You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by "Isenhower, Dave" <da...@siemens.com> on 2013/07/03 18:40:21 UTC
[users@httpd] htpasswd permissions
Hi,
I have a an htpasswd file that I want to have locked down so that it cannot be read on the filesystem by anyone other than the owner and Apache. Apache is version 2.2.3 running on RedHat Linux 5.9.
The permissions I have set are as follows:
drwxr-xr-x 6 root root 4096 May 7 10:19 /www
drwxrwxr-x 3 webowner apache 4096 May 7 10:03 /www/etc
drwxrwxr-x 4 webowner apache 4096 Jun 7 18:01 /www/etc/apache
drwxrwx--- 6 webowner apache 4096 Jun 7 18:01 /www/etc/apache/config
-rw-rw---- 1 webowner apache 123 Jun 7 18:01 /www/etc/apache/config/htpasswd
The httpd server starts as root and runs under the apache account as a member of the apache group. Under this permission structure, the web server will prompt the user for authentication, but throws an internal server error after the attempted login.
The error log shows this:
[Wed Jul 03 10:58:12 2013] [error] [client 127.0.0.1] (13)Permission denied: Could not open password file: /www/etc/apache/config/htpasswd
[Wed Jul 03 10:58:12 2013] [crit] [client 127.0.0.1] configuration error: couldn't check user. No user file?: /restricted/testfile.html
If I give read access to others on htpasswd (chmod o+r) and the config directory (chmod o+rx), there's no more internal server error. Changing the owner from webowner to apache also resolves the issue. However, neither of these options meets my needs in terms of file-security.
I'm stumped and would appreciate any help.
Thanks,
Dave
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] htpasswd permissions
Posted by Vincenzo D'Amore <v....@gmail.com>.
Hi,
together with User directive there should be defined also the Group directive.
I'm not sure if you double checked it, are they both defined?
User apache
Group apache
Just another thing, maybe a silly question, have you checked if there is a symbolic link in the path ?
/www/etc/apache/config/htpasswd
Best regards,
Vincenzo
On 03/lug/2013, at 20:03, "Isenhower, Dave" <da...@siemens.com> wrote:
> We’re running prefork. I can see the processes running under the correct user:
>
> $ ps -ef | grep httpd
> apache 14638 26766 0 11:32 ? 00:00:00 /usr/sbin/httpd -d /www/etc/apache/config -c Pidfile /web/logs/pid-files/httpd.pid -f /www/etc/apache/config/httpd.conf
>
> $ groups apache
> apache : apache
>
> Even adding read and execute to others on the config directory isn’t sufficient. I still have to add read to the htpasswd file itself.
>
> Thanks,
> Dave
>
> From: Vincenzo D'Amore [mailto:v.damore@gmail.com]
> Sent: Wednesday, July 03, 2013 1:49 PM
> To: users@httpd.apache.org
> Cc: users@httpd.apache.org
> Subject: Re: [users@httpd] htpasswd permissions
>
> Hi,
>
> May be you should double check what MPM are you using and if the User directive is supported.
> http://httpd.apache.org/docs/2.2/mod/mpm_common.html#user
>
>
> I don't know exactly why you're experiencing this problem but if you grant the execute permission to others at config directory this shouldn't lead in any security issue.
>
> Best regards,
> Vincenzo
>
>
>
> On 03/lug/2013, at 18:40, "Isenhower, Dave" <da...@siemens.com> wrote:
>
> Hi,
>
> I have a an htpasswd file that I want to have locked down so that it cannot be read on the filesystem by anyone other than the owner and Apache. Apache is version 2.2.3 running on RedHat Linux 5.9.
>
> The permissions I have set are as follows:
>
> drwxr-xr-x 6 root root 4096 May 7 10:19 /www
> drwxrwxr-x 3 webowner apache 4096 May 7 10:03 /www/etc
> drwxrwxr-x 4 webowner apache 4096 Jun 7 18:01 /www/etc/apache
> drwxrwx--- 6 webowner apache 4096 Jun 7 18:01 /www/etc/apache/config
> -rw-rw---- 1 webowner apache 123 Jun 7 18:01 /www/etc/apache/config/htpasswd
>
> The httpd server starts as root and runs under the apache account as a member of the apache group. Under this permission structure, the web server will prompt the user for authentication, but throws an internal server error after the attempted login.
