Protecting the members dir #145075
04/21/01 11:15 AM

Anonymous OP
Unregistered


Hi,

On my hosting I can't place the members dir above the http root. So atm it's placed in a subdirectory of the cgi-bin.

I don't have telnet on my hosting so I'm not sure if I can drop a htaccess file in there?

I can in my control panel password protect certain directories but I don't know if this is going to affect registration and normal member activities if I was to do so.

How can I go about protecting this dir pls?

Thanks

Re: Protecting the members dir #145076
04/21/01 01:12 PM

Anonymous OP
Unregistered


Normally, if the Members directory is under the CGI-BIN folder, it should be protected, if your webhost doesn't allow the execution of scripts CHMOD to 777. That way, the script shouldn't be able to be viewed or run.

Re: Protecting the members dir #145077
04/21/01 02:47 PM

Anonymous OP
Unregistered


Hi,

I can chmod to 777 :/

Can I use a htaccess file without having telnet?

and if I used a htaccess file saying

deny from all

how can I check to see if it's working?

Yep Apache Unix if I hadn't already mentioned it

Thanks

Re: Protecting the members dir #145078
04/21/01 02:58 PM

Anonymous OP
Unregistered


Sure, you can use a .htaccess file without telnet - just as long as your server recognizes it. Apache does by default, but it can be disabled centrally.

Anyway, if it is working and you try to access a file in the members area by URL, you should get a 403 forbidden error.

Graeme

Re: Protecting the members dir #145079
04/21/01 03:12 PM

Anonymous OP
Unregistered


Thanks Graeme I'll give it a go :)

Re: Protecting the members dir #145080
04/22/01 10:50 AM

Anonymous OP
Unregistered


That worked perfectly thanks :) I got a luvly 403 error when trying to access my members files directly through my browser.

I feel safer already :D

Thanks again,

moosh

Re: Protecting the members dir #145081
04/27/01 09:13 PM

Anonymous OP
Unregistered


hey,

I thought this was a good place to drop my question, as I searched the entire board for how to protect the Members dir. I apologize in advance if you've answered this question before.

I need to know if 777 rights is absolutely necessary for the Members dir. I need to protect a 5.47d from Linux shell users viewing the password files. This is not about protecting from http or ftp clients. This is protecting it from ssh clients.

I'm a server administrator for several virtual hosts on one machine, one of which is a major UBB board with 5,000 registered users. Since this client is a not-for-profit site, they couldn't afford one machine robust enough, so they got some of their members to share the server. Hell, I'm a long-standing member too.

Question: If I must use 777 permissions, do you guys know of any way to assign perl's "nobody" to the Members group, thus allowing me to reset permissions to 770? Actually I thought "nobody" was part of the "root" wheel, anyhow. So why do you say 777 is necessary?

I know, I know, I should just place this board on its own partition. But hey, I was too concerned about speed (the reason they came to me), so I focused on setting it up with its own apache instantiation. Got surprised by the text-based passwords after it was too late....sigh.

Sorry I don't just experiment before bothering you, but this client's board easily has 100+ apache sessions going at once. One wrong test and my client gets emailed by 25-50 people.

Re: Protecting the members dir #145082
04/27/01 11:39 PM

Anonymous OP
Unregistered


Best thing would be to have the board running cgiwrap'd under a dedicated id, then chown all the UBB stuff over to it and start chmod'ing as low as you want. You could even go 700. But that requires a working cgiwrap.

Otherwise, "nobody" MUST have access to the files, and 777 is typically the only way to get that.

Almost forgot to mention:
If the board doesn't run under a dedicated user, there's nothing to stop another server user from accessing the member files using their own CGI scripts, which also run as "nobody".

Graeme

Re: Protecting the members dir #145083
04/28/01 02:11 PM

Anonymous OP
Unregistered


Thanks Graeme,

I've since made 'nobody' a supplemental group of the UBB's group for this client. That definitely allowed me to reset to 770. Thx for the tip that a user could still create a 'nobody' script.

I'll look into the cgiwrap method.

Follow up question, is your method still vulnerable to a script using 'nobody'?

Re: Protecting the members dir #145084
04/28/01 02:49 PM

Anonymous OP
Unregistered


If UBB runs as a dedicated user and you chmod the Members directory to 700 (and chown the directory to the UBB's user), "nobody" no longer has access, so the other-member's-script method no longer works.

Graeme
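
The 777 / 770 / 700 trade-off discussed in the posts above, as an added example that is not part of any post in this thread: a POSIX shell audit that reports the weakest permission class on a Members directory and its files. The function names and the usage path are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Members directory for the
# 777 / 770 / 700 modes discussed above. All names here are hypothetical.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Classify an octal mode by who besides the owner gets any access:
#   world = "other" bits set (777): every shell user and every CGI process
#   group = group bits set, other clear (770): members of the group only
#   owner = owner only (700): the CGI must run as the owner (cgiwrap)
classify_mode() {
    m=$1
    other=${m#"${m%?}"}            # last octal digit
    rest=${m%?}
    group=${rest#"${rest%?}"}      # second-to-last octal digit
    if [ "${other:-0}" != 0 ]; then echo world
    elif [ "${group:-0}" != 0 ]; then echo group
    else echo owner
    fi
}

# Print the weakest class found on the directory and its non-hidden entries.
# Conservative: a world-readable file is flagged even inside a 700 directory.
audit_members_dir() {
    worst=owner
    for p in "$1" "$1"/*; do
        [ -e "$p" ] || continue
        c=$(classify_mode "$(mode_of "$p")")
        if [ "$c" = world ]; then
            worst=world
            echo "world-accessible: $p" >&2
        elif [ "$c" = group ] && [ "$worst" = owner ]; then
            worst=group
        fi
    done
    echo "$worst"
}

# Usage: sh audit.sh /path/to/Members
if [ -n "${1:-}" ]; then audit_members_dir "$1"; fi
```

A result of `group` still includes every CGI script that runs as the shared web user when that user is in the group; only `owner` corresponds to the dedicated-user setup.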

Re: Protecting the members dir #145085
04/29/01 01:57 AM

Anonymous OP
Unregistered


Thx Graeme,

I got the answer with a little bit of cgiwrap reading. You are the best for answering it as well. Especially on a weekend.

Thx again, and I will definitely encourage my client to upgrade to 6.x

