httpd-users mailing list archives

Subject [users@httpd] Weird sbitting of htdigest
Date Tue, 21 Feb 2006 10:09:36 GMT

I needed to "protect" a URI of my webserver.
Since the Base64 encoding of mod_auth seemed too revealing to me,
and on the other hand SSL/TLS too involved
I looked for something in between and came across

With mod_auth_digest comes the utility program htdigest
to create and maintain a password file with MD5 hashes similar to
htpasswd of mod_auth for Base64.

When I created my first passwd file with htdigest I was baffled to
realize that the htdigest binary from my installation produced
a passwd file with suid, sgid and the sticky bit set.

Ugh, what the heck is any sbit necessary for a flat password


# ls -ld /tmp
drwxrwxrwt  6 root root 1024 Feb 21 10:31 /tmp
# htdigest -c /tmp/bogus.passwd Rotten\ Vault visitor
Adding password for visitor in realm Rotten Vault.
New password: 
Re-type new password: 
# ls -l /tmp/bogus.passwd 
-rwsr-sr-t  1 root root 54 Feb 21 10:34 /tmp/bogus.passwd

Needless to say, I immediately revoked those bits by

# chmod u-sx,g-sx,o-xt /tmp/bogus.passwd 
# ls -l /tmp/bogus.passwd 
-rw-r--r--  1 root root 54 Feb 21 10:34 /tmp/bogus.passwd

without breaking the functionality of MD5 Digest authentication
at all.

root's umask during htdigest invocation was

# umask

I consider this, in my view redundant, sbit setting a severe
security infringement
(think of a DMZ webserver for the WWW)

I have to admit that I initially installed Apache from the
Fedora Core 3 prebuilt RPMs

# rpm -qf $(which htdigest)

# uname -srv
Linux 2.6.9-1.667smp #1 SMP Tue Nov 2 14:59:52 EST 2004
# cat /etc/redhat-release 
Fedora Core release 3 (Heidelberg)

Now I'm very much inclined to compile any Apache for public
from the source tarballs with no DSO and only statically compiled-in
modules.

Or did I miss something, and there is a hidden sense behind all


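As an added example (not code from the post, from the Apache project or from Fedora), here is a small POSIX shell audit that does what the post did by hand: it detects the setuid, setgid and sticky bits on htdigest or htpasswd output files, reports them, and strips them with the same chmod the post used, so the check can be run over every password file on a host. It assumes GNU coreutils `stat -c %a`; the sample file name, realm and hash value are constructed for the demo and are not a real digest.

```shell
#!/bin/sh
# Added example, not code from the original post or the Apache project.
# Audit flat password files (htdigest/htpasswd output) for the setuid,
# setgid and sticky bits, which such a file never needs, and strip them
# with the same chmod the post used (chmod u-sx,g-sx,o-xt).
# Assumption: GNU coreutils `stat -c %a` (prints the octal mode, e.g. 7644).

# Octal mode of a file as printed by GNU stat, e.g. 644 or 7644.
file_mode() {
    stat -c '%a' "$1"
}

# Leading "special" digit of the mode: setuid=4, setgid=2, sticky=1 (or 0).
special_bits() {
    mode=$(file_mode "$1")
    case "$mode" in
        ????) printf '%s\n' "${mode%???}" ;;   # four digits: first is special
        *)    printf '0\n' ;;                  # three digits: nothing set
    esac
}

# True (exit 0) when any of setuid/setgid/sticky is set on the file.
has_special_bits() {
    [ "$(special_bits "$1")" -ne 0 ]
}

# One-line description, e.g. "7644 setuid setgid sticky".
describe_special_bits() {
    s=$(special_bits "$1")
    out=$(file_mode "$1")
    [ $((s & 4)) -ne 0 ] && out="$out setuid"
    [ $((s & 2)) -ne 0 ] && out="$out setgid"
    [ $((s & 1)) -ne 0 ] && out="$out sticky"
    printf '%s\n' "$out"
}

# Strip the special and execute bits, exactly the chmod from the post,
# and succeed only if no special bit remains afterwards.
fix_passwd_file() {
    chmod u-sx,g-sx,o-xt "$1" || return 1
    ! has_special_bits "$1"
}

# Audit (and fix) every file given; exit 0 only if all are clean at the end.
audit_passwd_files() {
    rc=0
    for f in "$@"; do
        if has_special_bits "$f"; then
            printf 'FIX  %s (%s)\n' "$f" "$(describe_special_bits "$f")"
            fix_passwd_file "$f" || rc=1
        else
            printf 'OK   %s (%s)\n' "$f" "$(file_mode "$f")"
        fi
    done
    return "$rc"
}

# Constructed demo input: an htdigest-style line (user:realm:hash) with the
# same -rwsr-sr-t mode the post observed. The hash is a placeholder.
make_constructed_passwd() {
    d=$(mktemp -d)
    f="$d/bogus.passwd"
    printf 'visitor:Rotten Vault:%s\n' '00000000000000000000000000000000' > "$f"
    chmod 7644 "$f"
    printf '%s\n' "$f"
}

# Run with --demo to see the audit repair the constructed file.
if [ "${1-}" = "--demo" ]; then
    demo_file=$(make_constructed_passwd)
    audit_passwd_files "$demo_file"
    rm -rf "$(dirname "$demo_file")"
fi
```

Run it as `sh audit_passwd.sh --demo` to see the constructed file reported as `FIX` with its special bits named and then left at mode 644; in real use pass the password files named in your `AuthUserFile` directives instead. On a mount with `nosuid` the kernel would ignore the bits anyway, but the check still flags them, since a file whose mode looks like a setuid binary is exactly what a reviewer of a DMZ host should not have to explain.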