>
> The error log shows this:
>
> [Wed Jul 03 10:58:12 2013] [error] [client 127.0.0.1] (13)Permission denied: Could not open password file: /www/etc/apache/config/htpasswd
> [Wed Jul 03 10:58:12 2013] [crit] [client 127.0.0.1] configuration error: couldn't check user. No user file?: /restricted/testfile.html
>
> If I give read access to others on htpasswd (chmod o+r) and the config directory (chmod o+rx), there's no more internal server error. Changing the owner from webowner to apache also resolves the issue. However, neither of these options meets my needs in terms of file-security.
>
> I'm stumped and would appreciate any help.
>
> Thanks,
> Dave
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
RE: [users@httpd] htpasswd permissions
Posted by "Isenhower, Dave" <da...@siemens.com>.
Jens and Vincenzo,
You both got me on the right track. Yes, there was a Group directive that was set to "nobody". I didn't even realize that the processes could run under a group that the User was not a member of.
Once I updated the Group to "apache", everything worked fine!
Thanks!
Dave
-----Original Message-----
From: Jens-U. Mozdzen [mailto:jmozdzen@nde.ag]
Sent: Thursday, July 04, 2013 5:29 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] htpasswd permissions
Hi Dave,
Zitat von "Isenhower, Dave" <da...@siemens.com>:
> We’re running prefork. I can see the processes running under the
> correct user:
>
> $ ps -ef | grep httpd
> apache 14638 26766 0 11:32 ? 00:00:00 /usr/sbin/httpd -d
> /www/etc/apache/config -c Pidfile /web/logs/pid-files/httpd.pid -f
> /www/etc/apache/config/httpd.conf
>
> $ groups apache
> apache : apache
>
> Even adding read and execute to others on the config directory isn’t
> sufficient. I still have to add read to the htpasswd file itself.
>
> Thanks,
> Dave
have you double-checked the effective user/group of your processes?
# ps -ax -o pid,euser,egroup,args|grep httpd
Regards,
Jens
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] htpasswd permissions
Posted by "Jens-U. Mozdzen" <jm...@nde.ag>.
Hi Dave,
Zitat von "Isenhower, Dave" <da...@siemens.com>:
> We’re running prefork. I can see the processes running under the
> correct user:
>
> $ ps -ef | grep httpd
> apache 14638 26766 0 11:32 ? 00:00:00 /usr/sbin/httpd -d
> /www/etc/apache/config -c Pidfile /web/logs/pid-files/httpd.pid -f
> /www/etc/apache/config/httpd.conf
>
> $ groups apache
> apache : apache
>
> Even adding read and execute to others on the config directory isn’t
> sufficient. I still have to add read to the htpasswd file itself.
>
> Thanks,
> Dave
have you double-checked the effective user/group of your processes?
# ps -ax -o pid,euser,egroup,args|grep httpd
Regards,
Jens
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: [users@httpd] htpasswd permissions
Posted by "Isenhower, Dave" <da...@siemens.com>.
We’re running prefork. I can see the processes running under the correct user:
$ ps -ef | grep httpd
apache 14638 26766 0 11:32 ? 00:00:00 /usr/sbin/httpd -d /www/etc/apache/config -c Pidfile /web/logs/pid-files/httpd.pid -f /www/etc/apache/config/httpd.conf
$ groups apache
apache : apache
Even adding read and execute to others on the config directory isn’t sufficient. I still have to add read to the htpasswd file itself.
