Public directory browsing


Private areas (paths containing the word protected/) are browsable via an Apache rule even when no index.html is available. This is the default. For the public areas, especially the ~xxx/ user areas, directory browsing was turned off by default to avoid some side effects we explain below.

We do, however, provide a simple way to make directory browsing available if users really need it. We have installed the AutoIndex tool, and it is available to all STAR users. More details on how it works are provided below. The tool restores a convenience to our users while, at the same time, allowing us either to comply with cyber-security regulations by implementing global rules for directory browsing or to add/extend directory browsing with add-on features as our users need them.

Helper script

To generate an index, simply go into a Web-accessible directory and issue the following command:

% WebIndex

An AutoIndex.php script will be generated, and our Web server will execute it whenever it finds it, subject to the rules explained in the next section.

Note that only one such file allows browsing of an entire directory tree - you DO NOT need to create one per sub-directory. However, by global rule (see below), if a sub-directory contains a file named index.html or index.php, AutoIndex will "jump" to that file and display or execute its content. In that case, directory browsing stops in this branch of the tree (so you have a way to disable automatic directory browsing and hide content if you need to).

Global rules

Note: Please respect our global rules and use our installed version, as most of them correspond to BNL cyber-security concerns: finding some of the special files listed below, for example, would flag our Web server as "vulnerable" and require corrective action.

We have set the following global rules:

  • Functional
    • Only one AutoIndex file is needed for browsing an entire directory tree. However, if a sub-directory in the tree contains a file named index.html or index.php, that file will be "opened" (i.e. displayed or executed, respectively) instead. This feature allows one AutoIndex file to be present without interfering with your previous documents. An additional consequence (and required feature) is that, should you need to disable directory browsing in a particular branch of a tree with one AutoIndex file on top, you CAN disable it by adding such an Apache-style index file.
    • Soft-linked files (or directories) are skipped. This avoids side effects such as infinite recursive directory lookups by spiders and bots, and also matches our Apache rules, which deny access when downloading/accessing files in a linked tree.
  • General exclusion (part of the AutoIndex tool's exclusion list) - the following files or directories will never be displayed:
    • style.css stylesheet content
    • index_icons/, languages/, templates/ directories
    • *.php - exposing code as text is a possible security issue
  • Cyber-security related. Several files are skipped by default and will not show in the directory browsing listing:
    • *~ or #* files - emacs- or vim-like backup files
    • *.old, *.bak, *.save, *.orig, *.hide - frequent extensions used for backup copies made by users
    • *.exe - Windows executables
    • *.bat, *.com - Windows BAT and COM files
  • Other security issues
    • .ht* - aims to exclude .htaccess and .htpasswd if they exist. Apache already excludes those, but it is easy to forget to implement this rule at the Apache level. The content of those files should always be hidden.
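To make the global rules above and the index.html/index.php "jump" behaviour concrete, here is an added Python illustration of the listing decision they describe. It is not the AutoIndex or WebIndex code itself: the pattern list, the directory names, the `list_directory` and `build_demo_tree` helpers and the sample tree are all constructed here to show which entries a rule-compliant listing would expose and which it would hide.

```python
import fnmatch
import os
import tempfile

# Constructed exclusion patterns mirroring the page's global rules
# (illustration only, not the AutoIndex tool's own configuration).
EXCLUDED_PATTERNS = [
    "style.css",                                   # stylesheet content
    "*.php",                                       # never serve code as text
    "*~", "#*",                                    # editor backup files
    "*.old", "*.bak", "*.save", "*.orig", "*.hide",  # user backup copies
    "*.exe", "*.bat", "*.com",                     # Windows executables/scripts
    ".ht*",                                        # .htaccess, .htpasswd
]
EXCLUDED_DIRS = {"index_icons", "languages", "templates"}
INDEX_FILES = ("index.html", "index.php")


def is_hidden(name: str) -> bool:
    """True if an entry name matches any exclusion pattern."""
    return any(fnmatch.fnmatch(name, pat) for pat in EXCLUDED_PATTERNS)


def list_directory(path: str) -> dict:
    """Decide what a listing of `path` would show.

    Returns {"jump_to": <index file name> or None, "entries": [names]}.
    If an Apache-style index file is present, the listing stops and the
    index file is opened instead, exactly as the global rules describe.
    """
    for idx in INDEX_FILES:
        candidate = os.path.join(path, idx)
        if os.path.isfile(candidate) and not os.path.islink(candidate):
            return {"jump_to": idx, "entries": []}

    entries = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.islink(full):
            continue                     # soft links are skipped
        if os.path.isdir(full) and name in EXCLUDED_DIRS:
            continue                     # tool-internal directories
        if is_hidden(name):
            continue                     # backup, code and .ht* files
        entries.append(name + "/" if os.path.isdir(full) else name)
    return {"jump_to": None, "entries": entries}


def build_demo_tree() -> str:
    """Create a constructed sample tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="autoindex_demo_")
    for f in ["report.pdf", "notes.txt", "notes.txt~", "#notes.txt#",
              "run.bat", "AutoIndex.php", ".htaccess", "data.old", "style.css"]:
        open(os.path.join(root, f), "w").close()
    for d in ["plots", "templates", "private"]:
        os.mkdir(os.path.join(root, d))
    # A branch with its own index.html: browsing must stop here.
    open(os.path.join(root, "private", "index.html"), "w").close()
    try:
        os.symlink(os.path.join(root, "plots"), os.path.join(root, "plots_link"))
    except OSError:
        pass  # platforms without symlink support simply omit this entry
    return root


def demo() -> dict:
    """Run the listing logic over the constructed tree."""
    root = build_demo_tree()
    return {
        "top": list_directory(root),
        "private": list_directory(os.path.join(root, "private")),
    }


if __name__ == "__main__":
    result = demo()
    print("top-level listing :", result["top"])
    print("private/ listing  :", result["private"])
```

Running it shows the top level reduced to `notes.txt`, `plots/`, `private/` and `report.pdf`, with the backup copies, the `.htaccess`, the `.bat` file, the stylesheet, the `templates/` directory and the symlink all hidden, while `private/` reports a jump to its `index.html` and lists nothing. The same check can be pointed at a real Web-accessible directory before running `WebIndex` to see what a listing would expose.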