File And Directory Access Control

If you must access a file or a folder that you do not have rights to, you must first take ownership of that file or folder. When you do this, you replace the security permissions that were originally created for the file or folder.

To do this via Command Prompt you can use the “takeown” command.

A simple example would be:

takeown /f test.txt - which would take ownership of the file test.txt as the current user

In the example below – takeown /f * /r /d y – I have navigated into the parent folder TestFolder to take owner ship of all files and folders (including sub-directories) as the current user, and have specified that I would like to take ownership when prompted.

Takeown Command

You should get a message of success for each object this is carried out upon.

There are several useful arguments which can be used with the “takeown” command as demonstrated above.

/s <Computer> – Specifies the hostname or IP address of a remote computer (do not use backslashes). The default value is the local computer. This parameter applies to all of the files and folders specified in the command.

/u [<Domain>]<User name> – Runs the script with the permissions of the specified user account. The default value is system permissions.

/p [<Password>] – Specifies the password of the user account that is specified in the /u parameter.

/f <File name> – Specifies the file name or directory name pattern. You can use the wildcard character * when specifying the pattern. You can also use the syntax ShareNameFileName.

/a – Gives ownership to the Administrators group instead of the current user.

/r – Performs a recursive operation on all files in the specified directory and subdirectories.

/d {Y | N} – Suppresses the confirmation prompt that is displayed when the current user does not have the “List Folder” permission on a specified directory, and instead uses the specified default value.

Y: Take ownership of the directory.
N: Skip the directory.

Note that you must use this option in conjunction with the /r option.

Apache web servers implement the use of .htaccess (hypertext access) files to govern the way information is managed for a client. These directory-level configuration files are placed inside a web tree and allow for decentralized management of a web server’s configuration, capable of overriding the server’s global configuration.

The original purpose of .htaccess was to allow per-directory access control (e.g. requiring a password to access specific content). Today .htaccess can override many other configuration settings, commonly related to content control and proves a powerful tool in the world of Search Engine Optimisation.

Some very useful and common uses of .htaccess files are listed below.

Custom Directory Index Files

You can change a default index file of directory so that a user is served a default page should they request a directory. For example if a user requests /foo/, Apache will serve up /foo/index.html

Syntax:

DirectoryIndex < default-file >

Example:

DirectoryIndex index.html index.php index.htm

Note: In the above code snippet Apache will first try to serve the file index.html should it exist, failing the existence of index.html Apache will then attempt to serve index.php and so on.

Custom Error Pages

Standard error messages can be unsupportive and worse they actually drive viewers off your site! You may therefore wish to redirect your users to a custom error page. Error message can be mapped to a specified webpage, or you may also write a common page for all the http errors as follows:

Syntax:

ErrorDocument < error-code > < location -of-custom-page>

Example:

ErrorDocument /error.html

ErrorDocument 403 /403.html

ErrorDocument 404 /404.html

File and directory access control

.htaccess can be used to restrict access to individual files and folders.

One way to restrict user access would be by IP

Syntax:

order <setting-priority>

deny from <address>

allow from <address>

Example – Only those on the local IP 192.168.0.1 would be granted access

order deny,allow

deny from all

allow from 192.168.0.1

These types of rules become useful for filtering out undesirable IP blocks, known risks, perhaps some persistent robot that doesn’t play by the rules. In which case you would use a deny from < ip-address>

You may also wish to password protect a file. In which case you will need to create a .htpasswd file. This file stores your credentials for validating a user and should NOT be placed in a folder reachable externally.

Syntax:

AuthType <authentication-method>

AuthUserFile <passwordfile-location>

<Files <file-type>>

Require <requirement>

Example – The file test.mp3 will ask for a username and password to match that of those stored in the file C:/web-site/.htpasswd on the web server.

AuthName “Restricted Area”

AuthType Basic

AuthUserFile C:/ web-site/.htpasswd

<Files test.mp3>

require valid-user

</Files>

Modifying Environment Variables

Environment variables contain information used by the web server. Set/Unset environment variables using SetEnv and UnSetEnv.

Syntax:

SetEnv <environment-option> <option-setting>

Example – To set your website webmaster

SetEnv SITE_WEBMASTER “Robert Longworth”

Compression

Example – If your web server has the mod_gzip module enabled

<IfModule mod_gzip.c>

mod_gzip_on Yes

mod_gzip_dechunk Yes

mod_gzip_item_include file .(html?|txt|css|js|php|pl)$

mod_gzip_item_include handler ^cgi-script$

mod_gzip_item_include mime ^text/.*

mod_gzip_item_include mime ^application/x-javascript.*

mod_gzip_item_exclude mime ^image/.*

mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*

</IfModule>

Example – If your web server has the mod_deflate module enabled

<Location>

SetOutputFilter DEFLATE

SetEnvIfNoCase Request_URI

.(?:gif|jpe?g|png)$ no-gzip dont-vary

SetEnvIfNoCase Request_URI

.(?:exe|t?gz|zip|gz2|sit|rar)$ no-gzip dont-vary

</Location>

Tag Archives: File and directory access control

Take ownership of files with denied access in Windows using Command Prompt

Apache .htaccess tips