error_log permissions

[bigblackboxx]

-

Edited February 10, 2019 by bigblackboxx

[Byron]

Heya,

 

I have a quick question reguarding the error_log files. Everytime I access a directory within my public_html dir that has an error_log file within, I get an error in my cpanel error log as follows:

[sat May 29 12:50:26 2010] [error] [client 76.123.xxx.xxx] client denied by server configuration: /home/boxx/public_html/test/error_log, referer: http://bigblackboxx.com/

 

The server is set up default not to display error-log files via directory indexing. That error in your log files is normal.

 

The test dir has the +Indexes option turned on and also does not diplay error_log file via indexing, but I'm able to see and access this file via FTP.

 

You should be able to see ANY file via FTP as long as your logged in.

 

I've attempted to adjust the permissions of the specific dir test/ to 777, but this doesnt seem to effect access to the error_log.

Do I need to adjust the permissions of the error_log file itself? Or am I missing some other key point here altogether?

 

Don't worry about it. You really don't want error log files displayed to the public anyway. You also need to go back and chmod your directory back to 755. You never need to go higher than 755 on any of your directories.

 

[bigblackboxx]

-

Edited February 10, 2019 by bigblackboxx

[Byron]

So curious.. would that be an IndexIgnore directive you've added to the httpd.conf at the server level?

 

Yes and its done with Apache mod_autoindex and that would also include dot files like your .htaccess.

 

I'll be sure to adjust the folder permissions back accordingly, and as always... I appreciate you taking the time to help me better understand this.

 

No problem!

 

[bigblackboxx]

-

Edited February 10, 2019 by bigblackboxx

[Byron]

You maybe right about it using order deny, allow, but I really couldn't say for sure. I'll see if I can talk djbob into coming over here when he gets time to answer your question since he's the one who configured the server. In the meantime you might want to check out some more htaccess directives you can use for your htaccess file.

 

http://httpd.apache.org/docs/2.2/

 

[Ashoat]

bigblackboxx, you've clearly been doing your research! Yeah, we're actually not using IndexIgnore. Instead, we're using something more along the lines of the "File" tag you listed above.

 

Though I didn't personally set up this configuration (it was auto-generated by cPanel), I have a guess as to why they constructed it the way they did. IndexIgnore will prevent the error_log from being listed in a directory page, but it will still allow that file to be downloaded or looked at. Since "error_log" is the default filename for any file containing Apache errors, without the "File" tag directives in httpd.conf a hacker would be able to often glean crucial information just from guessing the existence of an error_log file.

 

However, with our current configuration it is impossible to read these files.

[bigblackboxx]

-

Edited February 10, 2019 by bigblackboxx

[Byron]

IndexIgnore will prevent the error_log from being listed in a directory page, but it will still allow that file to be downloaded or looked at. Since "error_log" is the default filename for any file containing Apache errors, without the "File" tag directives in httpd.conf a hacker would be able to often glean crucial information just from guessing the existence of an error_log file.

 

I believe you hit the nail on the head djbob. Yeah it makes way more sense to use the "File" tag directive than to use IndexIgnore with sensitive files. Thanks djbob for clearing this up for both of us.

 

 

 

 

[bigblackboxx]

-

Edited February 10, 2019 by bigblackboxx