
Re: [suse-security] Apache User Authentication

* Philippe Vogel wrote on Fri, Sep 10, 2004 at 10:31 +0200:
> AuthType Basic

(which means clear text unless https is used, just BTW)

> #use the intended webuser here!
> chown .ht* wwwrun:nogroup

yeah, especially not "nogroup" because that group shouldn't own

> chmod o+r .htaccess
> chmod o+r .htpasswd

I must admit that I also dislike o+r, because trivial passwords
are quickly cracked when the crypt string is known and many
people reuse passwords all over (not only for some web pages
where it may not matter).

I propose to use <webmaster>:<wwwrun> with mode 0640. However,
this depends on whether you have users on the web server, e.g. when they
access ~/public_html or such. Those files should of course belong
to that user :)

> Now you should have password protected Webfolders.
> If not you have to change apache config file which settings can be 
> changed by .htaccess files (there should be an example in the config!).

Yeah, but also take care that by this you don't allow users too
much! If they can add FollowSymLinks (instead of symlinks if owner
match) they can read files the webserver has access to - and who
knows what else :)

> We got a webscript at our university for making .htaccess 
> authentication. You better change .passwd to .htpasswd. Here you find 
> it (german version, but it is self explaining):
> http://www.uni-duisburg.de/HRZ/services/alle/internet/www/htaccess/

It is really amazing what people automate... In the past a
simple $EDITOR was sufficient for administration, now you need a
graphical browser :-) SCNR.
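As an added example that is not part of this thread (my own script, not the university's tool and not anything posted on the list): a small POSIX sh audit that checks the two points made above on a document root. It reports any .htpasswd or .htaccess that is world-readable (the o+r problem, where crypt strings can be harvested by any local user) and any user-editable .htaccess whose Options line switches on bare FollowSymLinks instead of SymLinksIfOwnerMatch. The directory, file names and sample contents are constructed for the demo; it assumes GNU or BSD stat and paths without spaces.

```shell
#!/bin/sh
# Added example, not from the thread: audit .htpasswd/.htaccess permissions
# and Options directives under a web tree. Assumes GNU stat (falls back to
# BSD stat); file paths are constructed and must not contain spaces.

set -f   # no globbing while we split directive lines into words

# Print the octal permission bits of a file, e.g. "640".
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when "other" has no read bit (e.g. 0640), 1 when world-readable.
not_world_readable() {
    case "$(file_mode "$1")" in
        *[4567]) return 1 ;;   # last octal digit has the read bit set
        *)       return 0 ;;
    esac
}

# Return 0 when the given config line is an Options directive that turns
# FollowSymLinks on. Comments and -FollowSymLinks do not count. Matching is
# case-sensitive here; Apache itself accepts any case.
enables_followsymlinks() {
    set -- $1                          # split the line into words
    [ "$1" = "Options" ] || return 1   # not an Options directive
    shift
    for tok; do
        case "$tok" in
            FollowSymLinks|+FollowSymLinks) return 0 ;;
        esac
    done
    return 1
}

# Walk a document root, print findings, and return the number of findings.
audit_tree() {
    findings=0
    for f in $(find "$1" -name '.htpasswd' -o -name '.htaccess'); do
        if ! not_world_readable "$f"; then
            echo "world-readable: $f (mode $(file_mode "$f"))"
            findings=$((findings + 1))
        fi
        case "$f" in
            */.htaccess)
                while IFS= read -r line; do
                    if enables_followsymlinks "$line"; then
                        echo "FollowSymLinks enabled: $f: $line"
                        findings=$((findings + 1))
                    fi
                done < "$f"
                ;;
        esac
    done
    return "$findings"
}

# Demo on a constructed tree: one o+r .htpasswd (placeholder hash, not a
# real crypt string) and one o+r .htaccess that enables FollowSymLinks.
demo() {
    d=$(mktemp -d)
    printf 'alice:$apr1$PLACEHOLDER$notarealhash\n' > "$d/.htpasswd"
    printf 'AuthType Basic\nOptions +FollowSymLinks\nRequire valid-user\n' > "$d/.htaccess"
    chmod 0644 "$d/.htpasswd" "$d/.htaccess"
    audit_tree "$d"
    echo "findings: $?"
    rm -rf "$d"
}
demo
```

The fix for a finding is the one proposed above: `chown <webmaster>:wwwrun .htpasswd .htaccess; chmod 0640 ...` so the server's group can read the file but other local users cannot, and `Options SymLinksIfOwnerMatch` in place of `FollowSymLinks` where users control their own .htaccess.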



This message was generated automatically,
so it bears neither signature nor seal.

Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here