Allow 404 File Permissions For .htaccess Files DSO

[AITpro Admin]

I did google searches like these below and found clues to how this issue was finally resolved, but did not come across the solution that Amel figured out.

Apache unable to set .htaccess file permissions to 404 DSO
.htaccess file 404 permissions causes 403 error DSO
Allow 404 file permissions for .htaccess files DSO
unable to use 404 file permissions for .htaccess files DSO

Additional search terms used by Amel:

Enable file locking in CentOS
PHP is not able to read 404 permissions on .htaccess files
Scripts cannot read the htaccess if set a permission of 404
Unable to lock the .htaccess file
Which php execution mod to use in order to be able to lock the .htaccess files with a permission 404

Amel has a self hosted DSO configured Server and was unable to to set file permissions of his Root .htaccess file to 404 Read-Only permissions without causing a 403 Error and crashing his website.

Amel’s solution is below:

This is what I exactly did:
****************************************************************************************
Apache server have following PHP execution modes:
Apache mod_php (run as Apache’s user)
CGI wrapper (run as virtual server owner) —- switched to this mode now
FCGId (run as virtual server owner) —– I used this one before
So after that, I was able to lock the root .htacecss file BUT !!
I could not lock it from BPS F-Lock web form, I had to log on to the server as root and lock it manually

by changing the .htaccess file permissions from 644 to 404. I tried several times to lock the root htaccess via F-Lock but it cannot lock the file, still red marked as unlocked, but when I manually lock the file via SSH

then I refresh the F-Lock it shows correct that root htaccess I locked and it’s green colored…
****************************************************************************************

However I am able to lock these files within F-Lock:
wp-config.php
index.php
wp-blog-header.php

But not htaccess, htaccess needs to be locked directly via SSH using either cli chmod, or WinSCP to set the permission 404

Than the F-Lock shows it as locked and have the green color…
Regarding the root .htaccess locking via F-Lock I found following error log, so You can check it:

[27-Jan-2013 13:17:39] PHP Warning:  chmod(): Operation not permitted in /home/xxxxx/public_html/wp-content/plugins/bulletproof-security/admin/lock/flock.php on line 215

This log can be interesting to find out why we cannot lock the root htaccess from F-Lock when the server is running in CGI wrapper mode…

PS: when running server in CGI Wrapper mode, the F-Lock shows it as follows:

Server API: cgi-fcgi – Your Host Server is using CGI. Use the CGI File Lock and Unlock options.

when using:
*******************************************************************************************************************

CGI wrapper (run as virtual server owner), we can set the permission 404 on htaccess file which is:
READ only for “Owner”   “Other”

 4      0      4

FCGId (run as virtual server owner), we can set the permission 444 on htaccess file which is:
READ only for: “Owner” “Group” “Other”

 4     4       4

Both permissions 444 and 404 gives the READ only, but the only difference is that when using FCGId we have to add a “Group” as well on Read Only

in order to be able to proccess the .htaccess file
*******************************************************************************************************************

Hm ok, but it is not a problem for me to reconfigure the htaccess permission manually, just set the 404 via SSH and that’s it. it works file is locked.. But I can use the F-Lock to lock the index.php we-config etc… but only lock htaccess via ssh… it’s ok for me if this is ok for BPS ?

If I lock it manually, will it impact the BPS later when changing the parameters ??
*******************************************************************************************************************

Additional Info Added:
Please keep in mind that we also need to update following configuration in the Aapche httpd.conf file as well:

<Directory />     
Options FollowSymLinks     
AllowOverride all -------------- WE MUST SET THE "all" in order to be able to lock the .htaccess file and it's still being readable by the server !! regardless of which php execution mode we use we have to set to "all" so .htaccess can be read when locked !
</Directory>

So in short,

if You will lock the .htaccess file running in FCGId (run as virtual server owner) mode, than lock it with a permission 444 (WORKS !)

if You will lock the .htaccess file running in CGI wrapper (run as virtual server owner)mode, than lock it with a permission 404 (WORKS!)

[AITpro Admin]

Well done on finding the solution Amel!!!!

I am not really sure why you can lock the other files.  Typically DSO folks have to manually lock all files and manually either change permissions or change ownership on files or folders.

So no manually locking the file does not cause any problems except for this one – you will have to manually unlock the file before installing a BPS Pro upgrade otherwise BPS will not be able / allowed to automatically update your root .htaccess file.  This is just what is with DSO unfortunately.

[Author]

Posts