Zacqary

Reputation: 2435

Are folder permissions on a web server adequate security?

I'm working on a project which uses a folder full of flat-file databases. I'd like to make sure these databases are only accessible to scripts running off the server, so I set the folder permissions to 700.

This results in all scripts functioning properly, but a 403 Forbidden whenever I try to access the database folder in my browser. This is good.

However, I'm wondering: am I missing something? Is there any way – short of gaining access to my FTP account – for an outside user to access this folder? Or can I rest easy?

Upvotes: 1

Views: 81

Answers (1)

ThiefMaster

Reputation: 318568

The proper solution is storing them outside the document root. If you cannot do that, but know that Apache will be used, create a .htaccess in the folder with the following contents:

order deny,allow
deny from all

Using filesystem permissions may or may not work depending on the environment - in a perfect setup the webserver would use the same uid as your system user that owns the files. Then your approach wouldn't work.

Upvotes: 2
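An added example, not part of the answer above: a small audit that checks the three conditions the answer turns on, namely whether the data folder sits under the document root, whether a deny rule is present in its .htaccess, and whether mode 700 actually excludes the web server's uid. The function name, finding labels and directory layout are hypothetical.

```python
import os
import stat
import tempfile
from pathlib import Path


def audit_data_dir(data_dir, doc_root, server_uid):
    """Return finding labels (hypothetical names) for a flat-file data folder."""
    data, root = Path(data_dir).resolve(), Path(doc_root).resolve()
    st = data.stat()
    findings = []

    # Anything under the document root is mapped to a URL by default.
    if data == root or root in data.parents:
        findings.append("inside-docroot")
        ht = data / ".htaccess"
        rules = ""
        if ht.is_file():
            rules = "\n".join(
                line.strip().lower()
                for line in ht.read_text().splitlines()
                if not line.lstrip().startswith("#")
            )
        # The rule from the answer, or "Require all denied" (Apache 2.4 syntax).
        if "deny from all" not in rules and "require all denied" not in rules:
            findings.append("no-htaccess-deny")

    # Mode 700 only blocks the server when it runs as a different uid.
    if st.st_uid == server_uid and st.st_mode & stat.S_IRWXU:
        findings.append("server-uid-owns-dir")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group-or-other-access")
    return findings


if __name__ == "__main__":
    # Constructed layout: docroot/db with mode 700, server running as our own uid.
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp, "docroot", "db")
        db.mkdir(parents=True)
        db.chmod(0o700)
        print(audit_data_dir(db, Path(tmp, "docroot"), os.getuid()))
```

The check reads the .htaccess file only; it cannot tell whether the server's AllowOverride setting lets that file take effect, so confirm the 403 with a real request as well.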
