2

I want to restrict access to certain folders (includes, xml and logs for example) and so I've given them 700 permissions, and all files within them 600 permissions. Firstly, is this the right approach to restrict access?

I have a .htaccess file in my root that handles rewriting and error documents. There are two pages in the root - 403.php and 404.php - for 403 and 404 errors. And I have these rules added to my .htaccess file:

ErrorDocument 404 /404.php ErrorDocument 403 /403.php

Now, the 404 page works just fine. The 403 page does not show when I try to access the 'includes' folder - I get the standard apache 403 error page instead, saying 'Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.'

However, when I try going to the .htaccess file (in the web root) in my browser, I get my custom 403 error page. Why is this happening?

Improve this question
2
  • What are you trying to restrict access from - web requests? Who's the owner of the files? As far as the ErrorDocument directives not applying, is the .htaccess file in a parent directory of your includes directory? Commented Nov 17, 2011 at 6:12
  • Yes, from web requests. The .htaccess is in a parent folder. It's in the root folder - the includes directory is one of the subfolders there. Ideal would be to place the includes out of the web root I'm sure, but I have no need of very strict security. I'd just like to have some basic restrictions in place. Commented Nov 17, 2011 at 10:43

1 Answer 1

Reset to default
2

Is there a .htaccess file inside the includes/ folder? And does it have an ErrorDocument 403 directive?

If that one is overriding the parent one then that could cause the issue you describe.

Try putting the ErrorDocument directive in your httpd.conf or vhost file.

What do you see in your access and error logs for these requests ?

It's also worth triple checking that the 403 line definitely says ErrorDocument 403 /403.php and not ErrorDocument 403 403.php. That small typo would cause all of the symptoms you described.

Update after chat:

The final solution was to make the includes directory readable by the Apache user and add this to the .htaccess:

 <Location /includes> Order Deny,Allow Deny from all </Location>
Improve this answer
10
  • There is only one .htaccess file, and that's in the root directory. I don't have access to httpd.conf as this is on a shared hosting server. I'm not sure how to access the logs - when I attempt to open the 'http' folder within the logs folder in my ftp client, I get Failed to retrieve directory listing Commented Nov 17, 2011 at 15:28
  • Ah, that's because /var/log/httpd usually has restrictive permissions in most distros because it's a security issue to have it writable. You will need to get a shell account with appropriate privileges on your server if you want to be an effective sysadmin. Commented Nov 17, 2011 at 16:21
  • I've made the user a shell user, but no cigar. I assume there are some permissions somewhere that I've missed? Is there no way to debug this without accessing those logs? Commented Nov 17, 2011 at 16:41
  • You also need "sudo" permission for your shell account. The command sudo -s will change you to the root user which will allow you to see that directory. It will also allow you to do anything at all, including deleting the entire server, so double check what you're typing when you are the root user. Commented Nov 17, 2011 at 17:15
  • Thanks for the help. My error.log has this line: [Fri Nov 18 02:31:36 2011] [crit] [client 117.202.97.45] (13)Permission denied: /home/adorups/adorups.com/includes/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable - I take it apache is searching for a htaccess file within the includes directory, but can't find it because of the file permissions? What can I do about this? Commented Nov 18, 2011 at 13:45

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.