
Perms to prevent .htaccess alterations



#1 Bluesplinter


Posted 01 June 2010 - 11:10 AM

What is the best set of perms to prevent scripts from tinkering with an .htaccess file (including the control panel, DA in this case)? I had installed a forum script in a private subdomain, protected with .htaccess. When I found the forum software unacceptable, I deleted the files via the DA control panel before installing a different script, which (of course) deleted the .htaccess file, and the private subdomain was no longer so private. Luckily I discovered the problem quickly, but it brought this question to mind.

Since this is a cloud server, and I have SSH access, I can change the perms and owner:group to whatever will work best. Mostly, I don't want any PHP script to be able to alter the file, nor be able to delete it from the DA control panel. I know if it's set to root:root, DA can't delete it, but I don't think it'll actually WORK with that owner:group. So, what's the best way to handle this?

FWIW, I would normally just put the auth code in the httpd conf vhost section, which is off-limits for scripts, but then the DA password function won't work (or is that wrong?).

Anyway, thoughts? :)

Thanks!
Steve

P.S. Goodness... looks like I'm monopolizing this forum ;)

#2 CH-Jonathan


Posted 01 June 2010 - 11:43 AM

Hi Steve,

You can use chattr +i <whatever you want to chattr> to set the immutable bit on a file - which makes it read-only to everything (even root) until the file(s) is/are re-owned (chattr -i).


Jonathan M. Slivko
Senior Support Representative
Cartika, Inc.
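
The approach from the answer above, as an added example that is not part of the original thread: shell functions that set the immutable bit on an .htaccess file, confirm it with lsattr, and audit lsattr output for files that lack the bit. The function names and sample paths are assumptions; chattr +i needs root and a filesystem that supports file attributes.

```shell
#!/bin/sh
# Added example. Function names and paths are hypothetical.
# chattr +i requires root (CAP_LINUX_IMMUTABLE) and a filesystem with
# attribute support (e.g. ext4). Any process holding that capability can
# clear the bit again, so this stops PHP scripts and the panel user, not root.

# has_immutable_flag LINE -> 0 if LINE (one line of lsattr output,
# "<flags> <path>") carries the lowercase 'i' (immutable) flag.
has_immutable_flag() {
    flags=${1%% *}                    # first field = attribute flags
    case $flags in
        ''|*[!A-Za-z-]*) return 1 ;;  # not a flags field, e.g. "lsattr: ..." error
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# lock_htaccess FILE -> set the bit, then verify it actually took effect.
lock_htaccess() {
    chattr +i "$1" || return 1
    has_immutable_flag "$(lsattr -d -- "$1" 2>&1)"
}

# report_unprotected -> read lsattr output on stdin, print every entry that
# is not immutable; returns 1 if any was found.
report_unprotected() {
    found=0
    while IFS= read -r line; do
        has_immutable_flag "$line" && continue
        printf 'NOT IMMUTABLE: %s\n' "$line"
        found=1
    done
    return "$found"
}

# audit_htaccess DOCROOT -> check every .htaccess below DOCROOT.
audit_htaccess() {
    find "$1" -type f -name .htaccess -exec lsattr -d -- {} + 2>&1 |
        report_unprotected
}

# Typical use as root:
#   lock_htaccess /home/user/domains/example.test/public_html/.htaccess
#   audit_htaccess /home/user/domains
# To edit the file later: chattr -i FILE, make the change, lock it again.
```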

#3 Bluesplinter


Posted 01 June 2010 - 11:55 AM

Hey Jonathan,

CH-Jonathan, on 01 June 2010 - 11:43 AM, said:

You can use chattr +i

Yeah, works perfect! Thanks :)
Steve




