[CLUE-Tech] How safe is it?

Jed S. Baer thag at frii.com
Sun Nov 3 08:56:37 MST 2002


On Sun, 3 Nov 2002 07:46:24 -0700
Randy Arabie <randy at arabie.org> wrote:

> On Saturday,  2 November 2002 at  4:45:16 -0700, Roger Frank wrote:
> > I want to have some content in my /var/www/html directory that
> > has restricted access.  How safe are these scenarios:
> > 
> > 2.  I put it on a link, such as "Solutions to Student Labs", that
> >     is password protected, probably using a PHP intermediate page.
> >     (Here, I'm wondering what can be done with viewing the page
> >     source and following it.  Are PHP or PERL or any password
> >     page/link protection schemes solid?)
> > 
> > 3.  Other scenarios that work, other than "Don't put the data there
> >     if you don't want it compromised".
> > 
> > Many thanks.
> 
> What about using .htaccess password protection on the secret_stuff
> directory?

Depends upon how much security is desired. .htaccess password protection
is not encrypted. It's easily broken by anyone who can sniff packets.

What I'd do is put the restricted files somewhere outside the web document
tree. This should be a directory that Apache will deny access to (check
directives in httpd.conf to be sure). PHP can then be used to retrieve the
file(s) from that location (or Perl or whatever). There is a "source code"
function available for php, but you have to enable it (or disable it if
it's already turned on). From the install.apache.html file (php docs):

"There are 2 ways you can use the source code highlighting feature,
however their ability to work depends on your installation. If you have
configured Apache to use PHP as an ISAPI module, then by adding the
following line to your configuration file you can use this feature:
AddType application/x-httpd-php-source .phps"

But even if someone can view the source, if Apache is configured such that
it will not serve the directory tree where these files are stored, it
won't matter (assuming only trusted people have console/shell access to
the server itself, because these files need to be either owned by the user
under which Apache is running, or be readable by the web server, using
either group or world permissions).

jed
-- 
We're frogs who are getting boiled in a pot full of single-character
morphemes, and we don't notice. - Larry Wall; Perl6, Apocalypse 5
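
Serving a file from outside the web document tree after a login check, as an added example that is not part of the original thread or the PHP docs; the directory `/var/www/restricted`, the session flag `authenticated`, and the `file` query parameter are assumptions.

```php
<?php
// Added example, not from the original post. Assumes restricted files live in
// /var/www/restricted (outside /var/www/html), that Apache is configured to
// deny direct access to that directory, and that a separate login page sets
// $_SESSION['authenticated'] once the user has supplied a valid password.
session_start();

// Reject unauthenticated requests before touching the filesystem at all.
if (empty($_SESSION['authenticated'])) {
    http_response_code(403);
    exit('Access denied');
}

// Resolve the base directory once so symlinks are accounted for.
$baseDir = realpath('/var/www/restricted');
$requested = $_GET['file'] ?? '';

// Accept only a bare filename: basename() drops any directory components
// such as "../", so a request cannot escape $baseDir.
$name = basename($requested);
if ($name === '' || $name !== $requested) {
    http_response_code(400);
    exit('Bad request');
}

// Resolve the final path and confirm it is still inside $baseDir; this
// catches a symlink inside the directory that points somewhere else.
$path = realpath($baseDir . '/' . $name);
if ($baseDir === false || $path === false
    || strpos($path, $baseDir . '/') !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// Send the file as a download with a fixed content type so the browser does
// not try to render it (for example as HTML or a script).
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The file must be readable by the user or group Apache runs as, which is why the post notes that shell access to the server itself still needs to be limited to trusted people.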