Protecting the members dir #145075
04/21/01 10:15 AM
Anonymous OP
Unregistered

Hi,

On my hosting I can't place the members dir above the http root. So atm it's placed in a subdirectory of the cgi-bin.

I don't have telnet on my hosting so I'm not sure if I can drop a htaccess file in there ?

I can in my control panel password protect certain directories but I don't know if this is going to affect registration and normal member activities if I was to do so.

How can I go about protecting this dir pls ?

Thanks

Re: Protecting the members dir #145076
04/21/01 12:12 PM
Anonymous OP
Unregistered

Normally, if the Members directory is under the CGI-BIN folder, it should be protected, if your webhost doesn't allow the execution of scripts CHMOD to 777. That way, the script shouldn't be able to be viewed or run.

Re: Protecting the members dir #145077
04/21/01 01:47 PM
Anonymous OP
Unregistered

Hi,

I can chmod to 777 :/

Can I use a htaccess file without having telnet ?

and if I used a htaccess file saying

deny from all

how can I check to see if it's working ?

Yep Apache Unix if I hadn't already mentioned it

Thanks

Re: Protecting the members dir #145078
04/21/01 01:58 PM
Anonymous OP
Unregistered

Sure, you can use a .htaccess file without telnet - just as long as your server recognizes it. Apache does by default, but it can be disabled centrally.

Anyway, if it is working and you try to access a file in the members area by URL, you should get a 403 forbidden error.

Graeme

Re: Protecting the members dir #145079
04/21/01 02:12 PM
Anonymous OP
Unregistered

Thanks Graeme I'll give it a go :)

Re: Protecting the members dir #145080
04/22/01 09:50 AM
Anonymous OP
Unregistered

That worked perfectly thanks :) I got a luvly 403 error when trying to access my members files directly through my browser.

I feel safer already :D

Thanks again,

moosh

Re: Protecting the members dir #145081
04/27/01 08:13 PM
Anonymous OP
Unregistered

hey,

I thought this was a good place to drop my question, as I searched the entire board for how to protect the Members dir. I apologize in advance if you've answered this question before.

I need to know if 777 rights is absolutely necessary for the Members dir. I need to protect a 5.47d from Linux shell users viewing the password files. This is not about protecting from http or ftp clients. This is protecting it from ssh clients.

I'm a server administrator for several virtual hosts on one machine, one of which is a major UBB board with 5,000 registered users. Since this client is a not-for-profit site, they couldn't afford one machine robust enough, so they got some of their members to share the server. Hell, I'm a long-standing member too.

Question: If I must use 777 permissions, do you guys know of any way to assign perl's "nobody" to the Members group, thus allowing me to reset permissions to 770. Actually I thought "nobody" was part of the "root" wheel, anyhow. So why do you say 777 is necessary?

I know, I know, I should just place this board on its own partition. But hey, I was too concerned about speed (the reason they came to me), so I focused on setting it up with its own apache instantiation. got surprised by the text-based passwords after it was too late....sigh.

Sorry I don't just experiment before bothering you, but this client's board easily has 100+ apache sessions going at once. One wrong test and my client gets emailed by 25-50 people.

Re: Protecting the members dir #145082
04/27/01 10:39 PM
Anonymous OP
Unregistered

Best thing would be to have the board running cgiwrap'd under a dedicated id, then chown all the UBB stuff over to it and start chmod'ing as low as you want. You could even go 700. But that requires a working cgiwrap.

Otherwise, "nobody" MUST have access to the files, and 777 is typically the only way to get that.

Almost forgot to mention:
If the board doesn't run under a dedicated user, there's nothing to stop another server user from accessing the member files using their own CGI scripts, which also run as "nobody".

Graeme

Re: Protecting the members dir #145083
04/28/01 01:11 PM
Anonymous OP
Unregistered

Thanks Graeme,

I've since made 'nobody' a supplemental group of the UBB's group for this client. That definitely allowed me to reset to 770. thx for the tip that a user could still create a 'nobody' script.

I'll look into the cgiwrap method.

Follow up question, is your method still vulnerable to a script using 'nobody'.

Re: Protecting the members dir #145084
04/28/01 01:49 PM
Anonymous OP
Unregistered

If UBB runs as a dedicated user and you chmod the Members directory to 700 (and chown the directory to the UBB's user), "nobody" no longer has access, so the other-member's-script method no longer works.

Graeme
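
The end state described in the post above (Members directory owned by the board's dedicated user, mode 700) can be checked from a shell with the script below. It is an added example written for this page, not part of the thread or of UBB, and the path and user name passed to it are placeholders. It also flags the 770 arrangement with "nobody" in the group, which the thread notes still leaves the files open to other users' CGI scripts.

```bash
#!/bin/sh
# Added example: audit a Members directory against the layout described above
# (owned by one dedicated user, mode 700, no group or world access).

# List entries under $1 that grant any permission bit to "other".
world_accessible() {
    find "$1" ! -type l \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print
}

# List entries under $1 that grant any permission bit to the owning group.
group_accessible() {
    find "$1" ! -type l \( -perm -0040 -o -perm -0020 -o -perm -0010 \) -print
}

# List entries under $1 that are not owned by user $2 (name or numeric uid).
wrong_owner() {
    find "$1" ! -user "$2" -print
}

# Print one report section if $2 (a newline-separated path list) is non-empty.
report() {
    [ -z "$2" ] && return 0
    printf 'FAIL: %s\n%s\n' "$1" "$2"
    return 1
}

# Return 0 only when nothing under $1 is reachable by anyone but user $2.
audit_members_dir() {
    dir=$1; owner=$2; status=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    report "accessible to every local account, including CGI run as nobody" \
        "$(world_accessible "$dir")" || status=1
    report "reachable through group membership (e.g. nobody added to the group)" \
        "$(group_accessible "$dir")" || status=1
    report "not owned by $owner" "$(wrong_owner "$dir" "$owner")" || status=1
    [ "$status" -eq 0 ] && echo "OK: $dir is private to $owner"
    return "$status"
}

# Usage: sh audit.sh /path/to/Members ubbuser   (both arguments are placeholders)
if [ "$#" -eq 2 ]; then
    audit_members_dir "$1" "$2"
fi
```

Run it as root or as the dedicated user, since an unprivileged account cannot list the contents of a correctly locked-down 700 directory.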

Re: Protecting the members dir #145085
04/29/01 12:57 AM
Anonymous OP
Unregistered

thx graeme,

i got the answer with a little bit of cgiwrap reading. you are the best for answering it as well. especially on a weekend.

thx again, and I will definitely encourage my client to upgrade to 6.x

