Fedora Linux Support Community & Resources Center
  #1  
Old 14th May 2007, 09:37 PM
giles100 Offline
Registered User
 
Join Date: May 2007
Posts: 3
need help securing filepaths

Hi,

This is my first posting so I hope it’s in the right place. I’m finishing my first dynamic site, which I’m administrating, on Fedora Core 4. I’m learning as I go along - so please forgive if questions are a bit unclear.

I’m currently reviewing the security of my site after reading an article (lost the URL!!!!!) that recommended using relative file paths to hinder attacks ... I think it was saying you can stop an attack by the fact that you are concealing the root directory. (e.g. ../index.html) - is this true?

Thing is, the root of my site is the “public_HTML” folder on my server .... and so if I know my URL I can access any subdirectories. The only way I can see to truly protect my image folders, include files etc is to place them in a higher directory - i.e. in an adjacent folder to public_HTML, so the root folder cannot be guessed.

- Does this make sense?
- is this possible?
- or can you recommend a more appropriate practice?

many thanks in advance
Giles
  #2  
Old 14th May 2007, 11:02 PM
landoncz Offline
Registered User
 
Join Date: Dec 2005
Location: Florida, USA
Age: 34
Posts: 338
No, sorry I don't think that makes much sense from a security standpoint. For security, you should be more concerned about permissions than folder naming. From a website maintenance standpoint, relative paths are usually the way to go since they limit the amount of "hard coding" of directory names, thus making directory changes easier to manage.

Anything that Apache has permissions to read, you should assume that people will be able to get to it via the web, whether they "guess" correctly or not. So, you should just set sensitive information with permissions so that Apache cannot read/write there...
  #3  
Old 19th May 2007, 08:13 PM
giles100 Offline
Registered User
 
Join Date: May 2007
Posts: 3
OK thanks, your comments pointed me in the right direction and I’m a lot clearer now on the difference between security and organisation. On the latter I’ve made some changes … but I’ve hit a snagging point. Goes like this … I’ve moved my includes files, templates, JavaScripts and CSS out of public_html to a new folder so I have :

ServerRoot/public_html
ServerRoot/moved_items/includes/
ServerRoot/moved_items/templates/
ServerRoot/moved_items/java/
ServerRoot/moved_items/css/

This works perfectly on my localhost (erm dare I say it’s currently erm Windows) with expressions such as "../../../moved_items/css/", but not when I upload it to my FC4 server. My pages can see the includes folder and the template folder, but they appear NOT to be able to locate the css or JS folder and I’m lost to know why that is. They’re all called with the same expressions so why should half work and half not?

More confusingly, placing the css folder one level up (as below) to test, DOES work …

ServerRoot/public_html
ServerRoot/css/

… am I missing something?
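Added example, not part of any post in this thread: it traces the same `../../../moved_items/...` expression once as a browser request and once as a server-side include, to show which of the two can reach a folder beside `public_html`. It assumes a plain DocumentRoot mapping with no Alias directives; the `/srv/site` prefix, host name and file names are constructed.

```python
import posixpath
from urllib.parse import urljoin, urlsplit

# Constructed layout mirroring the thread: DocumentRoot is public_html and
# moved_items is its sibling. The absolute prefix /srv/site is an assumption.
SITE = "/srv/site"
DOCROOT = posixpath.join(SITE, "public_html")


def inside(root, path):
    """True if the normalised path lies at or below root."""
    path = posixpath.normpath(path)
    return posixpath.commonpath([root, path]) == root


def browser_request_path(page_url, href):
    """URL path the browser requests after resolving a relative href.

    Dot-segments are removed on the client (RFC 3986) and '..' cannot
    climb above '/', so the server never sees the surplus '../'.
    """
    return urlsplit(urljoin(page_url, href)).path


def served_file(url_path):
    """File a plain DocumentRoot mapping (no Alias directives) would serve."""
    return posixpath.normpath(posixpath.join(DOCROOT, url_path.lstrip("/")))


def include_file(script_path, rel):
    """File a server-side include opens: an ordinary filesystem path."""
    return posixpath.normpath(posixpath.join(posixpath.dirname(script_path), rel))


if __name__ == "__main__":
    page_url = "http://example.test/a/b/page.html"      # constructed URL
    script = posixpath.join(DOCROOT, "a/b/page.html")    # same page on disk

    css = served_file(browser_request_path(
        page_url, "../../../moved_items/css/site.css"))
    inc = include_file(script, "../../../moved_items/includes/header.inc")

    print("css request maps to:", css, "| under DocumentRoot:", inside(DOCROOT, css))
    print("include opens:      ", inc, "| under DocumentRoot:", inside(DOCROOT, inc))
```

Files the browser has to fetch (CSS, JavaScript, images) must live under the DocumentRoot or be exposed through server configuration, while files read only by server-side code can stay outside it and cannot be requested by URL.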
  #4  
Old 20th May 2007, 06:53 AM
marcrblevins Offline
Registered User
 
Join Date: Jun 2006
Location: Texas
Age: 42
Posts: 4,168
Dude, why don't you password protect those image folders? Search forum for htpasswd.