Can others access my application files?

Status
Not open for further replies.

fguy64

I intend to use X10 to host a little Java gaming applet I have written. What I want to know is, with the default permissions on my public_html directory, can others obtain my Java .class files? Is it possible to tighten up the permissions on this directory without impairing the functionality of the application?

Thanks,
 

garrettroyce

Your public_html folder is by default (and for good reason :p) accessible to anyone and everyone who happens to know the URL. And any subfolders you make in that folder will have the same accessibility. Changing the current chmod of the public_html would probably make your site entirely inaccessible. Here's what I would do:

Using cPanel -> File Manager:
Create a new folder /home/{username}/public_html/forbidden (I like to call mine "forbidden"; you can call it whatever you want).
Select the new folder, use "Change Permissions" (aka CHMOD) and change it to 751.

Now, if you try to access the folder, a file in the folder, or any subfolders, you will get a permission error :)
 

fguy64

Thanks Garrett. I tried what you suggested, and did a little experimentation. I'm not really on top of the whole permissions thing; my guess is that what is happening is that by changing to 751, people can technically still get the application (.class) files, they just can no longer see them? So they would need to first determine the names of the application files by reverse compiling the one main application file that is loaded by the web page? Just a guess.
 

garrettroyce

No, they are denied read permission for the directory and the files.
 

fguy64

Well, I don't mean to belabor the point, but it's not clear to me how things are any different with the 751 permission on a subfolder of public_html. I'm still able to download any one of the .class files from that directory using my browser by typing the path and the filename. Am I missing the point somewhere?

Thanks for your time.
 

misson

> Well, I don't mean to belabor the point, but it's not clear to me how things are any different with the 751 permission on a subfolder of public_html. I'm still able to download any one of the .class files from that directory using my browser by typing the path and the filename. Am I missing the point somewhere?

What you're missing is that Java applets are executed on the client, not the server. How is a client supposed to run an applet if the computer can't download it?
 

garrettroyce

Misson has an excellent point :p

The other problem is, by default, cPanel makes files put in folders world readable (CHMOD 644) and I thought that it would inherit the folder setting, which would make it CHMOD 640.

I have never messed with Java apps, so I missed the part about client-side execution. However, you could probably make a script that checks to see if the file being requested is being used for Java or being downloaded by itself and act accordingly, like preventing image hotlinking.
 

fguy64

Duly noted about Java apps being executed by the client, not the server. I knew that, but I had not made the connection that if you want the app to execute in the client browser, you must have permissions which also allow them to be downloaded separately.

It's still not clear to me whether creating a directory with permission of 751, had any effect at all, or whether there is anything at all you can do to make things a little more difficult to access. I guess I have some research to do. It shouldn't be too difficult to find some instructional resources on the net that deal with permissions.

Thanks again for your time.
 

misson

> It's still not clear to me whether creating a directory with permission of 751, had any effect at all, or whether there is anything at all you can do to make things a little more difficult to access.

On most filesystems directories can be thought of as special files that hold a list of file records. With a permission mode of --x (no read, no write, execute), a user can access files within a directory but not the directory itself (the directory contents, or list of files in a directory, will be inaccessible). For instance, opendir("/home/fguy64/public_html/forbidden") would fail, while fopen("/home/fguy64/public_html/forbidden/foo.class", "r") would succeed. To put it another way, the execute bit allows anything to pass through a directory when a path is traversed. If you don't have directory indexing enabled for a given directory, removing the read permission won't be beneficial as there is no way for a visitor to read directory contents. It may have unintended effects on your site internals, but those effects aren't what you're looking for.

You can't prevent downloading, but you may be able to use the java.applet API to check non-forgeable (well, difficult to forge) information about the document in which the applet is embedded. getDocumentBase would probably work. Note that this implementation will have its drawbacks (should you change the host URI in any way, you'll need to recompile) and won't be 100% effective (a downloaded applet could be patched in place or decompiled).
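
The difference between listing a directory and opening a file in it by name, as described in the post above, can be checked directly. This C program is an added example, not code from the thread: the scratch path under /tmp and the file name foo.class are constructed, and the permission triple is placed in the owner position because the process running the check owns the directory.

```c
#include <dirent.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* What a process can do with the directory: list it, or open a file by name. */
struct probe { int can_list; int can_open_by_name; };

/* Build a scratch directory (constructed sample, hypothetical names) holding
 * foo.class, give the directory the permission triple `bits`, then try the
 * two calls from the post. This process owns the directory, so `bits` is
 * placed in the owner position to stand in for the "other" digit of the mode:
 * 1 = --x (as in 751), 5 = r-x (as in 755), 0 = --- (as in 750).
 * Root bypasses these checks, so run it as an ordinary user. */
struct probe probe_dir(int bits)
{
    struct probe r = {0, 0};
    char dir[64], file[96];
    FILE *f;
    DIR *d;

    snprintf(dir, sizeof dir, "/tmp/forbidden-%ld", (long)getpid());
    snprintf(file, sizeof file, "%s/foo.class", dir);
    if (mkdir(dir, 0700) != 0)          /* refuses to reuse an existing path */
        return r;
    if ((f = fopen(file, "w")) != NULL) { fputs("sample\n", f); fclose(f); }
    chmod(file, 0644);                  /* world-readable file, as in the thread */
    chmod(dir, (mode_t)(bits << 6));

    if ((d = opendir(dir)) != NULL) { r.can_list = 1; closedir(d); }
    if ((f = fopen(file, "r")) != NULL) { r.can_open_by_name = 1; fclose(f); }

    chmod(dir, 0700);                   /* restore access so cleanup works */
    unlink(file);
    rmdir(dir);
    return r;
}

int main(void)
{
    const int bits[] = {1, 5, 0};
    for (int i = 0; i < 3; i++) {
        struct probe r = probe_dir(bits[i]);
        printf("dir bits %d: opendir %s, fopen by name %s\n", bits[i],
               r.can_list ? "ok" : "denied", r.can_open_by_name ? "ok" : "denied");
    }
    return 0;
}
```

Only the `---` case refuses the by-name open, and it refuses it for every process that falls under those bits, so a web server reaching the files through the "other" digit could not serve the applet either.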
 