#145075 04/21/2001 11:15 AM
Anonymous
Unregistered
Hi,

On my hosting I can't place the members dir above the http root. So atm it's placed in a subdirectory of the cgi-bin.

I don't have telnet on my hosting so I'm not sure if I can drop a htaccess file in there ?

I can in my control panel password protect certain directories but I don't know if this is going to affect registration and normal member activities if I was to do so.

How can I go about protecting this dir pls ?

Thanks

Anonymous
Unregistered
Normally, if the Members directory is under the CGI-BIN folder, it should be protected, if your webhost doesn't allow the execution of scripts CHMOD to 777. That way, the script shouldn't be able to be viewed or run.

Anonymous
Unregistered
Hi,

I can chmod to 777 :/

Can I use a htaccess file without having telnet ?

and if I used a htaccess file saying

deny from all

how can I check to see if it's working ?

Yep Apache Unix if I hadn't already mentioned it

Thanks

Anonymous
Unregistered
Sure, you can use a .htaccess file without telnet - just as long as your server recognizes it. Apache does by default, but it can be disabled centrally.

Anyway, if it is working and you try to access a file in the members area by URL, you should get a 403 forbidden error.

Graeme

Anonymous
Unregistered
Thanks Graeme I'll give it a go :)

#145080 04/22/2001 10:50 AM
Anonymous
Unregistered
That worked perfectly thanks :) I got a luvly 403 error when trying to access my members files directly through my browser.

I feel safer already :D

Thanks again,

moosh

Anonymous
Unregistered
hey,

I thought this was a good place to drop my question, as I searched the entire board for how to protect the Members dir. I apologize in advance if you've answered this question before.

I need to know if 777 rights is absolutely necessary for the Members dir. I need to protect a 5.47d from Linux shell users viewing the password files. This is not about protecting from http or ftp clients. This is protecting it from ssh clients.

I'm a server administrator for several virtual hosts on one machine, one of which is a major UBB board with 5,000 registered users. Since this client is a not-for-profit site, they couldn't afford one machine robust enough, so they got some of their members to share the server. Hell, I'm a long-standing member too.

Question: If I must use 777 permissions, do you guys know of any way to assign perl's "nobody" to the Members group, thus allowing me to reset permissions to 770. Actually I thought "nobody" was part of the "root" wheel, anyhow. So why do you say 777 is necessary?

I know, I know, I should just place this board on its own partition. But hey, I was too concerned about speed (the reason they came to me), so I focused on setting it up with its own apache instantiation. Got surprised by the text-based passwords after it was too late....sigh.

Sorry I don't just experiment before bothering you, but this client's board easily has 100+ apache sessions going at once. One wrong test and my client gets emailed by 25-50 people.

#145082 04/27/2001 11:39 PM
Anonymous
Unregistered
Best thing would be to have the board running cgiwrap'd under a dedicated id, then chown all the UBB stuff over to it and start chmod'ing as low as you want. You could even go 700. But that requires a working cgiwrap.

Otherwise, "nobody" MUST have access to the files, and 777 is typically the only way to get that.

Almost forgot to mention:
If the board doesn't run under a dedicated user, there's nothing to stop another server user from accessing the member files using their own CGI scripts, which also run as "nobody".

Graeme

Anonymous
Unregistered
Thanks Graeme,

I've since made 'nobody' a supplemental group of the UBB's group for this client. That definitely allowed me to reset to 770. thx for the tip that a user could still create a 'nobody' script.

I'll look into the cgiwrap method.

Follow up question, is your method still vulnerable to a script using 'nobody'?

Anonymous
Unregistered
If UBB runs as a dedicated user and you chmod the Members directory to 700 (and chown the directory to the UBB's user), "nobody" no longer has access, so the other-member's-script method no longer works.

Graeme
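
An added example, not part of the original posts: a POSIX shell check that tells apart the 777, 770 and 700 cases discussed in this thread, so an administrator can confirm which local accounts a directory is open to. The function names and the temporary sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how far a directory is open to other local accounts.

# Succeeds if PATH grants any read, write or execute bit to "other".
has_other_access() {
    [ -n "$(find "$1" -prune \( -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# Succeeds if PATH grants any read, write or execute bit to its group.
has_group_access() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \) -print)" ]
}

# Prints "world" (777-style), "group" (770-style) or "owner-only" (700-style).
classify_dir() {
    [ -d "$1" ] || { echo "missing"; return 2; }
    if has_other_access "$1"; then
        echo "world"
    elif has_group_access "$1"; then
        echo "group"
    else
        echo "owner-only"
    fi
}

# Counts files under DIR whose own mode lets any account read them; these
# are exposed as soon as the directory itself is reachable by others.
world_readable_files() {
    find "$1" -type f -perm -004 -print | wc -l | tr -d ' '
}

# Demo on a constructed temporary directory (not a real board install).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/Members"
    printf 'constructed sample record\n' > "$tmp/Members/sample-member.txt"
    chmod 644 "$tmp/Members/sample-member.txt"
    for mode in 777 770 700; do
        chmod "$mode" "$tmp/Members"
        echo "$mode -> $(classify_dir "$tmp/Members")," \
             "world-readable files: $(world_readable_files "$tmp/Members")"
    done
    rm -rf "$tmp"
}
demo
```

A "group" result still covers every account in that group, so if "nobody" is a member, any script running as "nobody" keeps access.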

Anonymous
Unregistered
thx graeme,

i got the answer with a little bit of cgiwrap reading. you are the best for answering it as well. especially on a weekend.

thx again, and I will definitely encourage my client to upgrade to 6.x

