newbie questions about security
I'm trying to understand various aspects of permissions. I wanted to encapsulate my whole web site, so beneath / (root) I put a /Home folder. I would like only the contents of /Home to be viewable. I first set the protection of / to be not viewable by anonymous, but then any time I try to do anything I have to enter a password. I worked around this by making the /index_html not viewable by anonymous, but leaving /Home viewable. Is this the way I am supposed to do it, at the document level as opposed to the folder level?

Next I decided to try and squirrel away all my images into a /Home/img folder. I don't want anything in this folder to be directly viewable. So I created an index_html document (more on this later) and made it not viewable. Fine, anonymous can't read it, so that works, but I have to make the images viewable. If I make /Home/img not viewable (don't acquire permissions), then the whole directory requires a password any time I access an image. So I let /Home/img acquire permissions, and try and change the permissions at the image level. Now the problem is that if I make the images directly viewable, I can access them from /Home, which is what I want, but I can also get to them explicitly via /Home/img/ImageName, which I don't want. So I can get the image even though /Home/img is password protected. What is the correct way to have an image folder be totally non-viewable but still accessible from another folder?

A weird/cool feature I discovered, which may be interesting to other newbies, is that acquisition acquires the protection of the parent, not the child. At least I found this. I made my /Home/img folder not viewable by anonymous, but didn't put an index_html document in it. Surprisingly, as anonymous I could view /Home/img. My guess is that the index_html document was inherited from /Home, which was viewable, so the permissions of /Home applied, rather than the permissions of /Home/img.
Danny
danny shevitz wrote:
> I'm trying to understand various aspects of permissions. I wanted to encapsulate my whole web site, so beneath / (root) I put a /Home folder. I would like only the contents of /Home to be viewable. I first set the protection of / to be not viewable by anonymous, but then any time I try to do anything I have to enter a password. I worked around this by making the /index_html not viewable by anonymous, but leaving /Home viewable. Is this the way I am supposed to do it, at the document level as opposed to the folder level?
Probably what's happening here is that:

a) You don't have an index_html in Home, in which case it's acquired from /, or

b) You are using standard_html_header and standard_html_footer in /Home which are acquired from /.

"b" probably explains the behavior you suggested in your following paragraphs (which I snipped).

--
Chris McDonough
Digital Creations, Inc.
Zope - http://www.zope.org