Protect Server Files by Default
One aspect of Apache which is occasionally misunderstood is the feature of default access. That is, unless you take steps to change it, if the server can find its way to a file through normal URL mapping rules, it can serve it to clients.
For instance, consider the following example:
1. # cd /; ln -s / public_html
2. Accessing http://localhost/~root/
This would allow clients to walk through the entire filesystem. To work around this, add the following block to your server’s configuration:
<Directory />
Order Deny,Allow
Deny from all
</Directory>
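One way to audit a configuration for the default-deny block above, as an added example that is not part of the original page. The function name, the sample configurations and the simplified matching rules are assumptions; it goes slightly beyond the page by also accepting the Apache 2.4 form, Require all denied.

```python
import re

# Constructed sample configurations (not taken from any real server).
UNPROTECTED = """<Directory "/var/www/html">
    Order Allow,Deny
    Allow from all
</Directory>
"""
PROTECTED_22 = """<Directory />
    Order Deny,Allow
    Deny from all
</Directory>
"""
PROTECTED_24 = """<Directory "/">
    Require all denied
</Directory>
"""
COMMENTED_OUT = """#<Directory />
#    Deny from all
#</Directory>
"""

# Captures the path and body of each <Directory ...> section.
# <DirectoryMatch> is skipped because whitespace must follow "Directory".
SECTION = re.compile(
    r'^[ \t]*<Directory\s+"?([^">]+?)"?\s*>(.*?)^[ \t]*</Directory>',
    re.I | re.M | re.S)

def root_denied_by_default(config_text):
    """Return True if some <Directory /> section denies all access.

    Simplifications (assumptions of this example): Include files are not
    followed, sections are not merged the way httpd merges them, and a
    partial Allow (for example "Allow from 10.0.0.0/8") is not evaluated.
    """
    # Drop comment lines so a commented-out block does not count.
    active = "\n".join(line for line in config_text.splitlines()
                       if not line.lstrip().startswith("#"))
    for path, body in SECTION.findall(active):
        if path.strip() != "/":
            continue
        directives = [" ".join(d.split()).lower()
                      for d in body.splitlines() if d.strip()]
        if "require all denied" in directives:   # Apache 2.4 syntax
            return True
        if "deny from all" in directives and "allow from all" not in directives:
            return True                          # Apache 2.2 syntax, as on this page
    return False
```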