
Chmod Understandings


shadowls

Hello HBH'ers, I am a little dumbfounded by the way chmod works on a particular server. Let's say that I have a server running on someone else's server. My first question is: am I considered the owner or am I a user?

And now my second question: let's say I want to chmod this folder so that when a user is accessing the page, he gets access denied, while the page can still be accessed as a 3rd party page. Is that even possible?

For example:

www.google.com/images: I want to chmod that folder but make the files inside that folder only accessible through a 3rd party via iframe.


Mordak

shadowls wrote: Let's say that I have a server running on someone else's server. My first question is: am I considered the owner or am I a user?

Is your server running as a VM? If so, you should have ROOT and that would mean you are the owner. If you don't have ROOT then I would say you are a user on that box.

shadowls wrote: And now my second question: let's say I want to chmod this folder so that when a user is accessing the page, he gets access denied, while the page can still be accessed as a 3rd party page. Is that even possible?

I would just use an htaccess file to limit the rights on the folder. You might run into Cross Origin Resource Sharing (CORS) by using an IFrame.


MrCyph3r

For the first question, it entirely depends on how the server you are connected to is configured… you may be the root of a virtual machine, you may be jailed in a particular chroot environment, or you may be a regular user with permissions on your home or web root directory.

The answer to the second question is yes, it is possible… and there are different possible implementations. In my opinion the best way to keep private, per-user or sensitive files inaccessible by a direct HTTP request is to put them in a separate folder outside the web root directory; this way the web server cannot serve those files to the user for obvious reasons. Unfortunately in some cases (depending on permissions, as in your first question) you can't do that, and so your best chance is to specify file/folder access directives to the web server, via configuration files (main config files or .htaccess). If you use an .htaccess file, as suggested by Mordak, you can prevent HTTP requests on files (by regex or filename), basically blocking communications.

Order deny,allow
Deny from all

Using this method you will still be able to read your files via code.

References (assuming that you are using Apache):
Apache config for Directory (for main config only): http://httpd.apache.org/docs/2.2/mod/core.html#directory
Apache config for Files: http://httpd.apache.org/docs/2.2/mod/core.html#files


elmiguel

I would suggest using the Apache config file over htaccess when at all possible, and have it load on run and not have it "module" loaded. This will avoid path directive clashing and is a little more secure than having it served via a file.

ROOT is always owner, but sudo is as well; if you are a part of sudoers or wheel you can do sudo chmod [options] [file[s]]

In your config if you do

Order Deny,Allow
Deny from All
Allow from xxx.xxx.xxx.xxx

where the xxx.xxx.xxx.xxx is the third party IP address, such as a vendor, you can limit who has access.
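
The Order/Deny/Allow directives quoted in the replies above are easy to get backwards, so here is an added example (not code from the thread or from Apache) that models how Apache 2.2 evaluates them against the address of the client making the request. It is a simplified model that handles only `all`, single IPs and CIDR ranges; the function names are hypothetical and the addresses are constructed documentation-range values.

```python
import ipaddress

def _matches(specs, client):
    """True if the client address matches any 'from' spec ('all', IP or CIDR)."""
    addr = ipaddress.ip_address(client)
    return any(
        spec.lower() == "all" or addr in ipaddress.ip_network(spec, strict=False)
        for spec in specs
    )

def parse(config):
    """Collect Order, 'Deny from' and 'Allow from' lines (case-insensitive)."""
    order, deny, allow = "deny,allow", [], []   # Apache 2.2 default Order
    for line in config.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "order" and len(words) > 1:
            order = "".join(words[1:]).lower()
        elif key in ("deny", "allow") and len(words) >= 3 and words[1].lower() == "from":
            (deny if key == "deny" else allow).extend(words[2:])
        else:
            # A misspelled directive is a configuration error, not a silent allow.
            raise ValueError(f"unrecognised directive: {line.strip()!r}")
    return order, deny, allow

def is_allowed(config, client):
    """Apply the Order semantics to one client address."""
    order, deny, allow = parse(config)
    denied, allowed = _matches(deny, client), _matches(allow, client)
    if order == "deny,allow":
        # Default is allow; a matching Allow overrides a matching Deny.
        return allowed or not denied
    if order == "allow,deny":
        # Default is deny; a matching Deny overrides a matching Allow.
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order!r}")

# Constructed sample configurations.
BLOCK_ALL = "Order deny,allow\nDeny from all"
VENDOR_ONLY = "Order Deny,Allow\nDeny from All\nAllow from 203.0.113.10"
SWAPPED = "Order Allow,Deny\nDeny from All\nAllow from 203.0.113.10"

if __name__ == "__main__":
    for name, cfg in (("BLOCK_ALL", BLOCK_ALL), ("VENDOR_ONLY", VENDOR_ONLY), ("SWAPPED", SWAPPED)):
        for ip in ("203.0.113.10", "198.51.100.7"):
            print(name, ip, "allowed" if is_allowed(cfg, ip) else "denied")
```

With the same three lines under `Order Allow,Deny`, the `Deny from All` wins and even the listed address is refused, which is the usual reason an allow-list appears not to work.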