httpd-users mailing list archives

From "Gunter Sammet" <Gun...@SammySolutions.com>
Subject RE: [users@httpd] htpasswd security question
Date Fri, 30 Aug 2002 19:49:57 GMT
Thanks Robert:
Thanks Jacob:

	This is a reseller package on a shared server. So I don't think we have
access to php.ini and httpd.conf. Also, changing the user Apache runs as won't
be an option. I doubt that chown would be an option either.


<snip>
Make apache run as nobody, chown /.htpasswd/<subfolder>/  to be
nobody.nobody and perms to be 700.

When you've created/updated the file through php, chmod($filename, 0700);
This way, only the webserver can read your htaccess dir, and no other users.

By default, files in php are written using the owner.group that the caller
runs as (normally nobody.nobody).  There is a setting in php.ini that sets
the default perms of a new file.

PHP does have a chown() function, but you really don't want to enable it if
you allow any of your users to run php.
</snip>


	The name in the respective directory doesn't start with "."; it is plain
htpasswd.

	I'll try chmod before and after. Hope it will work.

	If not, would it be an option to leave it as 777 and put an .htaccess file
into the directory which would just deny all outside users?


<snip>
The permissions on the server will certainly be important.  However, as far
as being able to get an .htaccess or .htpasswd file by requesting it through
the Apache, there is a denial...

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

This is probably already in your httpd.conf file and will keep those files
from being directly served.
</snip>


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
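
An added example, not part of the original message: a small audit for the two exposures raised in this thread. The quoted <Files ~ "^\.ht"> rule only matches names that begin with ".ht", so a file named plain "htpasswd" is not covered by it, and mode 777 lets every local user on a shared server read or replace the file. Function names and the temporary demo paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Succeeds when the basename starts with ".ht", i.e. matches the ^\.ht
# pattern of the quoted <Files> block, so Apache refuses to serve it.
name_is_covered() {
    case "$(basename "$1")" in
        .ht*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Print the "other" permission digit of a path (GNU stat, then BSD stat).
other_bits() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    printf '%s\n' "${mode#"${mode%?}"}"
}

# Print one finding per line for password file $1; print nothing if clean.
audit_pwfile() {
    f=$1
    d=$(dirname "$f")
    name_is_covered "$f" ||
        printf '%s\n' "NAME $f: not covered by the ^\.ht deny rule"
    case "$(other_bits "$f")" in
        [4567]) printf '%s\n' "READ $f: readable by every local user" ;;
    esac
    case "$(other_bits "$d")" in
        [2367]) printf '%s\n' "WRITE $d: any local user can replace files here" ;;
    esac
    return 0
}

# Constructed demo: the 777 "htpasswd" layout from the thread, then the
# 700 layout suggested in the quoted reply with a ".ht" name.
demo=$(mktemp -d)
mkdir "$demo/weak" "$demo/fixed"
: > "$demo/weak/htpasswd";   chmod 777 "$demo/weak" "$demo/weak/htpasswd"
: > "$demo/fixed/.htpasswd"; chmod 700 "$demo/fixed" "$demo/fixed/.htpasswd"
audit_pwfile "$demo/weak/htpasswd"      # three findings
audit_pwfile "$demo/fixed/.htpasswd"    # no output
rm -rf "$demo"
```

The audit covers only the file name and the permission bits; whether the directory is reachable over HTTP depends on the server configuration, which it does not inspect.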

