University of Connecticut

University Information Technolgy Services

Homepages Web Server

FAQ

• I can't access my files (Access Forbidden! Error 403).
• What are file permissions? Why do we need them?
• How can I check and set the file access permissions?
• I setup everything following the instructions but I still cannot connect to the server.
• How can I setup username/password access? (requirement: knowledge of UNIX command line and SSH connection)

I can't access my files (Access Forbidden! Error 403).

If you see an error as below, it is very likely that you uploaded your files to the server using port 21 instead of 3501 for NetID accounts and 3500 for NonNetID accounts. Please follow the FTP Instructions to set up the FTP connection and after that refer to this link to upload them correctly.

 

What are file permissions? Why do we need them? 

File permissions are necessary to protect and to instruct the server about how to handle certain files. They can be set using raw FTP commands, but the easiest way to set them is using an inbuilt tool from your FTP client. This is where some FTP clients do not support the changing of permissions on files. One good example is the built-in FTP client in Dreamweaver, which will only allow you to set permissions using a specific raw FTP command. If you have multiple files and folders to set permissions on, typing the FTP command multiple times would become tedious.

It is a good idea to become at least a little familiar with what permissions are used for what purpose. The reason for this is that most scripts will actually need certain permissions to run. If they are simply uploaded as normal by say, Dreamweaver, they will inherit 'normal' permissions by default, but it may not be suitable in order to actually 'run' or 'execute' the commands that are inside the script. Most default permissions will only allow you to read a file, which will unfortunately not be enough to run a script.
The most common permission required to run a script is CHMOD 755 (-rwx r-x r-x)

What's CHMOD?

CHMOD stands for Change Mode and simply means that you are changing your permissions on the file or folder. "CHMOD" is also a UNIX command that is used in code and through the command line to change permissions on files and folders.

Types of permissions for different user groups

• There are three types of permissions to set on folders and files on UNIX servers – Read, Write and Execute permissions. There are three distinct groups that are affected with these permissions to allow you to control who has access to the file or folder.
  
  These groups are as follows:
  The owner of the file - usually whoever uploaded it, or whomever created it.
  The group – usually other registered hosting users on the actual server or common resources that are setup to run under this permission group.
  The public – this is the public or Internet user.
  
  So each group has three settings or switches, to allow you to control their access based on whether you want them to read, write or execute the resource that you are setting permissions on.

For your website,

• all the folders/directories should have:
  • R W and E for owners, and
  • R and E for the other groups,

as shown below,

 

• Each individual web file (image file, pdf file, html file, etc) should have
  • R W and E for owners, and
  • R for other groups.


 

How can I check and set the file access permissions *?

If you used the wrong port 21, you cannot check/set the file access permission in Dreamweaver; you need to check/set that either in SSH or by using FileZilla or Fetch.

Note: If you upload your files with port 21, after changing the port to 3500 (NonNetID accounts) or 3501 (NetID accounts) and reuploading files, file permissions could still be wrong! Please pick one of the following three options to fix the problem:

1. Delete all your files on the server , change the port to correct one and reupload all your files again in FileZila or Fetch.

2. Use FileZilla (Windows users) and Fetch (Mac users), and set the permissions manually.

3. In case, you uploaded a lot of files and directories, use SSH, Linux commands.

Using FileZilla:

FileZilla will allow you to change the file permissions or "attributes" as this program calls them, on files and folders. You can even choose multiple files and folders in the same window view to change multiple permissions at the same time.

Setting a file or folder permission in FileZilla is easy. You simply check the box to turn that setting on, like a switch. Select a file, then right click on it. A menu will appear and you will need to choose "File Attributes".






 

Using Fetch:

1. Select the file or directory, click on Remote from the main menu, then Get Info (or shortcut key as SHIFT+COMMAND+I):



2. You can see file information,



3. click on Ownership and Permission, check on the permissions to turn them on.



 

Using SSH client

1. Download the free Putty Telnet/SSH Client.

2. Refer to CHANGE PASSWORD to find out how to download SSH client and start up in windows and mac.

3. Check this Linux command chmod


* Some part of this document is gathered from an article by Eddie Machaalani, for further information click here.

I set up everything following the instructions but I still cannot connect to the server.

If you follow the instructions correctly but you still cannot connect to the server, usually it might happen when you use the wireless network, or maybe because of some firewall problem.



How can I setup username/password access? (requirement: knowledge of UNIX command line and SSH connection)

CAUTON: if your account gets hacked into, you will lose data and if they use your account to do further damage to the network you could end up loosing account privileges.

Setting up password protection requires two steps:

1. Create a password file using the htpasswd program
2. Create (or modify) an .htaccess file to work with the password file

Using htpasswd
htpasswd is a UNIX utility used to create user name and passwords for use in authenticating access to a directory (under the public_html directory).
htpasswd is used as follows:


htpasswd [-c] password_file username

The -c option flag is only used the first time as it creates the password file and subsequent use will delete any existing password file and replace it with a new one. If you have previously created a password file simply do not use the -c option flag.

password_file refers to the pathway and name of the file you will use to store your password information in. There are no restrictions on the name you give the password file, however, the accepted convention is .htpasswd

Example:
To create a password file named .htpasswd in a directory '/public_html/restricted' for a user named 'guest', you would type the following:

htpasswd -c /public_html/restricted/.htpasswd guest

Once you hit enter, you will be prompted to enter a new password for 'guest' and then confirm the password by entering it again. This process places the selected password into the .htpasswd file in encrypted form. Check it out. The password is encrypted to protect it from prying eyes. However if your password isn't a good one, then someone may be able to grab a copy of the .htpasswd file and crack your password!

Adding Users & Changing Passwords

To add new users follow the above procedure without using the -c option flag.
Example:

htpasswd /public_html/restricted/.htpasswd nobody

Again DO NOT USE the -c option flag.
To change a password (which should be done periodically) we again use htpasswd:
Example:


htpasswd /public_html/restricted/.htpasswd guest

You will again be prompted to enter the new passwords. htpasswd does not provide a way to remove users from your password file. We suggest two methods change their password or open the .htpasswd file and delete the line that their user name appears on.

Choosing Passwords
DO NOT USE your UNIX login password as your web htaccess password. Here is why, these passwords are sent over an HTTP connection as unencrypted text which makes them vulnerable to sniffing. Additionally HTTP send the unencrypted password with EVERY request, in contrast with protocols like telnet that only send the password unencrypted once (this is why we strongly suggest SSH). So again you have been warned, if your account gets hacked into you will lose data and if they use your account to do further damage to the network you could end up loosing account privileges.

Modifying .htaccess
Now that the user name and password have been created and saved we need to activate them. Every directory that you created an .htpasswd file for needs to have a .htaccess file with the following entry:

AuthName "restricted stuff"  AuthType Basic  AuthUserFile /www/foo/.htpasswd    require valid-user

The first directive, AuthName, specifies a realm name for this protection. Once a user has entered a valid username and password, any other resources within the same realm name can be accessed with the same username and password.

• The AuthType directive tells the server to use the Basic method for authentication (default).
• Require valid-user tells the server that any username/password pair in the .htpasswd file can be used to access this directory. However, it is possible to limit access to only certain users:

  require user guest nobody

This will only allow users guest and nobody access to the directory. Any other users would be denied access to the directory even though they may appear in the .htpasswd file.