Hiding directory contents from HTTP - Security


Thread: Hiding directory contents from HTTP

  1. Hiding directory contents from HTTP

    I have a file named index.html in the top-level
    directory where my ISP hosts web space for me, and
    people browsing to that directory see the contents
    of index.html rather than a directory listing. How
    effective is this way of hiding files? Is there
    a variant of the HTTP "GET" command that says,
    "Give me the directory listing, not index.html"?

    The URL is http://webpages.charter.net/curryfans/.

    I've tried creating a subdirectory with permissions
    rwx------ and ownership curryfans.apache, but if
    you guess its name, its contents are presented
    without visible reluctance.

    I'm not looking for CIA-proof security, just a way
    to share with friends stuff that I might not want
    to lay before all the weirdos on the Internet,
    no offense, present company excepted of course.

    --
    Peter Pearson
    To get my email address, substitute:
    nowhere -> spamcop, invalid -> net


  2. Re: Hiding directory contents from HTTP

    On Tue, 20 Dec 2005 12:45:44 -0800, Peter Pearson shouted Hoy......

    >
    >
    > I have a file named index.html in the top-level
    > directory where my ISP hosts web space for me, and
    > people browsing to that directory see the contents
    > of index.html rather than a directory listing. How
    > effective is this way of hiding files? Is there
    > a variant of the HTTP "GET" command that says,
    > "Give me the directory listing, not index.html"?
    >
    > The URL is http://webpages.charter.net/curryfans/.
    >
    > I've tried creating a subdirectory with permissions
    > rwx------ and ownership curryfans.apache, but if
    > you guess its name, its contents are presented
    > without visible reluctance.
    >
    > I'm not looking for CIA-proof security, just a way
    > to share with friends stuff that I might not want
    > to lay before all the weirdos on the Internet,
    > no offense, present company excepted of course.


    I assume apache used there?

    If so:

    mv index.html index.html.dont.use

    chmod o+rw

    add to http.conf


    Options Indexes
    Order deny,allow
    Allow from
    Deny from all


    YMMV

    --
    Dancin' in the ruins tonight
    mail: echo onub-hgbg@pbyhzohf.ee.pbz | perl -pe 'y/a-z/n-za-m/'
    Tayo'y Mga Pinoy


  3. Re: Hiding directory contents from HTTP

    Baho Utot wrote:
    > On Tue, 20 Dec 2005 12:45:44 -0800, Peter Pearson shouted Hoy......
    >> I have a file named index.html in the top-level
    >> directory where my ISP hosts web space for me, and
    >> people browsing to that directory see the contents
    >> of index.html rather than a directory listing. How
    >> effective is this way of hiding files? Is there
    >> a variant of the HTTP "GET" command that says,
    >> "Give me the directory listing, not index.html"?


    > I assume apache used there?


    That's what the server says, in response to my GET
    command.

    > If so:
    >
    > mv index.html index.html.dont.use
    >
    > chmod o+rw
    >
    > add to http.conf

    [. . . snip]

    I don't have an http.conf that I'm aware of. Is this
    a file I can put into the directory with my html files?
    I'm sure charter.net won't allow me to edit *their*
    http.conf.


    --
    Peter Pearson
    To get my email address, substitute:
    nowhere -> spamcop, invalid -> net


  4. Re: Hiding directory contents from HTTP

    On Tue, 20 Dec 2005 22:10:02 +0000, Baho Utot mumbled something like this:

    > On Tue, 20 Dec 2005 12:45:44 -0800, Peter Pearson shouted Hoy......
    >
    >
    >>
    >> I have a file named index.html in the top-level directory where my ISP
    >> hosts web space for me, and people browsing to that directory see the
    >> contents of index.html rather than a directory listing. How effective is
    >> this way of hiding files? Is there a variant of the HTTP "GET" command
    >> that says, "Give me the directory listing, not index.html"?
    >>
    >> The URL is http://webpages.charter.net/curryfans/.
    >>
    >> I've tried creating a subdirectory with permissions rwx------ and
    >> ownership curryfans.apache, but if you guess its name, its contents are
    >> presented without visible reluctance.
    >>
    >> I'm not looking for CIA-proof security, just a way to share with friends
    >> stuff that I might not want to lay before all the weirdos on the
    >> Internet, no offense, present company excepted of course.

    >
    > I assume apache used there?
    >
    > If so:
    >
    > mv index.html index.html.dont.use
    >
    > chmod o+rw
    >
    > add to http.conf
    >
    >
    > Options Indexes
    > Order deny,allow
    > Allow from
    > Deny from all
    >

    >
    > YMMV


    His ISP will definitely not allow him to play with their httpd.conf!

    He could probably use .htaccess and htpasswd if he has shell access to the
    server.

    --
    Rinso
    /\
    / \
    /wizz\
    ~~~~~~~~~~~~


  5. Re: Hiding directory contents from HTTP

    Rincewind wrote:
    >
    > His ISP will definitely not allow him to play with their httpd.conf!
    >
    > He could probably use .htaccess and htpasswd if he has shell access to the
    > server.


    I could ftp .htaccess and htpasswd to the server, but I gather
    it's not cool to put htpasswd in a web-visible place.

    Thanks for thinking about this for me.

    --
    Peter Pearson
    To get my email address, substitute:
    nowhere -> spamcop, invalid -> net


  6. Re: Hiding directory contents from HTTP

    On Tue, 20 Dec 2005 17:37:51 -0800, Peter Pearson mumbled something like
    this:

    > Rincewind wrote:
    >>
    >> His ISP will definitely not allow him to play with their httpd.conf!
    >>
    >> He could probably use .htaccess and htpasswd if he has shell access to
    >> the server.

    >
    > I could ftp .htaccess and htpasswd to the server, but I gather it's not
    > cool to put htpasswd in a web-visible place.
    >
    > Thanks for thinking about this for me.


    htpasswd is the command that is used to create and manage the access
    file(s), not a file that you would ftp up. It is usually located in
    /usr/bin on a *nix system.

    You are correct that you could probably ftp a .htaccess file and a
    password file to your site, but you will need to be able to locate the
    password file where it cannot be accessed by browsers. The .htaccess file
    should point to this location and should be stored in the directory you
    want to protect. The following example uses groups as well as users, but
    you don't need to create the .group file if not required.

    Here is an example .htaccess:

    AuthType Basic
    AuthName "MYSITE LOGIN"
    AuthUserFile /home/mysite/logs/.passwd
    AuthGroupFile /home/mysite/logs/.group

    require valid-user


    and the command to create the .passwd file containing 'jim' would be:

    htpasswd -c /home/mysite/logs/.passwd jim

    You will then be prompted for the password and the file will be created.
    Amend the paths to something appropriate for your circumstances.

    A study of the relevant man pages would also help.

    --
    Rinso
    /\
    / \
    /wizz\
    ~~~~~~~~~~~~


  7. Re: Hiding directory contents from HTTP

    On Wed, 21 Dec 2005 10:21:01 +0000, Rincewind wrote:

    Sorry, the following wrapped incorrectly when posted

    >
    > AuthType Basic
    > AuthName "MYSITE LOGIN"
    > AuthUserFile /home/mysite/logs/.passwd AuthGroupFile
    > /home/mysite/logs/.group
    > require valid-user
    >

    >


    Remove the blank lines from the following:

    AuthType Basic

    AuthName "MYSITE LOGIN"

    AuthUserFile /home/mysite/logs/.passwd

    AuthGroupFile /home/mysite/logs/.group



    require valid-user




    --
    Microsoft Scandisk
    ------------------
    Because your computer was not properly shut down, one or more
    of your drives may contain errors.

    To avoid seeing this message again, shut down your computer
    by selecting 'Shut Down' from the 'Start' menu and leave it
    switched off.
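
An added example, not part of Rincewind's posts or of Apache's own tooling: a small Python lint for the two pitfalls this exchange turns on, a password or group file that sits inside the browsable tree and a directive line that wrapped in transit. The document root `/home/mysite/public_html`, the function names and the web-visible sample are assumptions made for illustration.

```python
import posixpath
import shlex

FILE_DIRECTIVES = ("authuserfile", "authgroupfile")

def parse(text):
    """Yield (first_token, remaining_args) for each non-blank, non-comment line."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)   # shlex keeps "MYSITE LOGIN" as one argument
            yield name, args

def is_under(path, root):
    """True if the normalised path is root itself or lies below it."""
    root = posixpath.normpath(root).rstrip("/")
    path = posixpath.normpath(path)           # collapses ../ before comparing
    return path == root or path.startswith(root + "/")

def audit(text, doc_root):
    """Return a list of findings for one .htaccess; an empty list means none found."""
    findings, seen = [], set()
    for name, args in parse(text):
        key = name.lower()                    # Apache directive names are case-insensitive
        seen.add(key)
        if name.startswith("/"):
            findings.append(f"stray path on its own line (wrapped directive?): {name}")
        if key not in FILE_DIRECTIVES:
            continue
        if len(args) != 1:
            findings.append(f"{name} expects exactly one path, got {args}")
        elif not posixpath.isabs(args[0]):
            findings.append(f"{name} is relative; Apache resolves it against ServerRoot")
        elif is_under(args[0], doc_root):
            findings.append(f"{name} is inside the document root: {args[0]}")
    if "authuserfile" in seen and "require" not in seen:
        findings.append("no Require directive, so no login is enforced")
    return findings

DOC_ROOT = "/home/mysite/public_html"         # assumed layout, not stated in the thread
# Constructed samples: the .htaccess as intended, as it wrapped, and a web-visible variant.
HEAD = 'AuthType Basic\nAuthName "MYSITE LOGIN"\n'
AS_POSTED = HEAD + "AuthUserFile /home/mysite/logs/.passwd\nAuthGroupFile /home/mysite/logs/.group\nrequire valid-user\n"
WRAPPED = HEAD + "AuthUserFile /home/mysite/logs/.passwd AuthGroupFile\n/home/mysite/logs/.group\nrequire valid-user\n"
WEB_VISIBLE = AS_POSTED.replace("/home/mysite/logs/", DOC_ROOT + "/private/")

if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("wrapped", WRAPPED), ("web-visible", WEB_VISIBLE)):
        print(label, audit(text, DOC_ROOT))
```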

  8. Re: Hiding directory contents from HTTP

    On Tue, 20 Dec 2005 15:08:27 -0800, Peter Pearson shouted Hoy......

    >
    >
    > Baho Utot wrote:
    >> On Tue, 20 Dec 2005 12:45:44 -0800, Peter Pearson shouted Hoy......
    >>> I have a file named index.html in the top-level
    >>> directory where my ISP hosts web space for me, and
    >>> people browsing to that directory see the contents
    >>> of index.html rather than a directory listing. How
    >>> effective is this way of hiding files? Is there
    >>> a variant of the HTTP "GET" command that says,
    >>> "Give me the directory listing, not index.html"?

    >
    >> I assume apache used there?

    >
    > That's what the server says, in response to my GET
    > command.
    >
    >> If so:
    >>
    >> mv index.html index.html.dont.use
    >>
    >> chmod o+rw
    >>
    >> add to http.conf

    > [. . . snip]
    >
    > I don't have an http.conf that I'm aware of. Is this
    > a file I can put into the directory with my html files?
    > I'm sure charter.net won't allow me to edit *their*
    > http.conf.


    Yes, it is called .htaccess; apache will "protect" the file from access if
    it (apache) is configured correctly. It won't be seen from the inet.

    Ok, then

    Have a look at this:
    http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html

    http://httpd.apache.org/docs/2.0/sections.html

    http://httpd.apache.org/docs/2.0/mod...n#indexoptions

    Those may/will answer your questions.

    --
    Dancin' in the ruins tonight
    mail: echo onub-hgbg@pbyhzohf.ee.pbz | perl -pe 'y/a-z/n-za-m/'
    Tayo'y Mga Pinoy


  9. Re: Hiding directory contents from HTTP

    Baho Utot wrote:
    > Yes, it is called .htaccess; apache will "protect" the file from access if
    > it (apache) is configured correctly. It won't be seen from the inet.
    >
    > Ok, then
    >
    > Have a look at this:
    > http://httpd.apache.org/docs/2.0/mod/mod_autoindex.html
    >
    > http://httpd.apache.org/docs/2.0/sections.html
    >
    > http://httpd.apache.org/docs/2.0/mod...n#indexoptions
    >
    > Those may/will answer your questions.


    Hey, thank you very much. And thanks to Dave and Rincewind, too.

    I had a rather discouraging (as expected) chat with a Charter
    customer-service tech, who wanted to talk about files' "Hidden"
    attributes, suggested I learn more about web authoring, and
    noted that they don't support Linux -- all as if it had something
    to do with my question. Sigh.

    --
    Peter Pearson
    To get my email address, substitute:
    nowhere -> spamcop, invalid -> net

