Change relative path for AuthUserFile, perhaps?

[David Harris <dh...@drh.net>]

Hi,

Currently the configuration directive AuthUserFile is taken as relative to
the ServerRoot. Well, in an virtual hosting setup where none of my users has
access to the ServerRoot, this is not really useful. I'd rather have it
relative to the document root or the directory of the .htaccess file.

I think making this relative to the server root was designed to support
people keeping the .htpasswd files out of the document root so that they
can't be downloaded. But this can just as easily done by denying access to
.htpasswd just like .htaccess for all users, which is what I intend to do.

Oh, and if AuthUserFile is changed, then AuthGroupFile should also be
changed.

Are others interested in seeing this change made? Does changing this sound
possible? Any thoughts?

References:
http://www.apache.org/docs/mod/mod_auth.html#authuserfile

Thanks for reading this request!

 - David Harris
   Principal Engineer, DRH Internet Services

RE: Change relative path for AuthUserFile, perhaps?

[David Harris <dh...@drh.net>]

Raymond S Brand wrote:
> Can it be done? Yes. Can it be done compatibly? No. How big an issue is
> compatibility? It's not for my setups (ServerRoot is on a read only
partition).
> I THINK (really a guess) that most Auth*File directives in use use
absolute
> paths but I don't really know.

Compatibility is not an issue for my setup. I'm thinking that to get this
into the next apache release, breaking older setups might be a problem. But
I remember when the command line options changed in a non-reverse-compatible
way, and people were okay with that because it was for the better.

We agree that we want this changed. I wonder if any others like this idea.
It would be nice to hear from any others...

Anyone want to write a patch for this? Alas, I'm too busy right now.

 - David Harris
   Principal Engineer, DRH Internet Services

Re: Change relative path for AuthUserFile, perhaps?

[Raymond S Brand <rs...@rsbx.net>]

David Harris wrote:
> 
...
> 
> I agree. Having the path be relative to the directory of the AccessFile
> which contains the Auth*Files directive is better. That's what I most
> commonly have... a .htaccess and .htpasswd file in the same directory.
> 
> Then adding in blocking for .htpasswd files just like .htaccess files, along
> with a warning on the docs could help with security.
> 
> Can this be done? What about reverse compatibility for other webmasters?

Can it be done? Yes. Can it be done compatibly? No. How big an issue is
compatibility? It's not for my setups (ServerRoot is on a read only partition).
I THINK (really a guess) that most Auth*File directives in use use absolute
paths but I don't really know.

Raymond S Brand

RE: Change relative path for AuthUserFile, perhaps?

[David Harris <dh...@drh.net>]

Raymond S Brand wrote:
> I, personally, would prefer that the Auth*Files be relative to the
> AccessFile directory (with warnings in the documentation) or absolute
paths.
> DocumentRoot is not always meaningful, think about the Alias and UserDir
> directives; ServerRoot can be on a read only partition. This would benefit
> virtual hosting setups and multi department/project setups of the kind
I've
> been doing.

I agree. Having the path be relative to the directory of the AccessFile
which contains the Auth*Files directive is better. That's what I most
commonly have... a .htaccess and .htpasswd file in the same directory.

Then adding in blocking for .htpasswd files just like .htaccess files, along
with a warning on the docs could help with security.

Can this be done? What about reverse compatibility for other webmasters?

 - David Harris
   Principal Engineer, DRH Internet Services

Re: Change relative path for AuthUserFile, perhaps?

[Raymond S Brand <rs...@rsbx.net>]

Actually, all of the Auth*File directives are documented as taking absolute
paths, with Auth{File|Group}File also taking paths relative to ServerRoot.

I seem to recall that the original behavior of the Auth*File directives was
that they were relative to AccessFile directory and that the behavior was
changed because people were allowing their passwd files to be served. Some-
one with access to the CVS history could look that up.

I, personally, would prefer that the Auth*Files be relative to the
AccessFile directory (with warnings in the documentation) or absolute paths.
DocumentRoot is not always meaningful, think about the Alias and UserDir
directives; ServerRoot can be on a read only partition. This would benefit
virtual hosting setups and multi department/project setups of the kind I've
been doing.

