db2admin has asked for the wisdom of the Perl Monks concerning the following question:

Is it possible to prevent people from browsing the directory structure of a web site that falls outside of cgi-bin (i.e. /images, /html, etc.)? I am using a web host and so do not have control over web server configuration files such as httpd.conf.

Does anyone have any suggestions? Thanks.

David K.

Replies are listed 'Best First'.
Re: preventing directory browsing
by vladb (Vicar) on May 02, 2003 at 04:27 UTC
    Dropping a blank index.html file in each of the directories should work. Try placing one at the top of your directory tree and it'll 'hide' any directories below (by not allowing a client to see them in the first place). One would have to do a darn good guessing job in order to get to the lower directories ;-)

    _____________________
    # Under Construction
      Yes, but....

      Beware that you will only hide the directories on the same level. If you link to any object on any other level, the user doesn't have to guess directories any more, and he can browse at least a subtree. Put empty index.html-files (or even perhaps with redirects) everywhere.

      If you're on an Apache server, and it's configured to read .htaccess files, you can use it to turn off browsing for an entire subtree (if I remember correctly). However, what you can do with an .htaccess file depends on the server setup, so you have to ask the server administrators. Read all about .htaccess in this tutorial.

      Thank you very much for your suggestion.

      David K.

Re: preventing directory browsing
by hmerrill (Friar) on May 02, 2003 at 12:46 UTC

    Previous suggestions about putting a blank index.html in each directory that you do *NOT* want a directory listing to be generated in will work.

    But, are you sure your web host's webserver config allows access to those directories other than cgi-bin?

    I just looked in my apache httpd.conf file, and if I interpret this correctly it explains that the default setting of

    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>

    for the root '/' directory, restricts access to that directory and all directories below, unless overridden by definitions for specific subdirectories (under '/'). So since this 'Directory /' definition (this is the default on my machine) doesn't specify 'Indexes', then no directory index listings will be generated for any directory unless expressly enabled by an 'Option Indexes' in a 'Directory' definition entered into the httpd.conf file.

    So looks to me like you may(?) already be protected by your web host's webserver config. But if not, then either

    1. put a blank index.html in each directory you want to protect (against directory listing), OR
    2. assuming the webserver config is configured for it, you can also put a .htaccess file in each directory you want to protect.
    HTH.
Re: preventing directory browsing
by pzbagel (Chaplain) on May 02, 2003 at 04:49 UTC

    Do you have shell access? Can you change permissions on directories? If you remove the read bit for the user that the webserver will be accessing your files with from the directories then the web server will not be able to get file listings, however, any URLs can be served up normally.

    Usually this should be enough:

    chmod o-r <directory>

    If the http user is in the group that owns your directories, then you may need to do this:

    chmod g-r <directory>

    However, that could put a hamper on collaboration efforts if many people update the site using a common group. And never remove your own read permissions to the directory. You won't be able to ls the directories yourself. But you can easily put it back. You can run this on your whole web tree in one command:

    find . -type d -exec chmod o-r {} \;

    Cheers

      Thank you very much for your suggestion.

      David K.
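
An added example (not part of any reply above) that audits a web tree against the two measures suggested in this thread: a blank index.html in each directory, and `chmod o-r` on the directory. It assumes the web server user falls under the "other" permission class; `listable_dirs` and `demo_tree` are hypothetical names, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Reports directories that are covered by neither suggestion: no index.html
# inside, and the "other" read bit still set. These are the directories a
# server with indexing enabled could still list.
# Assumption: the web server user is neither owner nor group member.

listable_dirs() {
    # $1 = web root to audit; prints one uncovered directory per line
    find "$1" -type d -perm -004 | while IFS= read -r dir; do
        [ -e "$dir/index.html" ] || printf '%s\n' "$dir"
    done | sort
}

# Constructed sample tree: a blank index.html at the top level and in html/
# only, which leaves images/ and images/thumbs/ uncovered (the "Yes, but..."
# case), plus one directory already protected with o-r.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/images/thumbs" "$root/html" "$root/private"
    : > "$root/index.html"
    : > "$root/html/index.html"
    chmod 755 "$root" "$root/images" "$root/images/thumbs" "$root/html"
    chmod 751 "$root/private"   # read bit removed, execute bit kept
    printf '%s\n' "$root"
}

if [ "$#" -gt 0 ]; then
    listable_dirs "$1"
else
    demo=$(demo_tree)
    listable_dirs "$demo"
    rm -rf "$demo"
fi
```

Run it with a web root as the argument before and after `find . -type d -exec chmod o-r {} \;`; an empty result means every directory is covered by one of the two measures.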