- I can't access my files (Access Forbidden! Error 403).
- What are file permissions? Why do we need them?
- How can I check and set the file access permissions?
- I set up everything following the instructions but I still cannot connect to the server.
- How can I set up username/password access? (requirement: knowledge of UNIX command line and SSH connection)
If you see an error as below, it is very likely that you uploaded your files to the server using port 21 instead of 3501 for NetID accounts and 3500 for NonNetID accounts. Please follow the FTP Instructions to set up the FTP connection and after that refer to this link to upload them correctly.
File permissions are necessary to protect files and to instruct the server about how to handle them. They can be set using raw FTP commands, but the easiest way to set them is with the built-in tool in your FTP client. However, some FTP clients do not support changing permissions on files. One good example is the built-in FTP client in Dreamweaver, which will only allow you to set permissions using a specific raw FTP command. If you have multiple files and folders to set permissions on, typing the FTP command multiple times becomes tedious.
It is a good idea to become at least a little familiar with which permissions are used for which purpose, because most scripts need certain permissions to run. If they are simply uploaded as normal by, say, Dreamweaver, they will inherit 'normal' permissions by default, and these may not be suitable to actually 'run' or 'execute' the commands inside the script. Most default permissions will only allow you to read a file, which is not enough to run a script.
The most common permission required to run a script is CHMOD 755 (-rwx r-x r-x)
What's CHMOD?
CHMOD stands for Change Mode and simply means that you are changing your permissions on the file or folder. "CHMOD" is also a UNIX command that is used in code and through the command line to change permissions on files and folders.
Types of permissions for different user groups
- There are three types of permissions to set on folders and files on UNIX servers – Read, Write and Execute permissions. There are three distinct groups that are affected with these permissions to allow you to control who has access to the file or folder.
These groups are as follows:
The owner of the file - usually whoever uploaded it, or whoever created it.
The group – usually other registered hosting users on the actual server or common resources that are set up to run under this permission group.
The public – this is the public or Internet user.
So each group has three settings or switches, to allow you to control their access based on whether you want them to read, write or execute the resource that you are setting permissions on.
- all the folders/directories should have:
- R W and E for owners, and
- R and E for the other groups,
- Each individual web file (image file, pdf file, html file, etc) should have
- R W and E for owners, and
- R for other groups.
- Create a password file using the htpasswd2 program
- Create (or modify) an .htaccess file to work with the password file
- The first directive, AuthName, specifies a realm name for this protection. Once a user has entered a valid username and password, any other resources within the same realm name can be accessed with the same username and password.
- The AuthType directive tells the server to use the Basic method for authentication (default).
- The AuthUserFile directive tells the server which password file to use. You must use the full path name for this file.
- Require valid-user tells the server that any username/password pair in the .htpasswd file can be used to access this directory. However, it is possible to limit access to only certain users:
require user guest nobody
For your website,
as shown below,
How can I check and set the file access permissions?
If you used the wrong port 21, you cannot check/set the file access permission in Dreamweaver; you need to check/set that either in SSH or by using FileZilla or Fetch.
Note: If you upload your files with port 21, after changing the port to 3500 (NonNetID accounts) or 3501 (NetID accounts) and reuploading files, file permissions could still be wrong! Please pick one of the following three options to fix the problem:
1. Delete all your files on the server, change the port to the correct one and reupload all your files again in FileZilla or Fetch.
3. If you uploaded a lot of files and directories, use SSH and Linux commands.
FileZilla will allow you to change the file permissions or "attributes" as this program calls them, on files and folders. You can even choose multiple files and folders in the same window view to change multiple permissions at the same time.
Setting a file or folder permission in FileZilla is easy. You simply check the box to turn that setting on, like a switch. Select a file, then right click on it. A menu will appear and you will need to choose "File Attributes".
1. Select the file or directory, click on Remote from the main menu, then Get Info (or shortcut key as SHIFT+COMMAND+I):
2. You can see the file information.
3. Click on Ownership and Permission, then check the permissions to turn them on.
1. Download the free Putty Telnet/SSH Client.
2. Refer to CHANGE PASSWORD to find out how to download SSH client and start up in windows and mac.
3. Check this Linux command chmod
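One way to find and repair these permissions over SSH when many files and directories are affected, as an added example that is not part of the original instructions. The function names and the sample tree are constructed; the script only adds the missing read/execute bits and removes write access for group and other, leaving any execute bit on scripts untouched.

```shell
#!/bin/sh
# Added example: audit and repair web permissions under a site root.

# List entries that group/other cannot read (a common cause of Error 403).
list_unreadable() {
    root=$1
    # Directories need R and E for group and other (octal 055).
    find "$root" -type d ! -perm -055
    # Files need R for group and other (octal 044).
    find "$root" -type f ! -perm -044
}

# List entries writable by anyone except the owner (W is for the owner only).
list_overwritable() {
    root=$1
    find "$root" \( -type d -o -type f \) \( -perm -020 -o -perm -002 \)
}

# Add the missing bits and drop group/other write. Execute bits on files
# are left as they are, so scripts set to 755 stay runnable.
fix_perms() {
    root=$1
    find "$root" -type d -exec chmod u+rwx,go+rx,go-w {} +
    find "$root" -type f -exec chmod u+rw,go+r,go-w {} +
}

# Constructed sample tree with typical permission mistakes; prints its path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/site/images"
    : > "$d/site/index.html"
    : > "$d/site/images/logo.png"
    : > "$d/site/upload.php"
    chmod 755 "$d/site"
    chmod 700 "$d/site/images"            # directory closed to visitors
    chmod 600 "$d/site/index.html"        # file closed to visitors
    chmod 644 "$d/site/images/logo.png"   # already correct
    chmod 666 "$d/site/upload.php"        # writable by everyone
    echo "$d/site"
}
```

Run `list_unreadable ~/public_html` and `list_overwritable ~/public_html` first to review what would change, then `fix_perms ~/public_html`; the `public_html` path here is an assumption about where your site lives.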
If you followed the instructions correctly but still cannot connect to the server, the usual cause is that you are on the wireless network, or that a firewall is blocking the connection.
How can I set up username/password access? (requirement: knowledge of UNIX command line and SSH connection)
CAUTION: if your account gets hacked into, you will lose data, and if they use your account to do further damage to the network you could end up losing account privileges.
Setting up password protection requires two steps:
htpasswd2 is a UNIX utility used to create user name and passwords for use in authenticating access to a directory (under the public_html directory).
htpasswd2 is used as follows:
htpasswd2 [-c] password_file username
The -c option flag is used only the first time, because it creates the password file; using it again will delete any existing password file and replace it with a new one. If you have previously created a password file, simply do not use the -c option flag.
password_file refers to the pathway and name of the file you will use to store your password information in. There are no restrictions on the name you give the password file, however, the accepted convention is .htpasswd
To create a password file named .htpasswd in a directory '/public_html/restricted' for a user named 'guest', you would type the following:
htpasswd2 -c /public_html/restricted/.htpasswd guest
Once you hit enter, you will be prompted to enter a new password for 'guest' and then confirm the password by entering it again. This process places the selected password into the .htpasswd file in encrypted form. Check it out. The password is encrypted to protect it from prying eyes. However, if your password isn't a good one, then someone may be able to grab a copy of the .htpasswd file and crack your password!
Adding Users & Changing Passwords
To add new users follow the above procedure without using the -c option flag.
Example:
htpasswd2 /public_html/restricted/.htpasswd nobody
Again, DO NOT USE the -c option flag.
To change a password (which should be done periodically) we again use htpasswd2:
htpasswd2 /public_html/restricted/.htpasswd guest
You will again be prompted to enter the new passwords. htpasswd2 does not provide a way to remove users from your password file. We suggest two methods: change their password, or open the .htpasswd file and delete the line that their user name appears on.
DO NOT USE your UNIX login password as your web htaccess password. Here is why: these passwords are sent over an HTTP connection as unencrypted text, which makes them vulnerable to sniffing. Additionally, HTTP sends the unencrypted password with EVERY request, in contrast with protocols like telnet that only send the password unencrypted once (this is why we strongly suggest SSH). So again, you have been warned: if your account gets hacked into, you will lose data, and if they use your account to do further damage to the network you could end up losing account privileges.
Now that the user name and password have been created and saved, we need to activate them. Every directory that you created an .htpasswd file for needs to have a .htaccess file with the following entry:
AuthName "restricted stuff"
AuthType Basic
AuthUserFile /u/mysite/public_html/private/.htpasswd
require valid-user
This will only allow users guest and nobody access to the directory. Any other users would be denied access to the directory even though they may appear in the .htpasswd file.
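The two manual steps described above, writing the .htaccess entry and deleting a user's line from the password file, as an added example that is not part of the original instructions. The function names write_htaccess and remove_user are hypothetical, and remove_user assumes each line of the password file starts with the user name followed by a colon.

```shell
#!/bin/sh
# Added example; the function names are constructed for illustration.

# Write an .htaccess into DIR that protects it with Basic authentication.
# usage: write_htaccess DIR REALM PASSWORD_FILE [USER...]
write_htaccess() {
    dir=$1 realm=$2 pwfile=$3
    shift 3
    # AuthUserFile must be a full path name; reject anything relative.
    case $pwfile in
        /*) ;;
        *) echo "AuthUserFile must be a full path: $pwfile" >&2; return 1 ;;
    esac
    if [ "$#" -gt 0 ]; then
        require="require user $*"      # only the named users
    else
        require="require valid-user"   # anyone listed in the password file
    fi
    {
        printf 'AuthName "%s"\n' "$realm"
        printf 'AuthType Basic\n'
        printf 'AuthUserFile %s\n' "$pwfile"
        printf '%s\n' "$require"
    } > "$dir/.htaccess"
}

# Remove USER from PASSWORD_FILE by deleting the line "USER:...".
# usage: remove_user PASSWORD_FILE USER
remove_user() {
    pwfile=$1 user=$2
    tmp=$(mktemp "$pwfile.XXXXXX") || return 1
    # Compare the first colon-separated field exactly, so removing
    # "guest" does not also remove "guest2".
    awk -F: -v u="$user" '$1 != u' "$pwfile" > "$tmp" &&
        cat "$tmp" > "$pwfile"   # overwrite in place to keep the file's mode
    status=$?
    rm -f "$tmp"
    return "$status"
}
```

Overwriting the password file in place, rather than moving the temporary file over it, keeps the permissions the web server needs to read it.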