httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Harris" <>
Subject RE: Change relative path for AuthUserFile, perhaps?
Date Thu, 13 May 1999 14:39:12 GMT

I can't argue that having the password files outside of the DocumentRoot is
more fundamentally secure. However, I'm willing to trade some security for
some convenience here. And I think I can get most of my users to used a
blocked filename for their password files... they follow directions pretty

But I don't think I'm giving up that much security in this ISP environment.
The files are not that secure, because in the UNIX permission world they are
global readable. Someone can just buy an account on that system and then
read the "secure" files.

I can't expect everyone to want the tradeoff that I do. I'm just thinking
that more people toss the .htaccess and password file in the same directory,
so a relative pathname might make it easier for these people. If we do this
change, you are still free to keep your password files out of the

It's no biggie... just something that has annoyed me over the years with
Apache. (he, he.. and I'm probably spending more time lobbying for the
change than I will writing out full pathnames for Auth*File directives in
the next ten years.)

 - David Harris
   Principal Engineer, DRH Internet Services

-----Original Message-----
From: [] On
Behalf Of
Sent:	Thursday, May 13, 1999 12:29 AM
Subject:	RE: Change relative path for AuthUserFile, perhaps?

Why not just keep your password files outside of your document tree?  It's
a good practise to get into, give multiple layers of security.  For
example, if AllowOverride becomes None, your password file is now
viewable.  Or if someone goes and changes your web server to a slightly
different type, which still supports .htaccess files (like Zeus, or a
patched thttpd that I saw somewhere).  That won't happen to you, but it
could happen if some ISP decides to change their system, and now they've
got a big problem.  Plus, not everyone calls the file .htpasswd, some call
it .passwd or .passwrd, or infinite variations.  You could account for all
of them, or send out a memo detailing this precaution, but it'd be better
IMHO to just stick to a pre-established, more fundamentally secure

tani hosokawa
river styx internet

View raw message