EECS Instructional Support, University of California at Berkeley

SSH public hostkeys for EECS Instructional Computers

What this program is for:
The 'restrict-dir.cgi' program gives selected users (chosen by .htaccess) access via the WEB to files that are not world-readable. Usually, the WEB server requires that files be world-readable, which also exposes them to users who are logged in directly to the Instructional UNIX computers.

How to use it when accessing files in '/share/b/hostkeys':
  • 'restrict-dir.cgi' gives you access to these files, so you must read the files using the CGI program. The URL must look like (all on one line):

      ?file=
        /file-you-want

  • Files under the restricted directory must be readable by the owner of the WEB site, so that 'restrict-dir.cgi' can read them.

  • If you start your access from and step down the subdirectories from there, you will always be able to display or download the files, because 'restrict-dir.cgi' will be used to access them.

  • You can edit the '$DIR' variable in your copy of 'restrict-dir.cgi' to set the top-level restriction to be any directory that you have permission to read. Be careful not to expose any system files (such as /etc/passwd) that should not be displayed to the world over the WWW.

How to set it up:
  • You can copy this program from ~inst/public_html/restrict_demo/SSLonly/index.cgi into your own directory on an Instructional UNIX system such as cory.eecs.berkeley.edu.

  • Example: user "jdoe" wants to allow restricted access to the UNIX directory ~jdoe/public_html/restricted, including all files and subdirectories under it except the ~jdoe/public_html/restricted/denied subdirectory.

  • Files, ownership and permissions in the restricted directory:

      ls -al ~jdoe/public_html/restricted
      drwxr-xr-x   3 jdoe  users   1024 Jul 18 17:15 ./
      drwx--x--x  21 jdoe  users   1536 Jul 15 15:20 ../
      -rw-r--r--   1 jdoe  users    127 Jul 15 00:24 .htaccess
      drwx------   2 jdoe  users    512 Jul 18 23:36 allowed1/
      -rw-------   1 jdoe  users   2414 Jun 18 19:06 allowed2
      d---------   2 jdoe  users    512 Jul 18 23:36 denied/
      -rwx------   1 jdoe  users  17650 Jul 19 11:26 restrict-dir.cgi*

  • The URL inst.eecs.berkeley.edu/~jdoe/restricted will invoke the restrict-dir.cgi program, which will run with the permissions of its owner. (That is a feature of the WEB server.)

  • File permissions can be set using these UNIX commands:

      chmod 644 .htaccess
      chmod 700 restrict-dir.cgi
      chmod 700 allowed1    # a directory
      chmod 600 allowed2    # a file
      chmod 000 denied      # for a directory or a file
      chown jdoe .htaccess restrict-dir.cgi allowed1 allowed2

  • Sample contents of the .htaccess file:

      <Limit GET>
      order deny,allow
      deny from all
      allow from jdoe.hip.berkeley.edu 128.32.138.62 jdoe.eecs.berkeley.edu
      </Limit>

  • This program should be installed in a subdirectory of the public_html directory in the file owner's UNIX account. This allows the WEB server to find it.

  • You can edit the '$DIR' variable in your copy of 'restrict-dir.cgi' to set the top-level restriction to be any directory that you have permission to read. When this program is invoked as a URL, it will display that directory. Please be careful not to expose any system files (such as /etc/passwd) that should not be displayed to the world over the WWW.

  • There should be no 'index.html' or 'index.shtml' files in the directory.

  • .htaccess restricts access only by computer. An .htpasswd file could be used to prompt individual users for a password. .htpasswd is best used along with SSL-encrypted WEB sessions; please see Restricting Access to your WEB Site for information about that.
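
The permission layout from the jdoe example can be checked with a short shell script. This is an added example, not part of 'restrict-dir.cgi' or of the original page; the function names (mode_of, expect_mode, list_findings, audit_restricted_dir) are made up for illustration, and the expected modes are the ones set by the chmod commands above.

```shell
#!/bin/sh
# Added example (not the original program): audit a restrict-dir.cgi directory
# against the modes set by the chmod commands in the jdoe example.

# Print the nine permission characters of a path, e.g. "rwx------".
mode_of() { ls -ld -- "$1" | cut -c2-10; }

# expect_mode FILE MODE: print a finding unless FILE exists with exactly MODE.
expect_mode() {
    if [ ! -f "$1" ]; then
        echo "FINDING: $1 is missing"
    elif [ "$(mode_of "$1")" != "$2" ]; then
        echo "FINDING: $1 is $(mode_of "$1"), expected $2"
    fi
}

# list_findings DIR: print one line per deviation from the page's setup.
list_findings() {
    dir=$1
    expect_mode "$dir/.htaccess" "rw-r--r--"          # chmod 644
    expect_mode "$dir/restrict-dir.cgi" "rwx------"   # chmod 700
    # The page requires that no index.html or index.shtml exist here.
    for idx in index.html index.shtml; do
        if [ -e "$dir/$idx" ]; then echo "FINDING: $dir/$idx must not exist"; fi
    done
    # Every other entry must carry no group/other bits (700, 600 or 000).
    for f in "$dir"/* "$dir"/.[!.]*; do
        # Skip unmatched globs and symlinks (ls would show the link's own mode).
        if [ -L "$f" ] || [ ! -e "$f" ]; then continue; fi
        case ${f##*/} in .htaccess|restrict-dir.cgi) continue ;; esac
        if [ "$(mode_of "$f" | cut -c4-9)" != "------" ]; then
            echo "FINDING: $f is $(mode_of "$f"), group/other bits are set"
        fi
    done
}

# audit_restricted_dir DIR: print findings; exit status 0 only when clean.
audit_restricted_dir() {
    out=$(list_findings "$1")
    if [ -n "$out" ]; then echo "$out"; return 1; fi
    echo "OK: $1 matches the expected layout"
}

# Run as: sh audit.sh ~/public_html/restricted
[ $# -eq 0 ] || audit_restricted_dir "$1"
```

Only the entries inside the directory are checked; the directory itself and its parents keep the modes shown in the ls listing above.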


  • about this program
  • Wed Aug 16 8:07:04 2017
    'restrict-dir.cgi' by kevinm@eecs.berkeley.edu