
Making Files and Folders Inaccessible to the Public on a Webserver ???


Peter Olcott

Nov 7, 2009, 9:09:16 AM
How do I make files and folders inaccessible to the public
on a webserver?
I want to allow execute access to a specific webservice, but
deny all other access to everything else.


Joseph M. Newcomer

Nov 7, 2009, 10:40:09 AM
As I pointed out, I do not believe there is a way to deny read access if execute access is
permitted. There is no file access flag I can find for this. There is a flag for denying
execute access.
joe

Joseph M. Newcomer [MVP]
email: newc...@flounder.com
Web: http://www.flounder.com
MVP Tips: http://www.flounder.com/mvp_tips.htm

Joseph M. Newcomer

Nov 7, 2009, 11:22:57 AM
Are you running the program *on* the server? You have not been clear about this. If you
are not running the program on the server, there is no possible way to protect it. If you
are, the server should be configured so there is no possible way that anyone can gain
access to the file, for example, by being allowed to do FTP from arbitrary directories. So
the only way to access it is via the server-side interface, which would have no reason to
allow the file to be read.
joe

Geoff

Nov 7, 2009, 11:30:58 AM
On Sat, 7 Nov 2009 08:09:16 -0600, "Peter Olcott"
<NoS...@SeeScreen.com> wrote:

Ambiguous context. What kind of web server, Apache or IIS? Are these
files executed on the server or on the clients? Server-side
executables are stored in places like cgi-bin/ and the server won't
transmit them to clients. If they are client-side scripts, they must
be transmitted to them in order to work, anything transmitted to them
is potentially viewable or executable.

Any file under the server's document root (usually public_html in
Apache) is potentially viewable. Placing an index.html file in the
folder makes the folder un-browsable but if one knows or can guess the
names of the files they can be accessed.

Peter Olcott

Nov 7, 2009, 5:55:34 PM

"Joseph M. Newcomer" <newc...@flounder.com> wrote in
message news:fj7bf5dpj4obmqqhf...@4ax.com...

> Are you running the program *on* the server? You have not
> been clear about this. If you
> are not running the program on the server, there is no
> possible way to protect it. If you
> are, the server should be configured so there is no
> possible way that anyone can gain
> access to the file, for example, by being allowed to do
> FTP from arbitrary directories. So
> the only way to access it is via the server-side
> interface, which would have no reason to
> allow the file to be read.
> joe

Yes, I am running on the server. My program will be a web
service. What I do not know is how to restrict access to
execute-only permission for this single file, and to deny all
access to every other file and directory.

Peter Olcott

Nov 7, 2009, 5:59:19 PM

"Geoff" <ge...@invalid.invalid> wrote in message
news:la7bf5pppfdi6eje0...@4ax.com...

> On Sat, 7 Nov 2009 08:09:16 -0600, "Peter Olcott"
> <NoS...@SeeScreen.com> wrote:
>
>>How do I make files and folders inaccessible to the public
>>on a webserver?
>>I want to allow execute access to a specific webservice,
>>but
>>deny all other access to everything else.
>>
>
> Ambiguous context. What kind of web server, Apache or IIS?
> Are these

I haven't decided yet.

> files executed on the server or on the clients?
> Server-side
> executables are stored in places like cgi-bin/ and the
> server won't
> transmit them to clients.

I want to make sure that it is next to impossible for anyone
to gain anything besides execute only access to my server
side web service. I want to make sure that all other access
to any other file or directory is denied.

Alexander Grigoriev

Nov 7, 2009, 6:33:56 PM
So you want to prevent the clients from downloading the program. It's done
with the webserver access control (.htaccess, or similar).

"Peter Olcott" <NoS...@SeeScreen.com> wrote in message
news:5a6dne1qjeO7ZmjX...@giganews.com...

Geoff

Nov 7, 2009, 6:51:59 PM
On Sat, 7 Nov 2009 16:59:19 -0600, "Peter Olcott"
<NoS...@SeeScreen.com> wrote:

>
>"Geoff" <ge...@invalid.invalid> wrote in message
>news:la7bf5pppfdi6eje0...@4ax.com...
>> On Sat, 7 Nov 2009 08:09:16 -0600, "Peter Olcott"
>> <NoS...@SeeScreen.com> wrote:
>>
>>>How do I make files and folders inaccessible to the public
>>>on a webserver?
>>>I want to allow execute access to a specific webservice,
>>>but
>>>deny all other access to everything else.
>>>
>>
>> Ambiguous context. What kind of web server, Apache or IIS?
>> Are these
>
>I haven't decided yet.

The server you choose will determine what you need to do. If you are
going to allow your server side code to be used on both platforms then
you will need to investigate both protection methods. Web servers are
designed to allow http access only to certain folders and
subdirectories, usually the document root with everything else being
protected. You need to read the documentation on the servers you
intend to use.

For example, if you store files in a folder under the document root
without installing an index.html file in that folder, the HTTP server
will present the browser with a directory listing. It is therefore
very important to NOT store private documents in any folders under the
document root.

>
>> files executed on the server or on the clients?
>> Server-side
>> executables are stored in places like cgi-bin/ and the
>> server won't
>> transmit them to clients.
>
>I want to make sure that it is next to impossible for anyone
>to gain anything besides execute only access to my server
>side web service. I want to make sure that all other access
>to any other file or directory is denied.
>

Unless you are writing your own web server, (not recommended) I
suggest you read the setup and operation documentation for the server
you intend to use and pay particular attention to the chapter on
securing the server. This is not an MFC issue.
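The layout Geoff and Alexander describe (private files outside the document root, no directory listings, server-side programs reachable only for execution) as one concrete Apache 2.4 configuration. This is an added example, not configuration from the thread; it assumes a document root of /var/www/html and server-side programs kept in /usr/lib/cgi-bin.

```apache
# Added example (not from the thread). Assumes Apache 2.4, a document root of
# /var/www/html, and server-side programs kept in /usr/lib/cgi-bin, which is
# outside the document root so the program files themselves are never served.

# Default for the whole filesystem: deny everything. Only the explicit
# <Directory> blocks below open anything up over HTTP.
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# Public documents: readable, but with directory listings switched off, so a
# folder without an index.html does not reveal the names of the files in it.
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Server-side programs: ScriptAlias maps the URL prefix to the directory and
# tells Apache to execute what it finds there and return the output, never the
# file contents. Clients get "execute" in the HTTP sense and nothing else.
ScriptAlias "/cgi-bin/" "/usr/lib/cgi-bin/"
<Directory "/usr/lib/cgi-bin">
    Options +ExecCGI -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Any data the service reads (e.g. /srv/private, an assumed path) also stays
# outside the document root; it is covered by the "Require all denied" on /
# above, so the program can open it but no HTTP request can fetch it.

# Never serve dotfiles such as .htaccess or a stray .git directory.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
```

The IIS equivalent of `Options -Indexes` is leaving Directory Browsing disabled, as AliR notes later in the thread; the rest of the layout (programs and data outside the content directory) carries over unchanged.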


Joseph M. Newcomer

Nov 7, 2009, 10:12:37 PM
Pay attention to what we are all telling you:

Controlling access to the file for purposes other than execution is solely and exclusively
the responsibility of the hosting system. If I can log into that system and gain access
to the directory, and my ACL allows reading the file, I can read it. So the correct
approach, which everyone keeps telling you, is to simply set up your server so there is no
way for anyone to gain access to the file. End of story. Since it is being run on the
server, only the server program (IIS or Apache) will have access to the directory, and
they should not allow a file to be read and downloaded. If they allow this, and I'm not
sure what mechanism would be used (since this would be unnatural), then you can't stop
anyone. But I've never seen a Web server configured to allow any file downloads of its
server-side executables, and I'm not even sure it can be done unless you create a Web page
that embodies some kind of facility for doing this, which invokes some operation on the
server to cause the download. This seems unlikely.

And it is not clear that an "execute-only" capability exists in the Windows file
protection scheme. I was unable to find one when I first answered this question.

For example, I took an executable, and tried to run it under one of my "low privilege"
accounts. It ran. I switched to my admin account. I went in to the security, and denied
read access to that executable, but allowed the "read & execute". I was unable to copy
it. But I was also unable to execute it.

Evidence suggests there is no way to deny read access and allow execute access.
joe

Alexander Grigoriev

Nov 8, 2009, 9:56:28 AM

"Joseph M. Newcomer" <newc...@flounder.com> wrote in message

> And it is not clear that an "execute-only" capability exists in the Windows file
> protection scheme. I was unable to find one when I first answered this question.
>
> For example, I took an executable, and tried to run it under one of my "low privilege"
> accounts. It ran. I switched to my admin account. I went in to the security, and denied
> read access to that executable, but allowed the "read & execute". I was unable to copy
> it. But I was also unable to execute it.
>
> Evidence suggests there is no way to deny read access and allow execute access.
> joe
>

Read-execute access allows creating a file mapping on the file. That's what
it means. But, apparently, the Win32 PE loader also does a few ReadFile calls to
decode the file headers, etc.; this is why it also needs plain read access.
It can be considered a bug, but over all those years it seems to have become a
feature.


David Ching

Nov 8, 2009, 2:13:38 PM

"Peter Olcott" <NoS...@SeeScreen.com> wrote in message
news:34KdnU3rMtVUZmjX...@giganews.com...

>
>>>How do I make files and folders inaccessible to the public
>>>on a webserver?
>>>I want to allow execute access to a specific webservice, but
>>>deny all other access to everything else.
>>>
>>
>> Ambiguous context. What kind of web server, Apache or IIS? Are these
>
> I haven't decided yet.
>

Maybe this will help. When I hosted my website on Apache, I think (it was
many years ago), I just chmod the folder I wanted to prevent browsing of.
But when I moved my website to IIS, I used my ISP's browser-based control
panel to set permissions. So you can be assured that there WILL be a way to
prevent browsing of the folder but still be able to access specific files if
you know their names. This is such a common problem, it has been solved
numerous times. But the actual method of doing so depends on the actual
server.

-- David

AliR

Nov 9, 2009, 10:30:58 AM
If you don't enable Directory Browsing, they would not be able to see the
files on your server.

You might want to ask in an IIS or WebServices group just to be sure.

AliR.


"Peter Olcott" <NoS...@SeeScreen.com> wrote in message

news:EIadnfaqk-gR4mjX...@giganews.com...
