Controlling Web Page Access With HTAccess
from http://www.mcs.kent.edu/system/web_help/htaccess/introduction.html
File permissions
Basics on file permissions
Every file and directory in your account can be protected from or made
accessible to other users by changing its access permissions. You can only
change the permissions for files and directories that you own. In
order to display the access permissions of a file or directory, use the
command:
ls -l {filename/directory}
This displays a one-line summary for that file or directory. For example:
-rwxr-xr-x 1 jdoe ugrad 2810 Aug 28 16:34 index.html
The first item -rwxr-xr-x represents the access permissions on this file
or directory. There are three types of permissions:
r    the file or directory is readable
w    the file or directory is writable
x    the file or directory is executable
Each of these permissions can be set for any of three types of user:
u    the user who owns the file
g    members of the group to which the owner belongs
o    all other users
The access permissions are represented as a nine-character string, which
is displayed when the ls -l command is executed:
    user   group   others
    r w x  r w x   r w x
Directories are treated slightly differently than regular files. In order
to give a user permission to change into a directory, they must have execute
permission for that directory. In order to be able to do an ls on that directory
(i.e., read the directory), they must have read permission for that directory.
In order to access a file within a directory, they need only have
execute permission on the directory (together with the appropriate permission
on the file itself).
In order to change the permissions on a file, the chmod command
is used:
chmod {mode filename}
chmod {mode directory_name}
where the mode consists of who (u/g/o), how (+/-/=), and which (r/w/x).
For more information on the chmod command, please execute the command
man chmod.
File permissions for web pages
In order to give the web browser permission to display a web page, the
page must be readable by "others", and any directories above that page
must be executable by "others", for example:
-rwx---r-- for files
drwx-----x for directories
Otherwise, the browser cannot open the file to display it. There is no
way to get around this.
The main problem with this scheme is that anyone else who qualifies
as part of "others" can also see that page from your public_html directory
on aegis or another machine, regardless of the .htaccess file. They may
not be permitted to bring the page up via the web browser, but it is still
a regular UNIX file, and can be read and even copied to their home directory
from the UNIX file system itself.
There are several things you can do to make it harder for users to access
your web pages via the file system:
1. Remove all permissions for "group" from the files and directories you
wish to protect. Since the web browser is a part of "others", this has
no effect on the web browser's ability to display the files, but keeps
everyone in the same group as you (e.g., ugrad or grad) out.
2. Only allow execute permission for "others" on the directories you wish
to protect. Users will still be able to change to the directory, but they
will not be able to see which files are in that directory. They would have
to previously know the name of the file they are looking for.
3. Minimize the number of links to password protected pages from non-password
protected pages. If someone can get to a page which links to a password
protected page, they can see which page the link points to, and now they
know exactly which file to look for (see #2).
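As an added example (not from the original page), the script below applies the rules above from the shell: web_reachable checks that a page is readable by "others" and that every directory from the account directory down to it is executable by "others", and harden_tree applies steps 1 and 2 to a directory tree. The function names, the TOP argument and the sample tree built by make_sample are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original page: check a page under an
# account directory TOP (assumed to be reachable already). Every directory
# from TOP down to the page must be executable by "others" and the page
# itself must be readable by "others".

# First ten characters of the ls -l line: type plus nine permission bits.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Does "others" have execute on directory $1?  Last character is x, or t
# when the sticky bit is also set (as on /tmp).
others_exec() { case $(mode_of "$1") in *[xt]) return 0 ;; esac; return 1; }

# Does "others" have read on file $1?  Third character from the end.
others_read() { case $(mode_of "$1") in *r??) return 0 ;; esac; return 1; }

# web_reachable FILE TOP: 0 if a browser (part of "others") can open FILE.
web_reachable() {
    file=$1; top=$2
    others_read "$file" || { echo "$file: others lack read (r)"; return 1; }
    dir=$(dirname "$file")
    while :; do
        others_exec "$dir" || { echo "$dir: others lack execute (x)"; return 1; }
        if [ "$dir" = "$top" ]; then return 0; fi
        if [ "$dir" = / ]; then return 1; fi   # ran past TOP: FILE not under it
        dir=$(dirname "$dir")
    done
}

# Hardening steps 1 and 2 from the list above: strip all "group" access and
# leave "others" only execute on directories, so they can traverse but not
# list. The "others" permissions on files are left unchanged.
harden_tree() {
    find "$1" -type d -exec chmod g-rwx,o=x {} +
    find "$1" -type f -exec chmod g-rwx {} +
}

# Constructed sample: a throwaway account directory with one protected page.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/private"
    echo '<p>members only</p>' > "$root/public_html/private/index.html"
    chmod 755 "$root" "$root/public_html" "$root/public_html/private"
    chmod 644 "$root/public_html/private/index.html"
    echo "$root"
}

# Usage: root=$(make_sample); web_reachable "$root/public_html/private/index.html" "$root"
```

Because the check reads the mode string from ls -l rather than trying to open the file, it reports what "others" would see even when run as the owner.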