If you use an Apple machine and work on a Linux server, sooner or later, you are going to get a PCI Compliance warning that you are using hidden files in your files directory, and they consider that a PCI Compliance no no.  This will surely get you flagged on this item so its best to remove them from the server.

When you navigate the Apache folders, your Mac will leave behind the .DS_STORE files in the directories.  This also happens if you upload files and directories from your Mac to the server via FTP.  What are these files?  They are used by the Mac to remember how you opened a file and to display what view should be used in the future for reopening that file or folder.

The .DS_Store files that are written to the web server folders can contain the file names that are on the server and this is certainly a security problem because a hacker could get hold of the .DS_Store file and then try to download the files by name.  The DS_Store file contains the full names, something that is normally hidden. But if you are using an Apache server,  it can be configured to not hand out those file names.

The following command can be run to [level-premier-free] remove any .DS_Store files on your web server’s document roots:

find /var/www/vhosts/*/http*docs/ -type f -name .DS_Store -exec rm -rf {} \;

To solve the problem of your server acting as an agent to this free information, use a <FilesMatch> directive in httpd.conf to forbid retrieval of this file:

# The Finder creates an invisible .DS_Store file in each directory.
# For ‘no-index’ access controls to be effective, we had better forbid
# retrieval of that file as well. Note that we have to protect
# against the same case-insensitivity bug as above.
<FilesMatch “^\.DS_Store”>
Order allow,deny
Deny from all

This will block access to any hidden file (a file with the prefix of ‘.DS_Store’).   Once finished:

# sudo apachectl restart


2 thoughts on “Removing DS_Store files on Linux Server”

  1. I want to use the method above:

    Do I include everything from the first # sign to ?

    Will this prevent .DS Stores files from being added via FTP?

  2. this will work on a plesk server. to use on a cpanel server use this:

    find / -type f -name .DS_Store -exec rm -rf {} \;

    cpanel does not use the /var…format they use /home

Leave a Reply

Your email address will not be published. Required fields are marked *