Koozali.org: home of the SME Server

webserver security/directory listing

innorevtech

« on: July 14, 2006, 06:37:15 PM »
Is there a way to configure the apache/sme webserver to NOT display the directory listings when accessing subfolders? (i.e. http://www.mydomain.com/images/) I would prefer the forbidden, not accessible, etc. error messages appear instead of displaying all of the contents of the subfolders (IF that folder doesn't have an index.xxx file in it.)

Any help would be appreciated.
I am currently running SME 7.0RC3, upgraded to 7.0 Final VIA Yum-Update.

Thanks!

dsemuk

« Reply #1 on: July 15, 2006, 01:26:59 AM »
You should be getting "404 not found" or "401 unauthorised" errors, not directory listings.

Have you changed the server in any way?

Dave
--
Esmith/Mitel/SME server  :-D...

innorevtech

« Reply #2 on: July 15, 2006, 11:09:30 PM »
System is stock out of the box, except for no smtp-proxy, and mysql has been enabled. I do not get 404/401 when accessing a folder that has no .htm/.html/.php in it. Is there some config file in apache/sme I can check to make sure this is enabled?

mmccarn

« Reply #3 on: July 16, 2006, 01:43:03 AM »
Quote from: "SME7FAQs"
The directory structure is visible. How do I disable indexes in ibays?
SME 6.0, 6.0.1, and 6.5 all had the following for the ibays/html directory - "Options Indexes Includes". This would indicate that indexes were allowed for html directories. In 7.0 we made this a parameter and defaulted it to enabled to be compatible with < 7.0 installations.

To disable indexes for an ibay in 7.0 do the following: (Be careful to use the exact capitalization)

db accounts setprop //ibayname// Indexes disabled
signal-event ibay-modify //ibayname//

Be sure to replace //ibayname// with your ibay name...

Read this and many more interesting tidbits in SME7FAQs

(It took me a while to find it - even though I knew I'd seen it before!)

innorevtech

« Reply #4 on: July 16, 2006, 03:36:19 AM »
Thanks so much! This solved my problems.

remstrus

« Reply #5 on: October 08, 2006, 10:02:19 PM »
Hi

I ran the following commands (from this thread) to disallow directory listing (my SME7 fresh install allowed directory listings).

Quote
db accounts setprop //ibayname// Indexes disabled
signal-event ibay-modify //ibayname//


I replaced //ibayname// with the relevant ibay name.

The problem is my directories still allow their contents to be listed when www.somedomain/images is used.

Any thoughts would be appreciated ;)

Phil

remstrus

« Reply #6 on: October 09, 2006, 07:07:48 PM »
Any thoughts??

mmccarn

« Reply #7 on: October 10, 2006, 03:58:52 PM »
I am using "images" as the i-bay name below; be sure to use your own i-bay name...

Run:
db accounts show images

After running the commands outlined in the SME7FAQ you should get something like:
Code:
images=ibay
    CgiBin=enabled
    Gid=5010
    Group=shared
    Indexes=disabled
    Name=Images
    PasswordSet=no
    PublicAccess=global
    Uid=5010
    UserAccess=wr-admin-rd-group

Note that "Indexes" has an initial capital, and "disabled" is all lower case.

Looking at the code in /etc/e-smith/templates/etc/httpd/conf/httpd.conf/90e-smithAccess40ibays:
    - If there is no entry named "Indexes" (capital "I"!), the Indexes option is activated
    - If there is an entry named "Indexes" containing a value of "enabled", the Indexes option is activated
    - If there is an entry named "Indexes" containing anything except the word "enabled" (all lower case), the Indexes option will not be activated

Be sure you have run:
signal-event ibay-modify images

Then, if it still doesn't work, you can check the actual contents of httpd.conf using:
less -p"Directory /home/e-smith/files/ibays/images/html" /etc/httpd/conf/httpd.conf

You should get something like:
Code:
<Directory /home/e-smith/files/ibays/images/html>
    Options None
    Options +Includes
    AllowOverride None
    order deny,allow
    deny from all
    allow from all
</Directory>
(For Indexes to work, there should be a line underneath "Options None" saying "Options +Indexes". If you have correctly set "Indexes" to "disabled", this line will be absent as shown above.)

If everything described here looks OK:
    - do you have SME 7 Final installed (I think that the ability to set the "Indexes" Option in this manner was added near the end of the SME 7 release process), or
    - do you have any contribs, scripts, or other packages installed that might have modified the settings in httpd.conf?
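
As an added example (not part of the thread and not SME Server's own code), the manual httpd.conf check described in Reply #7 can be run across every ibay block at once. The function name, the sample configuration and the "docs" ibay are constructed for illustration.

```shell
#!/bin/sh
# Added example: report ibays whose generated <Directory .../html> block
# in httpd.conf still enables the Indexes option.

# ibays_with_indexes FILE -> prints one ibay name per line.
ibays_with_indexes() {
    awk '
        BEGIN { re = "^\"?/home/e-smith/files/ibays/[^/]+/html\"?>$" }
        # Start of an ibay html block, like the "images" block quoted above.
        tolower($1) == "<directory" && $2 ~ re {
            split($2, p, "/"); ibay = p[6]; idx = 0; inblock = 1; next
        }
        inblock && tolower($1) == "</directory>" {
            if (idx) print ibay
            inblock = 0; next
        }
        inblock && tolower($1) == "options" {
            # A first keyword without +/- replaces all earlier settings.
            if ($2 !~ /^[+-]/) idx = 0
            for (i = 2; i <= NF; i++) {
                o = tolower($i)
                if (o == "indexes" || o == "+indexes" || o == "all") idx = 1
                else if (o == "-indexes" || o == "none") idx = 0
            }
        }
    ' "$1"
}

# Constructed sample: "images" matches the block quoted in the thread;
# "docs" is a hypothetical ibay left at the default (Indexes enabled).
write_sample_conf() {
    cat > "$1" <<'EOF'
<Directory /home/e-smith/files/ibays/images/html>
    Options None
    Options +Includes
    AllowOverride None
</Directory>
<Directory /home/e-smith/files/ibays/docs/html>
    Options None
    Options +Indexes
    Options +Includes
    AllowOverride None
</Directory>
EOF
}

conf=$(mktemp) && write_sample_conf "$conf"
ibays_with_indexes "$conf"    # on a real server: /etc/httpd/conf/httpd.conf
rm -f "$conf"
```

An ibay name in the output means its block still has Indexes on, so recheck the capitalization of the db property and rerun signal-event ibay-modify for that ibay.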