Raymond S Brand


David Harris wrote:
> 
> Hi,
> 
> Currently the configuration directive AuthUserFile is taken as relative to
> the ServerRoot. Well, in an virtual hosting setup where none of my users has
> access to the ServerRoot, this is not really useful. I'd rather have it
> relative to the document root or the directory of the .htaccess file.
> 
> I think making this relative to the server root was designed to support
> people keeping the .htpasswd files out of the document root so that they
> can't be downloaded. But this can just as easily done by denying access to
> .htpasswd just like .htaccess for all users, which is what I intend to do.
> 
> Oh, and if AuthUserFile is changed, then AuthGroupFile should also be
> changed.
> 
> Are others interested in seeing this change made? Does changing this sound
> possible? Any thoughts?
> 
> References:
> http://www.apache.org/docs/mod/mod_auth.html#authuserfile
> 
> Thanks for reading this request!
> 
>  - David Harris
>    Principal Engineer, DRH Internet Services

RE: Change relative path for AuthUserFile, perhaps?

[David Harris <dh...@drh.net>]

I can't argue that having the password files outside of the DocumentRoot is
more fundamentally secure. However, I'm willing to trade some security for
some convenience here. And I think I can get most of my users to used a
blocked filename for their password files... they follow directions pretty
well.

But I don't think I'm giving up that much security in this ISP environment.
The files are not that secure, because in the UNIX permission world they are
global readable. Someone can just buy an account on that system and then
read the "secure" files.

I can't expect everyone to want the tradeoff that I do. I'm just thinking
that more people toss the .htaccess and password file in the same directory,
so a relative pathname might make it easier for these people. If we do this
change, you are still free to keep your password files out of the
DocumentRoot.

It's no biggie... just something that has annoyed me over the years with
Apache. (he, he.. and I'm probably spending more time lobbying for the
change than I will writing out full pathnames for Auth*File directives in
the next ten years.)

 - David Harris
   Principal Engineer, DRH Internet Services


-----Original Message-----
From:	new-httpd-owner@apache.org [mailto:new-httpd-owner@apache.org] On
Behalf Of unknown@riverstyx.net
Sent:	Thursday, May 13, 1999 12:29 AM
To:	new-httpd@apache.org
Subject:	RE: Change relative path for AuthUserFile, perhaps?

Why not just keep your password files outside of your document tree?  It's
a good practise to get into, give multiple layers of security.  For
example, if AllowOverride becomes None, your password file is now
viewable.  Or if someone goes and changes your web server to a slightly
different type, which still supports .htaccess files (like Zeus, or a
patched thttpd that I saw somewhere).  That won't happen to you, but it
could happen if some ISP decides to change their system, and now they've
got a big problem.  Plus, not everyone calls the file .htpasswd, some call
it .passwd or .passwrd, or infinite variations.  You could account for all
of them, or send out a memo detailing this precaution, but it'd be better
IMHO to just stick to a pre-established, more fundamentally secure
philosophy.

---
tani hosokawa
river styx internet

RE: Change relative path for AuthUserFile, perhaps?

[un...@riverstyx.net]

Why not just keep your password files outside of your document tree?  It's
a good practise to get into, give multiple layers of security.  For
example, if AllowOverride becomes None, your password file is now
viewable.  Or if someone goes and changes your web server to a slightly
different type, which still supports .htaccess files (like Zeus, or a
patched thttpd that I saw somewhere).  That won't happen to you, but it
could happen if some ISP decides to change their system, and now they've
got a big problem.  Plus, not everyone calls the file .htpasswd, some call
it .passwd or .passwrd, or infinite variations.  You could account for all
of them, or send out a memo detailing this precaution, but it'd be better
IMHO to just stick to a pre-established, more fundamentally secure
philosophy.