Thanks,
Dave
From: Vincenzo D'Amore [mailto:v.damore@gmail.com]
Sent: Wednesday, July 03, 2013 1:49 PM
To: users@httpd.apache.org
Cc: users@httpd.apache.org
Subject: Re: [users@httpd] htpasswd permissions
Hi,
May be you should double check what MPM are you using and if the User directive is supported.
http://httpd.apache.org/docs/2.2/mod/mpm_common.html#user
I don't know exactly why you're experiencing this problem but if you grant the execute permission to others at config directory this shouldn't lead in any security issue.
Best regards,
Vincenzo
On 03/lug/2013, at 18:40, "Isenhower, Dave" <da...@siemens.com>> wrote:
Hi,
I have a an htpasswd file that I want to have locked down so that it cannot be read on the filesystem by anyone other than the owner and Apache. Apache is version 2.2.3 running on RedHat Linux 5.9.
The permissions I have set are as follows:
drwxr-xr-x 6 root root 4096 May 7 10:19 /www
drwxrwxr-x 3 webowner apache 4096 May 7 10:03 /www/etc
drwxrwxr-x 4 webowner apache 4096 Jun 7 18:01 /www/etc/apache
drwxrwx--- 6 webowner apache 4096 Jun 7 18:01 /www/etc/apache/config
-rw-rw---- 1 webowner apache 123 Jun 7 18:01 /www/etc/apache/config/htpasswd
The httpd server starts as root and runs under the apache account as a member of the apache group. Under this permission structure, the web server will prompt the user for authentication, but throws an internal server error after the attempted login.
The error log shows this:
[Wed Jul 03 10:58:12 2013] [error] [client 127.0.0.1] (13)Permission denied: Could not open password file: /www/etc/apache/config/htpasswd
[Wed Jul 03 10:58:12 2013] [crit] [client 127.0.0.1] configuration error: couldn't check user. No user file?: /restricted/testfile.html
If I give read access to others on htpasswd (chmod o+r) and the config directory (chmod o+rx), there's no more internal server error. Changing the owner from webowner to apache also resolves the issue. However, neither of these options meets my needs in terms of file-security.
I'm stumped and would appreciate any help.
Thanks,
Dave
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org<ma...@httpd.apache.org>
For additional commands, e-mail: users-help@httpd.apache.org<ma...@httpd.apache.org>
Re: [users@httpd] htpasswd permissions
Posted by Vincenzo D'Amore <v....@gmail.com>.
Hi,
May be you should double check what MPM are you using and if the User directive is supported.
http://httpd.apache.org/docs/2.2/mod/mpm_common.html#user
I don't know exactly why you're experiencing this problem but if you grant the execute permission to others at config directory this shouldn't lead in any security issue.
Best regards,
Vincenzo
On 03/lug/2013, at 18:40, "Isenhower, Dave" <da...@siemens.com> wrote:
> Hi,
>
> I have a an htpasswd file that I want to have locked down so that it cannot be read on the filesystem by anyone other than the owner and Apache. Apache is version 2.2.3 running on RedHat Linux 5.9.
>
> The permissions I have set are as follows:
>
> drwxr-xr-x 6 root root 4096 May 7 10:19 /www
> drwxrwxr-x 3 webowner apache 4096 May 7 10:03 /www/etc
> drwxrwxr-x 4 webowner apache 4096 Jun 7 18:01 /www/etc/apache
> drwxrwx--- 6 webowner apache 4096 Jun 7 18:01 /www/etc/apache/config
> -rw-rw---- 1 webowner apache 123 Jun 7 18:01 /www/etc/apache/config/htpasswd
>
> The httpd server starts as root and runs under the apache account as a member of the apache group. Under this permission structure, the web server will prompt the user for authentication, but throws an internal server error after the attempted login.
>
> The error log shows this:
>
> [Wed Jul 03 10:58:12 2013] [error] [client 127.0.0.1] (13)Permission denied: Could not open password file: /www/etc/apache/config/htpasswd
> [Wed Jul 03 10:58:12 2013] [crit] [client 127.0.0.1] configuration error: couldn't check user. No user file?: /restricted/testfile.html
>
> If I give read access to others on htpasswd (chmod o+r) and the config directory (chmod o+rx), there's no more internal server error. Changing the owner from webowner to apache also resolves the issue. However, neither of these options meets my needs in terms of file-security.
