Posted to users@httpd.apache.org by "Victor B. Gonzalez" <ap...@vbgunz.com> on 2003/06/13 04:17:53 UTC

[users@httpd] Authentication/Authorization feature or bug?

Hello Apache,

  I am pretty sure maybe I am doing something wrong on my part. If
  someone knows my name they can on my machine easily change my
  password without knowing the original password...

  Is this the case? I tried to change my password and it just asked to
  change it without knowing the original. Is this a feature or a bug?

  I can also see if they get to the password files they can delete
  them too... OK, no biggie but can I make a backup file without
  manually backing it up?

  Just curious about the last part but concerned a little about the
  first question.

-- 
Best regards,
 Victor B. Gonzalez                          

apache_2.0.46-win32-x86-no_src
Windows XP 5.1 Build 2600 Service Pack 1


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: Re[2]: [users@httpd] Authentication/Authorization feature or bug?

Posted by Robert Andersson <ro...@profundis.nu>.
Victor B. Gonzalez wrote:
> I am sorry. I mean if I use htpasswd.exe through the command line and
> set a password for myself anyone else can through the command line
> change my password without knowing the original...

Anyone that can execute htpasswd and has write permissions on the password
file can do just about anything with it. It is up to you to make sure no one
has access to the utility and/or those permissions.

Regards,
Robert Andersson
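
The write-permission point in the reply above can be checked on a current Windows host with PowerShell. This is an added example, not part of the original thread; the function name `Get-HtpasswdWriter` and the trusted-account list are assumptions, and a temporary file with a constructed entry stands in for the real password file.

```powershell
# Added example: list principals whose ACL entries let them rewrite or remove
# an htpasswd file. $Trusted is an assumed allow list; adjust it to the
# accounts that are meant to manage the file.
function Get-HtpasswdWriter {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )

    # Rights that allow changing, replacing or deleting the file, or
    # re-granting access to it. DeleteSubdirectoriesAndFiles matters when
    # the function is pointed at the directory that holds the file.
    $risky = [System.Security.AccessControl.FileSystemRights](
        'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ' +
        'ChangePermissions, TakeOwnership')

    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band ([int]$risky)) -ne 0 -and
            $Trusted -notcontains $_.IdentityReference.Value
        } |
        Select-Object @{ n = 'Principal'; e = { $_.IdentityReference.Value } },
                      FileSystemRights, IsInherited
}

# Constructed sample: a temporary file with a placeholder entry.
$sample = New-TemporaryFile
'victor:$apr1$constructed$placeholderhash' | Set-Content -LiteralPath $sample

# Every row returned is an account that could run htpasswd against the file
# and change any user's password without knowing the old one.
Get-HtpasswdWriter -Path $sample | Format-Table -AutoSize

Remove-Item -LiteralPath $sample
```

Deletion can also be granted through the parent directory's ACL, so run the same function against the directory that holds the password file.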




Re: Re[2]: [users@httpd] Authentication/Authorization feature or bug?

Posted by Robert Andersson <ro...@profundis.nu>.
Sorry, forgot to answer this one:

Victor B. Gonzalez wrote:
>   I can also see if they get to the password files they can delete
>   them too... OK, no biggie but can I make a backup file without
>   manually backing it up?

Not sure what you mean by "manually backing it up" in this context. There is
no native automatic backup feature associated with htpasswd. But yes, they
are regular files so you can copy and replace them at your discretion.

Regards,
Robert Andersson




Re[2]: [users@httpd] Authentication/Authorization feature or bug?

Posted by "Victor B. Gonzalez" <ap...@vbgunz.com>.
Hello Robert,

>>   I am pretty sure maybe I am doing something wrong on my part. If
>>   someone knows my name they can on my machine easily change my
>>   password without knowing the original password...

RA> In what way does this relate to Apache? And, if you are talking about your
RA> Windows user account, this is probably not the best place to ask ;-).

>>   ...snip...

RA> I'm sorry, I cannot really see what you are asking here. If this indeed does
RA> relate to Apache, please elaborate on your question(s).

I am sorry. I mean if I use htpasswd.exe through the command line and
set a password for myself anyone else can through the command line
change my password without knowing the original...

I guess it is not a big deal if someone can do much more harm simply
deleting the password files altogether...

Thank you

-- 
Best regards,
 Victor B. Gonzalez                          

apache_2.0.46-win32-x86-no_src
Windows XP 5.1 Build 2600 Service Pack 1




Re: [users@httpd] user dir for user home directory

Posted by Joshua Slive <jo...@slive.ca>.
On Thu, 12 Jun 2003, Suba Arunkumar wrote:
> Even after this step if I go to Http://127.0.0.1/~user
>
> it doesn't work. I have virtual host settings and all
> of my virtual hosts are working.
>
> In the error log it's showing that the webpage is
> trying to access the user home dir from the apache
> document root.

Start by looking at the UserDir directive, both in httpd.conf and in
the documentation.

Joshua.



Re: [users@httpd] user dir for user home directory

Posted by Robert Andersson <ro...@profundis.nu>.
Suba Arunkumar wrote:
> <Directory /home/*/public_html>
>     AllowOverride FileInfo AuthConfig Limit
>     Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
>     <Limit GET POST OPTIONS PROPFIND>
>         Order allow,deny
>         Allow from all
>     </Limit>
>     <LimitExcept GET POST OPTIONS PROPFIND>
>         Order deny,allow
>         Deny from all
>     </LimitExcept>
> </Directory>
>
> Even after this step if I go to Http://127.0.0.1/~user
>
> it doesn't work. I have virtual host settings and all
> of my virtual hosts are working.

Is mod_userdir loaded or compiled in? What platform and Apache version are
you using?

Regards,
Robert Andersson




[users@httpd] user dir for user home directory

Posted by Suba Arunkumar <su...@yahoo.com>.
I am trying to activate the user dir for user home
directory by uncommenting the lines for user dir. 

<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS PROPFIND>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS PROPFIND>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

Even after this step if I go to Http://127.0.0.1/~user

it doesn't work. I have virtual host settings and all
of my virtual hosts are working. 

In the error log it's showing that the webpage is
trying to access the user home dir from the apache
document root.

Any suggestion please?

Regards



Re: [users@httpd] Authentication/Authorization feature or bug?

Posted by Robert Andersson <ro...@profundis.nu>.
Victor B. Gonzalez wrote:
> apache_2.0.46-win32-x86-no_src
> Windows XP 5.1 Build 2600 Service Pack 1

I take it this is your platform?

>   I am pretty sure maybe I am doing something wrong on my part. If
>   someone knows my name they can on my machine easily change my
>   password without knowing the original password...

In what way does this relate to Apache? And, if you are talking about your
Windows user account, this is probably not the best place to ask ;-).

>   ...snip...

I'm sorry, I cannot really see what you are asking here. If this indeed does
relate to Apache, please elaborate on your question(s).


Regards,
Robert Andersson

