httpd-dev mailing list archives

From <unkn...@riverstyx.net>
Subject RE: Change relative path for AuthUserFile, perhaps?
Date Thu, 13 May 1999 04:29:20 GMT
Why not just keep your password files outside of your document tree?  It's
a good practice to get into, giving multiple layers of security.  For
example, if AllowOverride becomes None, your password file is now
viewable.  Or if someone goes and changes your web server to a slightly
different type, which still supports .htaccess files (like Zeus, or a
patched thttpd that I saw somewhere).  That won't happen to you, but it
could happen if some ISP decides to change their system, and now they've
got a big problem.  Plus, not everyone calls the file .htpasswd, some call
it .passwd or .passwrd, or infinite variations.  You could account for all
of them, or send out a memo detailing this precaution, but it'd be better
IMHO to just stick to a pre-established, more fundamentally secure
philosophy.

---
tani hosokawa
river styx internet


On Wed, 12 May 1999, David Harris wrote:

> 
> unknown@riverstyx.net wrote:
> > Is that really necessary?  If you go that route, you'll need to add a
> (normally) unnecessary <file .htpasswd> directive to httpd.conf.  It's
> > still possible for the users to use .htpasswd files since they can just
> > specify an absolute path.
> 
> Well, every .htpasswd file I see is in the same directory as the .htaccess
> file... so specifying the full path gets annoying. I really hate moving a
> directory and then having things break because of absolute pathnames. I
> think the interpretation should be relative because the setup is usually
> relative.
> 
> I don't see the <file .htpasswd> directive as a problem. It's actually
> beside the point, because my .htpasswd files are already inside the
> DocumentRoot... it's a prudent thing to do even if Auth*File is not relative
> to the .htaccess file.
> 
>  - David Harris
>    Principal Engineer, DRH Internet Services
> 
> 
> -----Original Message-----
> From:	new-httpd-owner@apache.org [mailto:new-httpd-owner@apache.org] On
> Behalf Of unknown@riverstyx.net
> Sent:	Wednesday, May 12, 1999 11:37 PM
> To:	new-httpd@apache.org
> Subject:	Re: Change relative path for AuthUserFile, perhaps?
> 
> Is that really necessary?  If you go that route, you'll need to add a
> (normally) unnecessary <file .htpasswd> directive to httpd.conf.  It's
> still possible for the users to use .htpasswd files since they can just
> specify an absolute path.
> 
> ---
> tani hosokawa
> river styx internet
> 
> 
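
An audit along the lines of the advice in this message, as an added example that is not part of the original thread: instead of matching file names such as .htpasswd, .passwd or .passwrd, it reads the AuthUserFile/AuthGroupFile lines in each .htaccess and reports every target that resolves inside the document tree. The function names, the `.htaccess` access-file name, the default `server_root` value and the sample tree are assumptions made for the example.

```python
import os
import re
import tempfile

# Directives whose argument names a credential file, whatever it is called.
DIRECTIVE = re.compile(r'^\s*(AuthUserFile|AuthGroupFile)\s+("?)(.+?)\2\s*$', re.I)

def find_exposed_auth_files(docroot, server_root="/usr/local/apache"):
    """Return (htaccess, directive, resolved_target) for each Auth*File
    target that resolves to a path inside docroot."""
    docroot = os.path.realpath(docroot)
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files:  # assumes the default AccessFileName
            continue
        htaccess = os.path.join(dirpath, ".htaccess")
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                m = DIRECTIVE.match(line)
                if not m:
                    continue
                target = m.group(3)
                # Relative targets are resolved against ServerRoot (assumed value).
                if not os.path.isabs(target):
                    target = os.path.join(server_root, target)
                resolved = os.path.realpath(target)  # follows symlinks
                if os.path.commonpath([docroot, resolved]) == docroot:
                    exposed.append((htaccess, m.group(1), resolved))
    return exposed

def demo():
    """Audit a constructed sample tree: one password file inside the
    document tree under a non-standard name, one outside it."""
    with tempfile.TemporaryDirectory() as top:
        top = os.path.realpath(top)
        docroot = os.path.join(top, "htdocs")
        members = os.path.join(docroot, "members")
        admin = os.path.join(docroot, "admin")
        for d in (members, admin, os.path.join(top, "auth")):
            os.makedirs(d)
        with open(os.path.join(members, ".htaccess"), "w") as fh:
            fh.write("AuthType Basic\nAuthUserFile %s/.passwrd\n" % members)
        with open(os.path.join(admin, ".htaccess"), "w") as fh:
            fh.write('AuthType Basic\nAuthUserFile "%s/auth/admin.users"\n' % top)
        return [(os.path.relpath(h, docroot), d, os.path.relpath(r, docroot))
                for h, d, r in find_exposed_auth_files(docroot, server_root=top)]

if __name__ == "__main__":
    print(demo())
```

Only the `members` entry is reported: its password file sits in the document tree under a name a `.htpasswd`-only deny rule would miss, while the `admin` file lives outside the tree and is not flagged.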