>
> I'm stumped and would appreciate any help.
>
> Thanks,
> Dave
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
RE: [users@httpd] htpasswd permissions
Posted by "Isenhower, Dave" <da...@siemens.com>.
No, SELinux is disabled.
-----Original Message-----
From: laurence.schuler [mailto:laurence.schuler@nasa.gov]
Sent: Wednesday, July 03, 2013 1:43 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] htpasswd permissions
On 07/03/2013 12:40 PM, Isenhower, Dave wrote:
> Hi,
>
> I have a an htpasswd file that I want to have locked down so that it cannot be read on the filesystem by anyone other than the owner and Apache. Apache is version 2.2.3 running on RedHat Linux 5.9.
>
> The permissions I have set are as follows:
>
> drwxr-xr-x 6 root root 4096 May 7 10:19 /www
> drwxrwxr-x 3 webowner apache 4096 May 7 10:03 /www/etc drwxrwxr-x 4
> webowner apache 4096 Jun 7 18:01 /www/etc/apache
> drwxrwx--- 6 webowner apache 4096 Jun 7 18:01 /www/etc/apache/config
> -rw-rw---- 1 webowner apache 123 Jun 7 18:01
> /www/etc/apache/config/htpasswd
>
> The httpd server starts as root and runs under the apache account as a member of the apache group. Under this permission structure, the web server will prompt the user for authentication, but throws an internal server error after the attempted login.
>
> The error log shows this:
>
> [Wed Jul 03 10:58:12 2013] [error] [client 127.0.0.1] (13)Permission
> denied: Could not open password file: /www/etc/apache/config/htpasswd
> [Wed Jul 03 10:58:12 2013] [crit] [client 127.0.0.1] configuration
> error: couldn't check user. No user file?: /restricted/testfile.html
>
> If I give read access to others on htpasswd (chmod o+r) and the config directory (chmod o+rx), there's no more internal server error. Changing the owner from webowner to apache also resolves the issue. However, neither of these options meets my needs in terms of file-security.
>
> I'm stumped and would appreciate any help.
>
> Thanks,
> Dave
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
Are you using SELinux?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] htpasswd permissions
Posted by "laurence.schuler" <la...@nasa.gov>.
On 07/03/2013 12:40 PM, Isenhower, Dave wrote:
> Hi,
>
> I have a an htpasswd file that I want to have locked down so that it cannot be read on the filesystem by anyone other than the owner and Apache. Apache is version 2.2.3 running on RedHat Linux 5.9.
>
> The permissions I have set are as follows:
>
> drwxr-xr-x 6 root root 4096 May 7 10:19 /www
> drwxrwxr-x 3 webowner apache 4096 May 7 10:03 /www/etc
> drwxrwxr-x 4 webowner apache 4096 Jun 7 18:01 /www/etc/apache
> drwxrwx--- 6 webowner apache 4096 Jun 7 18:01 /www/etc/apache/config
> -rw-rw---- 1 webowner apache 123 Jun 7 18:01 /www/etc/apache/config/htpasswd
>
> The httpd server starts as root and runs under the apache account as a member of the apache group. Under this permission structure, the web server will prompt the user for authentication, but throws an internal server error after the attempted login.
>
> The error log shows this:
>
> [Wed Jul 03 10:58:12 2013] [error] [client 127.0.0.1] (13)Permission denied: Could not open password file: /www/etc/apache/config/htpasswd
> [Wed Jul 03 10:58:12 2013] [crit] [client 127.0.0.1] configuration error: couldn't check user. No user file?: /restricted/testfile.html
>
> If I give read access to others on htpasswd (chmod o+r) and the config directory (chmod o+rx), there's no more internal server error. Changing the owner from webowner to apache also resolves the issue. However, neither of these options meets my needs in terms of file-security.
>
> I'm stumped and would appreciate any help.
>
> Thanks,
> Dave
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
Are you using SELinux?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org