Return-Path:
Delivered-To: new-httpd-archive@hyperreal.org
Received: (qmail 13093 invoked by uid 6000); 25 May 1998 10:03:01 -0000
Received: (qmail 12911 invoked from network); 25 May 1998 10:02:57 -0000
Received: from adler.unix-ag.uni-siegen.de (141.99.42.52) by taz.hyperreal.org with SMTP; 25 May 1998 10:02:57 -0000
Received: from doubleshadow.unix-ag.org (isdna73.hrz.uni-siegen.de [141.99.174.73]) by adler.unix-ag.uni-siegen.de (Mailhost) with ESMTP id MAA04485 for ; Mon, 25 May 1998 12:00:11 +0200
Received: (from sfx@localhost) by doubleshadow.unix-ag.org (Mailhost) id MAA00397 for new-httpd@apache.org; Mon, 25 May 1998 12:04:36 +0200
Message-ID:
X-Mailer: XFMail 1.3 [p0/sfx] on Linux
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To:
X-PGP-KeyID: F88341D9
Date: Mon, 25 May 1998 12:04:36 +0200 (CEST)
Organization: German Unix-AG Association
From: Lars Eilebrecht
To: new-httpd@apache.org
Subject: Re: general/2270: Required Patches to Apache sources for FrontPa
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

According to Gregory A Lundberg:

> Only one problem: this all depends upon having mod_auth, .htaccess files,
> group and user (htpasswd) files. What happens if one of these isn't
> there? Why we let _anyone_ .. that's right .. anyone in the world .. have
> at our nice Frontpage (or whatever) CGIs. That sucks raw eggs at MACH 9
> through a straw doesn't it? All this work making things secure and some
> dumb user FTPs in and DELEtes his .htaccess file blowing it all away.

Why do you want to use .htaccess at all? IMHO such security relevant things
should only go into the main server configuration.

> So we need one last change: we need to be ABSOLUTELY SURE _this_ URL was
> approved through mod_auth with a valid .htaccess and a valid password
> challenge and response.

IMHO a check with ap_some_auth_required() is sufficient.
If authentication fails the request is already kicked out by mod_auth_any and
with a call to ap_some_auth_required() you know that there is a require
directive for this request and the user has been authenticated.
Or am I wrong?

ciao...

-- 
Lars Eilebrecht                  - Did you know...
sfx@unix-ag.org                  - That no-one ever reads these things?
http://www.home.unix-ag.org/sfx/
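A stand-alone sketch added here of the gate Lars describes (not code from this thread or from Apache itself): constructed stand-ins for request_rec and require_line, a some_auth_required() that makes the same method-mask test over the require lines that Apache 1.3's ap_some_auth_required() makes over the per-directory config, and a CGI handler that refuses unless a require line covers the URL and an authenticated user is present. The user field stands in for Apache 1.3's r->connection->user; check_scenario() and the sample values in it are constructed for illustration.

```c
#include <stddef.h>

/* Constructed stand-in for the parts of Apache 1.3's request_rec and
 * require_line that this check reads; the real structures are far larger. */
#define OK                0
#define HTTP_UNAUTHORIZED 401
#define HTTP_FORBIDDEN    403
#define M_GET             0          /* Apache's method number for GET */

typedef struct {
    int method_mask;                 /* bit set per method the require covers */
    const char *requirement;         /* e.g. "valid-user" or "group fpusers" */
} require_line;

typedef struct {
    int method_number;
    const char *user;                /* filled in by mod_auth after a valid response */
    const require_line *reqs;        /* require lines in effect for this URI */
    int nreqs;
} request_rec;

/* Same test as Apache 1.3's ap_some_auth_required(): does any require
 * directive apply to this request's method? */
int some_auth_required(const request_rec *r)
{
    for (int i = 0; i < r->nreqs; i++)
        if (r->reqs[i].method_mask & (1 << r->method_number))
            return 1;
    return 0;
}

/* Gate a FrontPage-style CGI handler runs before doing any work: refuse
 * unless auth was required for this URL and was actually satisfied. */
int cgi_handler(const request_rec *r)
{
    if (!some_auth_required(r))
        return HTTP_FORBIDDEN;       /* no require line: .htaccess missing or deleted */
    if (r->user == NULL || r->user[0] == '\0')
        return HTTP_UNAUTHORIZED;    /* require line present, nobody authenticated */
    return OK;
}

/* Builds one of the situations from the thread (constructed) and returns the verdict. */
int check_scenario(int has_require, int has_user)
{
    static const require_line valid_user = { 1 << M_GET, "valid-user" };
    request_rec r = { M_GET, has_user ? "lars" : NULL,
                      has_require ? &valid_user : NULL, has_require ? 1 : 0 };
    return cgi_handler(&r);
}
```

The fourth case in the test below is the one Gregory worries about: a username present from elsewhere does not help when no require line covers this URL, so the handler still refuses.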