What kind of security can be implemented from within the Apache Web Servers htaccess files?
Recently I was asked the following question and decided to post it here for others.
I have set up a sandbox site for my students. They have subdirectories under a main directory on my site.
order deny,allow deny from all
Works like a charm. One problem, though. If the student was savvy enough he could place an htaccess file in the subdirectory he has access to that reverses this file.
order deny,allow allow from all
Darn it all, the student is now able to run php scripts in his directory.
I am sure there is a way to indicate in the htaccess file on the main level that any htaccess files in subdirectories should be ignored. It is a simple thing, but I can find how to do that.
You need to remove their ability to execute scripts. Heres a couple different ways I do it.
This is cool, the AddHandler directive sets all the files ending in those extensions to be handled as cgi-script. The next line uses the Options directive to disable cgi-script completely. This is special so that they fall under the jurisdiction of the -ExecCGI command, which also means -FollowSymLinks
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi Options -ExecCGI
Combine that with
order allow, deny deny from all
Then you might try blocking most HTTP Request Types, and disabling the RewriteEngine.
Options -ExecCGI -Indexes -All RewriteEngine On RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST) RewriteRule .* - [F] RewriteEngine Off
If you'd rather have .pl, .py, or .cgi files displayed in the browser rather than executed as scripts, simply create a .htaccess file in the relevant directory with the following content:
RemoveHandler cgi-script .pl .py .cgi ForceType text/plain .pl .py .cgi
Options -ExecCGI RemoveHandler .cgi .pl .py .php4 .pcgi4 .php .php3 .phtml .pcgi .php5 .pcgi5 RemoveType .cgi .pl .py .php4 .pcgi4 .php .php3 .phtml .pcgi .php5 .pcgi5