Prevent Apache from serving .DS_Store files
I was just looking at the directory listing in a shared web directory, and a .DS_Store file caught my eye. The default OS X httpd.conf allows these files to be served. This might be a security hole, particularly if directory listings are denied. One could inadvertently give prying eyes a glimpse of the files in the directory that one would rather not make public. To prevent this, /etc/httpd/httpd.conf should probably contain:
<Files .DS_Store>
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
Remember to restart Apache after making this change, either with the GUI tools or just by typing sudo apachectl graceful in the Terminal.

10 comments
Prevent Apache from serving .DS_Store files
Authored by: Beernd on May 30, '03 10:38:32AM

Perhaps one should also add .DS_Store to the IndexIgnore line. I would use something like this:

IndexIgnore *~ *# HEADER* README* RCS CVS *,v *,t .DS_Store

This would prevent .DS_Store from showing up in the index.

---
"Perhaps nothing is true, and not even that!"
Multatuli, Ideen 1

Prevent Apache from serving .DS_Store files
Authored by: Harold on May 30, '03 11:59:30AM

Even better. Disallow anything starting with a dot.

# Disallow viewing of .DS_Store, .FBCIndex etc.
# These files are internal to MacOSX but are a potential security risk
# so basically we don't allow access to ANYTHING that starts with a dot

<FilesMatch "^\.">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>

---
--
NIL ANXIETAS
http://www.haroldbakker.com/

Prevent Apache from serving .DS_Store files
Authored by: loucasa on May 30, '03 10:36:21PM

Would any of these suggestions prevent Apache from displaying a directory listing if someone were to try to access http://myipnumber/ or http://myipnumber/~myuserid/ without specifying a file (e.g. index.html) in the URL? Or is there a way that I can force a URL to the directory to access a specific file or alternates?

Thanks,
Lou

Prevent Apache from serving .DS_Store files
Authored by: aaronfaby on May 31, '03 12:42:54AM

Add "-Indexes" to the document root Directory container.

Preventing Apache from listing directory contents
Authored by: newbish on Jun 03, '03 09:26:59AM

Yes, Lou, there is a way!

Apache allows you to tell it what it can or cannot show when it is asked to serve a directory without any index page in it. The details for what else you can ask Apache to do in such a case can be found in the Apache manual. The URL on your computer will be:

http://127.0.0.1/manual/

The keyword will be "Indexing."

To stop index listings being created, here is the shortcut if you want it right away. First edit the Apache Configuration file, httpd.conf with:

sudo pico /etc/httpd/httpd.conf

And add this block of text to the end of the file:

# Don't allow any files in an index listing of the directory
<Directory /Library/WebServer/Documents/*>
IndexIgnore *
</Directory>
# end of index limiting

I think this will solve your problem in the short run. For more complex matters, you can use the indexing commands in Apache to actually point to a generic index.html should a directory not contain one.

A Far More Elegant Solution
Authored by: newbish on Jun 03, '03 11:56:11AM
Hi, Lou,

Just needed to give myself a minute to come up with something better than my last solution! First I told you to use IndexIgnore * so that Apache's indexing engine would not list any files in the index.

Starting with my previous example, replace IndexIgnore * with this line:

DirectoryIndex index.html /oops.txt

You must also create a text file named oops.txt that contains a message like, "no files here for you to see!" and store it in /Library/WebServer/Documents/. Now anyone surfing to a directory on your machine that contains no index.html will get the message in oops.txt. This will be global for your machine, and I think this is a better solution than what I suggested earlier. Amazing what I can come up with when I RTF. :)

And ":*" too
Authored by: repetty on May 31, '03 03:04:43AM

I'm running Apache on a Linux box but work remotely from a Mac, so the same situation applies to me, too.

I've noticed that I also have files that start with a colon, too. Maybe it's a by-product of the netatalk AppleShare file server.

Anyway, I appended this to the IndexIgnore line:

\.* :*

It seems to take care of both cases. BTW, I MUCH prefer not showing the visitor something that they shouldn't have access to rather than let them see it but forbid them to access it.

Much more tidy.

Great suggestion.

--Richard

And ":*" too
Authored by: datawrangler on Jun 01, '03 12:20:31PM

Those filenames which begin with a colon are netatalk's way of displaying non-ASCII characters such as a bullet (•), which Mac users often use to force custom sorting. I don't know how to translate the numbers, but netatalk has always done a good job of preserving these "think different" filenames for me. In the OS X Terminal, non-ASCII characters are displayed with a '?'.

Prevent Apache from serving .DS_Store files
Authored by: LouieNet on May 17, '05 02:35:46AM
By the way, the httpd.conf file for my Panther installation has:
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
The ".??*" at the beginning will let you ignore any dot files without ignoring .. (i.e. the parent directory). Louie

---
G4 cube, 1152M RAM, OS X Server 10.2.8
17" Powerbook G4, 1G RAM, OS X 10.2.8

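The thread mixes two different controls: a <Files>/<FilesMatch> block with "Deny from all" refuses the request for a file, while IndexIgnore only keeps the name out of the mod_autoindex listing and the file is still served to anyone who guesses the URL. The script below is an added example (not code from the hint or from any commenter) that audits a web root against both: Harold's <FilesMatch "^\."> rule, emulated with a Python regex search on the basename, and the Panther default IndexIgnore line quoted by LouieNet, emulated with fnmatch. It assumes Apache applies both directives to the basename only, models plain wildcard patterns without backslash escapes, and ignores directories; the SAMPLE list is constructed.

```python
"""Audit a web root for Finder/netatalk metadata that Apache would still
serve or list. Added example, not from the hint or any commenter.

Two controls from the thread are modelled:
  <FilesMatch "^\."> Deny from all   regex on the basename; refuses the request
  IndexIgnore .??* ...               wildcard on the basename; hides it from
                                     the generated listing only
Assumptions: FilesMatch is emulated with re.search, IndexIgnore with
fnmatch.fnmatchcase; only plain (unescaped) wildcards are modelled and
directories are not examined.
"""
import fnmatch
import os
import re
from dataclasses import dataclass
from typing import Iterable, List

# Harold's <FilesMatch "^\."> block: any basename that begins with a dot.
FILES_MATCH_DENY = re.compile(r"^\.")

# Panther's default IndexIgnore line as quoted by LouieNet.
INDEX_IGNORE = [".??*", "*~", "*#", "HEADER*", "README*",
                "RCS", "CVS", "*,v", "*,t"]


@dataclass
class Finding:
    name: str
    denied: bool   # a request for the file is refused by FilesMatch
    hidden: bool   # mod_autoindex omits it from the generated listing
    note: str


def is_denied(name: str) -> bool:
    """True if the FilesMatch rule would refuse a request for this name."""
    return FILES_MATCH_DENY.search(name) is not None


def is_hidden(name: str, patterns: Iterable[str] = INDEX_IGNORE) -> bool:
    """True if any IndexIgnore wildcard matches the basename."""
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def classify(name: str) -> Finding:
    """Combine both checks and say what a visitor would actually see."""
    denied, hidden = is_denied(name), is_hidden(name)
    if denied and hidden:
        note = "hidden from the index and request denied"
    elif denied:
        note = "request denied, but the listing still reveals the name"
    elif hidden:
        note = "hidden from the index, but served if the URL is guessed"
    else:
        note = "listed and served"
    return Finding(name, denied, hidden, note)


def audit_names(names: Iterable[str]) -> List[Finding]:
    return [classify(n) for n in names]


def audit_tree(root: str) -> List[Finding]:
    """Walk a real web root; both directives act on basenames only."""
    names = []
    for _dirpath, _dirnames, filenames in os.walk(root):
        names.extend(filenames)
    return audit_names(sorted(set(names)))


# Constructed sample: names Finder, netatalk and Classic Mac OS leave behind,
# plus a normal page and a two-character dotfile as an edge case.
SAMPLE = [".DS_Store", "._report.pdf", ".FBCIndex", ":bullet.txt",
          "Icon\r", "index.html", ".a", ".htaccess"]

if __name__ == "__main__":
    for f in audit_names(SAMPLE):
        print(f"{f.name!r:16} denied={f.denied!s:5} hidden={f.hidden!s:5} {f.note}")
```

Run against a real tree with audit_tree("/Library/WebServer/Documents"). Two things the output makes visible: the colon-prefixed names and the "Icon\r" file fall through both controls, which is why repetty had to append ":*" to IndexIgnore and why petekjohnson's question about Icon files is a separate problem; and the ".??*" pattern does not hide a two-character name like ".a", while "^\." still denies it. On Apache 2.4 the same deny block is written with "Require all denied" instead of the Order/Deny/Satisfy lines shown in the thread.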
Prevent Apache from serving .DS_Store files
Authored by: petekjohnson on Jun 03, '03 12:24:43PM

Does anyone know how to prevent the serving of invisible (example: Icon) files with the Mac OS X FTP server?
