Re: Hiding all files beginning with dot
On Thu, 17 Mar 2005, Tim wrote:
> On Tue, 15 Mar 2005 10:27:28 +0000,
> Mark <watson@211bakerstreet.com> posted:
>
> > I have been labouring under the belief that files beginning with a dot
> > were hidden from public view on Unix.
They aren't really hidden (if we're still talking about unix-ish file
systems).
> As with *ix, they're hidden from view when listing a directory (i.e. it
> won't list dot prefixed file and directory names),
"ls -al" on any unix-ish system that I've ever used.
(OK, AFS is different. Let's not go there today...)
> but you can still view the contents of them if you know the file or
> directory name yourself.
Whether a web server permits a resource to be seen and to be accessed
depends on its configuration.
There's nothing remotely magical about an initial "." prefix: it's
no more than a convention that ls without the -a option omits dot
files.
If the server decides not to include them in a directory listing, that
isn't because it couldn't, but plain and simple because a decision was
taken to leave them out of the listing.
> Hiding and denying access are two different things.
True.
> > However I find that on my server this is only true for certain files
> > such as .htaccess.
>
> There's specific rules for them in the main configuration file.
Indeed, and modern Apache versions by default deny access to filenames
beginning with ".ht".
In the old days, we used to counsel that .htpasswd files should be
stored outside of the web tree, so that accidental web access to them
would be impossible[1]. But it was so damned convenient to put
individual .htpasswd files into the subdirectory that they were meant
to control that many folks disregarded this counsel, and the logical
move was to simply deny web access to anything resembling that kind of
file.
all the best
[1] years ago I was asked to diagnose access problems to a large
web server across the Atlantic, and quite by accident read the
.htpasswd file for its web document root. The file included a
password hash even for a user called "root". No, I resisted the
temptation to run crack against it...
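
As an added illustration that is not part of the original post: a small audit that walks a document root and separates the dot-prefixed paths that the ".ht" deny rule mentioned above would cover from those it would not. The regex modelling that rule, the function names and the sample tree are assumptions constructed for this example.

```python
import os
import re
import tempfile

# Assumption: models the stock rule from the post (file names starting ".ht").
HT_RULE = re.compile(r"^\.ht")


def audit_docroot(docroot):
    """Return (covered, exposed) lists of paths relative to docroot.

    covered: file name matches the ".ht" rule.
    exposed: file is dot-prefixed, or lives under a dot-prefixed directory,
             and the rule does not match its name, so only the rest of the
             server configuration decides whether it is served.
    """
    covered, exposed = [], []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        rel_dir = os.path.relpath(dirpath, docroot)
        parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        in_dot_dir = any(p.startswith(".") for p in parts)
        for name in filenames:
            rel = "/".join(parts + [name])
            if HT_RULE.match(name):
                covered.append(rel)
            elif name.startswith(".") or in_dot_dir:
                exposed.append(rel)
    return sorted(covered), sorted(exposed)


def build_sample_tree(root):
    """Create a constructed sample layout (not taken from the post)."""
    for rel in (".htaccess", "private/.htpasswd", ".env",
                ".git/config", "index.html", "notes/.draft.txt"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        covered, exposed = audit_docroot(root)
        for rel in covered:
            print("covered by .ht rule:", rel)
        for rel in exposed:
            print("NOT covered, check config:", rel)
```

Files inside a dot-prefixed directory are reported even when their own names have no dot, since a rule keyed on the file name alone does not match them.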