ankush grover
2007-Feb-10 10:11 UTC
[CentOS] How to prevent reading of an xml in a particular directory from browser in apache on Centos4.4
hi friends,

I have configured a HelpDesk Ticketing System on Centos4.4. The problem I am facing is that there is a file called "site.xml" which contains the information about database connections and I don't want ppl to be able to read that file through browser. As per the readme.htm of that software if the below entries will be put in .htaccess then nobody can read the xml through browser.

<Files ~ ".xml">
Order allow,deny
Deny from all
Satisfy All
</Files>

Even though the above entries are there in .htaccess still I am able to read "site.xml" file. How do I prevent the reading of this file ?

HelpDesk Ticketing Software is under /var/www/html/request and .htaccess is also under /var/www/html/request.

Please let me know if you need any further information.

Thanks & Regards

Ankush Grover
Cynthia Kiser
2007-Feb-12 00:31 UTC
[CentOS] How to prevent reading of an xml in a particular directory from browser in apache on Centos4.4
On 2/10/07, ankush grover <ankushcentos at gmail.com> wrote:
> I have configured a HelpDesk Ticketing System on Centos4.4. The
> problem I am facing is that there is a file called "site.xml" which
> contains the information about database connections and I don't want
> ppl to be able to read that file through browser. As per the
> readme.htm of that software if the below entries will be put in
> .htaccess then nobody can read the xml through browser.

I am not an apache wiz but have you tried excluding just that file - I think the stanza you posted was trying to block reading of all xml files.

Also, how is your top level apache config file set up? Can you use .htaccess files within sections of the same or other sites? I know it is possible to set up your main configuration so that normal users can't override options in lower level config files.

--
Cynthia Kiser
Jim Perrin
2007-Feb-12 03:32 UTC
[CentOS] How to prevent reading of an xml in a particular directory from browser in apache on Centos4.4
> Even though the above entries are there in .htaccess still I am able
> to read "site.xml" file. How do I prevent the reading of this file ?

.htaccess files are only good if you're allowing them via the AllowOverrides option in your httpd.conf. By default this option is off, and if you have administrative access to the box it should stay that way, as using .htaccess files will cause a (slight) performance hit.

You don't really need the satisfy statement there either. I'd create a helpdesk.conf file in /etc/httpd/conf.d/ with:

<Directory "/var/www/html/request">
    <Files "site.xml">
        Order allow,deny
        Deny from all
    </Files>
    #other directory wide modifications, custom 404, etc.
</Directory>

If all you're protecting is that one file, you don't really need the ~, as that enables full regex matching, which should really be done with FilesMatch.

Alternatively if you really want to block all xml files, use this:

<Files ~ "\.xml$">

--
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
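The diagnosis in the reply above can be checked mechanically. The following is an added example, not part of the original thread: it reads a constructed httpd.conf excerpt and reports whether the readme's directives would be honoured in a .htaccess under /var/www/html/request. The function names are hypothetical; it assumes the stock directive name AllowOverride and the override classes the Apache 2.0/2.2 documentation lists (Limit for Order/Allow/Deny, AuthConfig for Satisfy).

```python
import re

# Constructed httpd.conf excerpt (sample input, not taken from the thread).
SAMPLE_CONF = """
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
"""

# Override class each directive needs before .htaccess may use it (Apache 2.0/2.2).
NEEDS = {"order": "limit", "allow": "limit", "deny": "limit", "satisfy": "authconfig"}

SECTION = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
SETTING = re.compile(r"^\s*AllowOverride\s+(.+)$", re.M | re.I)


def effective_override(conf, path, default=("All",)):
    """Return the AllowOverride classes in force for `path`.

    Simplification: only plain <Directory> sections are read (no wildcards,
    regex sections or <DirectoryMatch>); the longest matching prefix wins.
    `default` is the value used when nothing is set: All on 2.0/2.2, None on 2.4.
    """
    best_len, classes = -1, set(default)
    for section in SECTION.finditer(conf):
        prefix = section.group(1).rstrip("/")
        setting = SETTING.search(section.group(2))
        applies = path == prefix or path.startswith(prefix + "/")
        if setting and applies and len(prefix) > best_len:
            best_len, classes = len(prefix), set(setting.group(1).split())
    return classes


def htaccess_honoured(conf, path, directives):
    """Map each directive to True if a .htaccess under `path` may use it."""
    classes = {c.lower() for c in effective_override(conf, path)}
    return {d: "all" in classes or NEEDS[d.lower()] in classes for d in directives}


if __name__ == "__main__":
    # With the excerpt above, none of the readme's directives take effect.
    print(htaccess_honoured(SAMPLE_CONF, "/var/www/html/request",
                            ["Order", "Deny", "Satisfy"]))
```

A result of False for every directive means the .htaccess stanza has no effect and the rule belongs in the server configuration, as in the helpdesk.conf suggestion above.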
Scott Silva
2007-Feb-12 16:17 UTC
[CentOS] Re: How to prevent reading of an xml in a particular directory from browser in apache on Centos4.4
ankush grover spake the following on 2/10/2007 2:11 AM:
> hi friends,
>
> I have configured a HelpDesk Ticketing System on Centos4.4. The
> problem I am facing is that there is a file called "site.xml" which
> contains the information about database connections and I don't want
> ppl to be able to read that file through browser. As per the
> readme.htm of that software if the below entries will be put in
> .htaccess then nobody can read the xml through browser.
>
> <Files ~ ".xml">
> Order allow,deny
> Deny from all
> Satisfy All
> </Files>
>
>
> Even though the above entries are there in .htaccess still I am able
> to read "site.xml" file. How do I prevent the reading of this file ?
>
> HelpDesk Ticketing Software is under /var/www/html/request and
> .htaccess is also under /var/www/html/request.
>
> Please let me know if you need any further information.
>
> Thanks & Regards
>
> Ankush Grover

Did you try to chown to root:root and chmod to 600? That should keep apache from reading the file.

--
MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!