Web Page Security

What are file permissions and how do I set them?

Permissions are the way you regulate access to your files. When setting up web pages, the main thing you'll be concerned with is making sure everyone can read the file while not letting them overwrite it. There may be some things that you don't want people to have access to at all. To set permissions, you will use the chmod command. There are two ways to use chmod: number or text.

Using the numbering scheme, the chmod command has three number places, for example 744, representing the three user types. The first number on the left side is for "user", the middle one is for "group" and the right hand one for "other." Now, here's what each number does:

0  =  ---  =  no access
1  =  --x  =  execute
2  =  -w-  =  write
3  =  -wx  =  write and execute
4  =  r--  =  read
5  =  r-x  =  read and execute
6  =  rw-  =  read and write
7  =  rwx  =  read, write and execute (full access)

So, if you set a file to:

chmod 750 foo.html
      ^^^
      ||`-- others have no access
      |`-- group has read and execute access
      `-- user has full access

Now, for directories:

read = list files in the directory
write = add new files to the directory
execute = access files in the directory

Using text-based commands, the syntax is:

chmod [ugo][+-=][rwx] [filename]
u=user, g=group and o=other; + turns on the attributes which follow it, - turns them off, and = sets them to exactly those attributes: r=read, w=write, x=execute.

For example, typing chmod go+r foo.html turns on the read bits for group and others on file "foo.html". Note that this command does NOT reset the other bits, so any previously specified permissions will not be changed. For example, this did not change any permissions for user, and if group already had execute permission, it did not remove it. But if you type chmod go=r foo.html, it will set file foo.html to be readable by group and other and turn off any write and execute permissions group and others had.

For the purposes of most websites, chmod 644 * or chmod a+r * (all files world-readable, writeable only by owner) should suffice; subdirectories should be set to 755/a+rx (which will allow files within the directory to be listed and read).
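The following script is an added example, not part of the original Panix page: it applies the 644/755 layout recommended above to a whole web tree and shows the difference between "go+r" (adds bits) and "go=r" (replaces bits). It assumes a POSIX shell with find, ls, cut and mktemp; the file and directory names it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): apply the recommended web-tree
# permissions (644 for files, 755 for directories) and compare "go+r" with "go=r".

# Print the ls-style mode string (e.g. -rw-r--r--) for one path.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Recursively set directories to 755 and files to 644 under $1.
apply_web_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Show that "+r" only adds the read bit, while "=r" replaces all of
# group's and other's bits with read only. Prints both mode strings.
demo_symbolic() {
    f="$1"
    chmod 770 "$f"               # start: rwx for user and group, none for others
    chmod go+r "$f"              # adds read; group keeps its w and x bits
    after_plus=$(mode_of "$f")
    chmod go=r "$f"              # group and other become exactly r--
    after_equal=$(mode_of "$f")
    echo "$after_plus $after_equal"
}

# Stand-alone run over a constructed sample site in a temporary directory.
main() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site/images"
    echo '<p>hello</p>' > "$tmp/site/index.html"
    : > "$tmp/site/images/logo.png"
    chmod 777 "$tmp/site/index.html"     # deliberately too open
    chmod 700 "$tmp/site/images"         # deliberately too closed
    apply_web_perms "$tmp/site"
    echo "index.html:    $(mode_of "$tmp/site/index.html")"
    echo "images/:       $(mode_of "$tmp/site/images")"
    echo "go+r vs go=r:  $(demo_symbolic "$tmp/site/index.html")"
    rm -rf "$tmp"
}
main
```

Running it prints "-rw-r--r--" for the file, "drwxr-xr-x" for the directory, and "-rwxrwxr-- -rwxr--r--" for the two symbolic forms; the second pair is the reason to use "=" rather than "+" when you want to be sure no stray write or execute bits remain.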

For more information, run man chmod from a Unix prompt.

How can I control access to my site (or parts of it)?

Your site, or parts of it, may not be intended for the eyes of the general populace. You can limit access to parties with usernames and passwords (provided by you) by using an .htaccess file to turn on HTTP Basic authentication, a basic access-control mechanism built into the HTTP protocol.

You need two files:
.htaccess
.htpasswd

The .htaccess file must be placed in the directory you want protected. It must contain the following:

For a Cheap-web or personal web account:

AuthUserFile /htdocs/userdirs/[$USERNAME]/.htpasswd
AuthGroupFile /dev/null
AuthName "Private"
AuthType Basic
require valid-user

and for a Standard, Advanced, or Developer Web account:

AuthUserFile /htdocs/corp-dirs/[$USERNAME]/[$DOMAIN]/.htpasswd
AuthGroupFile /dev/null
AuthName "Private"
AuthType Basic
require valid-user

The above example places the .htpasswd file in the root directory of your website. Naturally, you can place it anywhere you choose in your directory structure.

.htpasswd is where you will place the list of authorized usernames and passwords. The format is as follows:

username1:password1
username2:password2
...

Passwords are in an encrypted form. Do not create them by hand; use the command htpasswd to create them.
Usage: htpasswd [-c] passwordfile username
(The -c flag creates a new file).

Both files must be set via chmod to 755.

You might also want to customize the response given to an unauthorized access attempt ("401: Unauthorized"). The following line is an example of what you can add to .htaccess:

ErrorDocument 401 /401.html

This will direct unauthorized requests to the file "401.html" (assumed to be in your root directory in the above example), which can contain forbidding graphics, pithy sayings, or anything else you decide will inform the viewer that the page is restricted. The 401 document must be given as a local path rather than a full http:// URL: a full URL makes Apache send a redirect instead of the 401 response, and the browser then never receives the challenge that prompts for a username and password.

This can, of course, be done for any of the error codes ("404: Not found" and "403: Forbidden" for example).
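The script below is an added example, not part of the original Panix page, and is meant to catch the common mistakes in the layout described above: an .htaccess whose AuthUserFile points at a path that does not exist, an .htpasswd with a malformed line, or an .htpasswd that group or others can write to. It assumes a POSIX shell with awk, grep, ls and mktemp; the .htpasswd content it writes is a constructed placeholder, not a real hash (real entries come from the htpasswd command).

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a directory
# protected with .htaccess + .htpasswd as described in the text.

# Print the path named by AuthUserFile in $1/.htaccess (empty if absent).
auth_user_file() {
    awk '$1 == "AuthUserFile" { print $2; exit }' "$1/.htaccess" 2>/dev/null
}

# Return 0 if every non-blank line of $1 is exactly "user:hash" with both
# fields non-empty; otherwise print the first offending line and return 1.
check_htpasswd() {
    awk '
        /^[[:space:]]*$/ { next }
        !/^[^:]+:[^:]+$/ { print "bad line " NR ": " $0; bad = 1; exit }
        END { exit bad }
    ' "$1"
}

# Return 0 if $1 is not writable by group (mode char 6) or others (char 9).
not_group_other_writable() {
    m=$(ls -ld "$1" | cut -c1-10)
    case "$m" in
        ?????w????|????????w?) return 1 ;;
    esac
    return 0
}

# Run all checks on protected directory $1; return 0 only if every check passes.
check_protected_dir() {
    dir="$1"
    [ -f "$dir/.htaccess" ] || { echo "missing $dir/.htaccess"; return 1; }
    grep -q '^AuthType[[:space:]]*Basic' "$dir/.htaccess" \
        || { echo "AuthType Basic missing"; return 1; }
    grep -q '^require[[:space:]]*valid-user' "$dir/.htaccess" \
        || { echo "require valid-user missing"; return 1; }
    pw=$(auth_user_file "$dir")
    [ -n "$pw" ] || { echo "AuthUserFile missing"; return 1; }
    [ -f "$pw" ] || { echo "AuthUserFile points at nonexistent $pw"; return 1; }
    check_htpasswd "$pw" || return 1
    not_group_other_writable "$pw" || { echo "$pw is group/other writable"; return 1; }
    return 0
}

# Build a constructed protected directory in a temp location and check it.
main() {
    tmp=$(mktemp -d)
    mkdir "$tmp/private"
    # Constructed placeholder entry; a real file is made with "htpasswd -c".
    printf 'alice:CONSTRUCTED-HASH-NOT-REAL\n' > "$tmp/.htpasswd"
    cat > "$tmp/private/.htaccess" <<EOF
AuthUserFile $tmp/.htpasswd
AuthGroupFile /dev/null
AuthName "Private"
AuthType Basic
require valid-user
ErrorDocument 401 /401.html
EOF
    chmod 755 "$tmp/.htpasswd" "$tmp/private/.htaccess"
    if check_protected_dir "$tmp/private"; then echo "layout OK"; fi
    rm -rf "$tmp"
}
main
```

Run check_protected_dir against the directory you protected after editing either file; it prints the first problem it finds. When adding users with htpasswd, pass -c only for the very first user, since -c creates the file afresh and discards any entries already in it.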

What are cookies and how do they work?

An HTTP cookie is text data exchanged between web servers and web browsers and used for authentication, storing user preferences, and tracking dynamically-stored information (such as, for example, the contents of electronic shopping carts).

For more detailed information about cookies, please see the Wikipedia entry.

How do I keep spammers from exploiting my web scripts?

To prevent attacks by spammers who exploit customers' vulnerable CGI scripts on our web servers, Panix has installed a filter script that holds mail addressed to a large number of recipients (the usual hallmark of a spammer). Panix staff are notified when such mail is held; we review it at the first opportunity and, unless it is the result of a break-in by a spammer, send it on.

We ask any customers who send (legitimate) large mailings via a web CGI to send us (via email to staff@panix.com) the full path of any scripts they run that send mail to multiple destinations. If these scripts are not exploitable, we'll add them to an exception list so that they can send mail without restrictions.

Customers who have not reviewed the CGI scripts in their web directories in recent years should follow the instructions below, disabling or deleting any unused scripts.

Last Modified: Wednesday, 30-Jan-2013 12:14:12 EST
© Copyright 2006-2011 Public Access Networks Corporation