I’ve been using the “Sites” folder in my local home directory for some web development testing recently. I had a couple of directories created that didn’t include an “index.html” file. That means that anyone hitting the directory itself could list the contents and see all the other files I was working on in there. Not a major problem for what I was doing but a security issue none the less. After a quick bit of research I found it was quite easy to disable this at the command line.
Open Terminal and type
cd /private/etc/apache2/users. Inside the “users” folder will be conf files for each of the users with accounts on the machine. So, if we have a user with the short name of “joe” on the machine there will be a file in there named “joe.conf”.
To edit this file you need to have root permissions. So open it using
sudo. I prefer using
pico as my editor but use whichever works for you. The command below assumes you are already in the “users” folder.
sudo pico joe.conf
You’ll see something like this:
Options Indexes MultiViews
Allow from all
Navigate down to the line
Options Indexes MultiViews. Carefully delete the
Indexes part of the line and save the file. Now restart Apache, either by going to System Preferences and turning off and then back on Web Sharing, or at the command line by typing
sudo apachectl restart.
Now navigate to a directory in your “Sites” folder that doesn’t have an index file. You should get a “403 No permissions” error unless you specify a file. Much more secure. Note that you’ll need to do this individually for each account on the machine.
I’ve tested this with Snow Leopard and I’m betting it will work with Leopard. I’m not sure if versions of the OS below 10.5 support this feature.