httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Vincenzo D'Amore <v.dam...@gmail.com>
Subject Re: [users@httpd] htpasswd permissions
Date Thu, 04 Jul 2013 07:44:10 GMT
Hi,

together with User directive there should be defined also the Group directive.
I'm not sure if you double checked it, are they both defined?

User apache
Group apache

Just another thing, maybe a silly question, have you checked if there is a symbolic link in
the path ?

/www/etc/apache/config/htpasswd

Best regards,
Vincenzo


On 03/lug/2013, at 20:03, "Isenhower, Dave" <dave.isenhower@siemens.com> wrote:

> We’re running prefork.  I can see the processes running under the correct user:
>  
> $ ps -ef | grep httpd
> apache 14638 26766  0 11:32 ?        00:00:00 /usr/sbin/httpd -d /www/etc/apache/config
-c Pidfile /web/logs/pid-files/httpd.pid -f /www/etc/apache/config/httpd.conf
>  
> $ groups apache
> apache : apache
>  
> Even adding read and execute to others on the config directory isn’t sufficient.  I
still have to add read to the htpasswd file itself.
>  
> Thanks,
> Dave
>  
> From: Vincenzo D'Amore [mailto:v.damore@gmail.com] 
> Sent: Wednesday, July 03, 2013 1:49 PM
> To: users@httpd.apache.org
> Cc: users@httpd.apache.org
> Subject: Re: [users@httpd] htpasswd permissions
>  
> Hi,
>  
> May be you should double check what MPM are you using and if the User directive is supported.
> http://httpd.apache.org/docs/2.2/mod/mpm_common.html#user
> 
> 
> I don't know exactly why you're experiencing this problem but if you grant the execute
permission to others at config directory this shouldn't lead in any security issue.
>  
> Best regards,
> Vincenzo
>  
>  
> 
> On 03/lug/2013, at 18:40, "Isenhower, Dave" <dave.isenhower@siemens.com> wrote:
> 
> Hi,
> 
> I have a an htpasswd file that I want to have locked down so that it cannot be read on
the filesystem by anyone other than the owner and Apache.  Apache is version 2.2.3 running
on RedHat Linux 5.9.  
> 
> The permissions I have set are as follows:
> 
> drwxr-xr-x 6 root     root   4096 May  7 10:19 /www
> drwxrwxr-x 3 webowner apache 4096 May  7 10:03 /www/etc
> drwxrwxr-x 4 webowner apache 4096 Jun  7 18:01 /www/etc/apache
> drwxrwx--- 6 webowner apache 4096 Jun  7 18:01 /www/etc/apache/config
> -rw-rw---- 1 webowner apache 123  Jun  7 18:01 /www/etc/apache/config/htpasswd
> 
> The httpd server starts as root and runs under the apache account as a member of the
apache group.  Under this permission structure, the web server will prompt the user for authentication,
but throws an internal server error after the attempted login.
> 
> The error log shows this:
> 
> [Wed Jul 03 10:58:12 2013] [error] [client 127.0.0.1] (13)Permission denied: Could not
open password file: /www/etc/apache/config/htpasswd
> [Wed Jul 03 10:58:12 2013] [crit] [client 127.0.0.1] configuration error:  couldn't check
user.  No user file?: /restricted/testfile.html
> 
> If I give read access to others on htpasswd (chmod o+r) and the config directory (chmod
o+rx), there's no more internal server error.  Changing the owner from webowner to apache
also resolves the issue.  However, neither of these options meets my needs in terms of file-security.
> 
> I'm stumped and would appreciate any help.
> 
> Thanks,
> Dave
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org

Mime
View raw message