecting your data.
It will only work for the Good Guys, like Google.
>
>> Yes, can be done.
>> Pay attention to permissions however. :-)
>> If you do not, you can end up with files that are readable to the world,
>> that is 'everybody' who has access to your system.
>> When using shared hosting, that is everybody else on the same system.
>
> Ah! I see...
>
>> Yes you can.
>> Suppose I am on the same machine:
>> - I can see directory 3)
>> - I can browse the content of directory 3)
>> - I can read/modify file in directory 3)
>
> I said this in my previous reply, but I guess my main problem is that I
> don't understand www-data -- the account which runs the web server and
> thus, creates these files.
Well, www-data is just the name of a user.
It is typically the name of a user that runs Apache.
Remember that every process on *nix is owned by a user.
So is PHP. PHP is executed by Apache, so PHP runs as user Apache.
(Things might be more complicated actually, but this is the idea.)
A few years ago www-data had another name: 'Apache' or 'nobody'.
It is just what the server admin decided to name it.
I think nowadays www-data is used everywhere.
(When you are unlucky enough to hit a W$ machine, the user will often be
named IUSR_machinename. But W$ doesn't have permissions like *nix has.)
>
> I tried changing ownership to it and creating a group with only me and
> it, but neither worked because I'm not the root user. Perhaps I am
> doing something wrong, but I am having problems chown'ing my own
> files... Or, maybe the sysadmin has disallowed its use? Likewise for
> creating a new group.
True.
You don't want normal users changing ownership of files, do you?
;-)
That would make hacking/cracking too easy to give any satisfaction. :P
So: chown is a command executed by root.
>
>> Some time ago I discussed a similar problem with macbri.
>> Here is a link:
>>
http://groups.google.nl/group/comp.lang.php/browse_thread/thread/c8751c8082573e64/35398dedf888542a?lnk=st&q=erwin+moller++permission+directory&rnum=2&hl=nl#35398dedf888542a
>>
>> Maybe that helps setting up something a lot more secure.
>> It involves denying directory listings combined with a very long strange
>> name for a directory.
>
> Thanks! I'm going through it now and it looks long and detailed.
> Thank you for the original posting...I'll make sure the extensive
> typing you did is used at least one more time by me. :)
Hehe, thanks.
When that trick was first explained to me by a guy, I decided to share it at
least 1 time with somebody else. I did twice now. ;-)
One last tip: Once you set up something you think is reasonably secure, try
to break it yourself by using another account on the same machine, if that
is possible. It is a good way of testing what the rwx means on directories
and such, which is quite confusing the first time you use them (for me).
Good luck.
Regards,
Erwin Moller
>
> Ray
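
An added example, not part of Erwin Moller's post: a shell audit of what the 'world' (third) permission triplet grants under a directory, for checking your own files on a shared host. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Reports what the third
# permission triplet ("other"/world) grants under a directory, i.e. what
# every other account on a shared host could do without going through Apache.

audit_world_perms() {
    root=$1
    # Files any local user can modify.
    find "$root" -type f -perm -0002 | sed 's/^/world-writable file: /'
    # Files any local user can read (writable ones were reported above).
    find "$root" -type f -perm -0004 ! -perm -0002 | sed 's/^/world-readable file: /'
    # Directories any local user can create, delete or rename entries in.
    find "$root" -type d -perm -0002 | sed 's/^/world-writable dir: /'
    # Directories whose file names any local user can list. A directory with
    # only x for others (e.g. 711) can be passed through but not listed, so
    # it is not reported here.
    find "$root" -type d -perm -0004 ! -perm -0002 | sed 's/^/world-listable dir: /'
}

# Constructed sample tree; every name below is made up for the demo.
build_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/public_html" "$t/uploads"
    echo 'secret' > "$t/uploads/db_password.inc"
    echo '<?php ?>' > "$t/public_html/index.php"
    echo 'notes' > "$t/private.txt"
    chmod 711 "$t"                          # traverse only, no listing
    chmod 755 "$t/public_html"              # listable by everyone
    chmod 711 "$t/uploads"                  # outside webroot, not listable
    chmod 666 "$t/uploads/db_password.inc"  # rw for world: the alarm-bell case
    chmod 644 "$t/public_html/index.php"
    chmod 600 "$t/private.txt"
    printf '%s\n' "$t"
}

demo=$(build_demo_tree)
audit_world_perms "$demo"
rm -rf "$demo"
```

The file under `uploads` is reported even though it sits outside `public_html` in an unlistable directory: anyone on the machine who knows its name can still read and modify it.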