---
tani hosokawa
river styx internet


On Wed, 12 May 1999, David Harris wrote:

> 
> unknown@riverstyx.net wrote:
> > Is that really necessary?  If you go that route, you'll need to add a
> > (normally) unnecessary <file .htpasswd> directive to httpd.conf.  it's
> > still possible for the users to use .htpasswd files since they can just
> > specify an absolute path.
> 
> Well, every .htpasswd file I see is in the same directory as the .htaccess
> file... so specifying the full path gets annoying. I really hate moving a
> directory and then having things break because of absolute pathnames. I
> think the interpretation should be relative because the setup is usually
> relative.
> 
> I don't see the <file .htpasswd> directive as a problem. It's actually
> beside the point, because my .htpasswd files are already inside the
> DocumentRoot... it's a prudent thing to do even if Auth*File is not relative
> to the .htaccess file.
> 
>  - David Harris
>    Principal Engineer, DRH Internet Services
> 
> 
> -----Original Message-----
> From:	new-httpd-owner@apache.org [mailto:new-httpd-owner@apache.org] On
> Behalf Of unknown@riverstyx.net
> Sent:	Wednesday, May 12, 1999 11:37 PM
> To:	new-httpd@apache.org
> Subject:	Re: Change relative path for AuthUserFile, perhaps?
> 
> Is that really necessary?  If you go that route, you'll need to add a
> (normally) unnecessary <file .htpasswd> directive to httpd.conf.  it's
> still possible for the users to use .htpasswd files since they can just
> specify an absolute path.
> 
> ---
> tani hosokawa
> river styx internet
> 
> 

RE: Change relative path for AuthUserFile, perhaps?

[David Harris <dh...@drh.net>]

unknown@riverstyx.net wrote:
> Is that really necessary?  If you go that route, you'll need to add a
> (normally) unnecessary <file .htpasswd> directive to httpd.conf.  it's
> still possible for the users to use .htpasswd files since they can just
> specify an absolute path.

Well, every .htpasswd file I see is in the same directory as the .htaccess
file... so specifying the full path gets annoying. I really hate moving a
directory and then having things break because of absolute pathnames. I
think the interpretation should be relative because the setup is usually
relative.

I don't see the <file .htpasswd> directive as a problem. It's actually
beside the point, because my .htpasswd files are already inside the
DocumentRoot... it's a prudent thing to do even if Auth*File is not relative
to the .htaccess file.

 - David Harris
   Principal Engineer, DRH Internet Services


-----Original Message-----
From:	new-httpd-owner@apache.org [mailto:new-httpd-owner@apache.org] On
Behalf Of unknown@riverstyx.net
Sent:	Wednesday, May 12, 1999 11:37 PM
To:	new-httpd@apache.org
Subject:	Re: Change relative path for AuthUserFile, perhaps?

Is that really necessary?  If you go that route, you'll need to add a
(normally) unnecessary <file .htpasswd> directive to httpd.conf.  it's
still possible for the users to use .htpasswd files since they can just
specify an absolute path.

---
tani hosokawa
river styx internet

Re: Change relative path for AuthUserFile, perhaps?

[un...@riverstyx.net]

Is that really necessary?  If you go that route, you'll need to add a
(normally) unnecessary <file .htpasswd> directive to httpd.conf.  it's
still possible for the users to use .htpasswd files since they can just
specify an absolute path.

---
tani hosokawa
river styx internet


On Wed, 12 May 1999, David Harris wrote:

> Hi,
> 
> Currently the configuration directive AuthUserFile is taken as relative to
> the ServerRoot. Well, in an virtual hosting setup where none of my users has
> access to the ServerRoot, this is not really useful. I'd rather have it
> relative to the document root or the directory of the .htaccess file.
> 
> I think making this relative to the server root was designed to support
> people keeping the .htpasswd files out of the document root so that they
> can't be downloaded. But this can just as easily done by denying access to
> .htpasswd just like .htaccess for all users, which is what I intend to do.
> 
> Oh, and if AuthUserFile is changed, then AuthGroupFile should also be
> changed.
> 
> Are others interested in seeing this change made? Does changing this sound
> possible? Any thoughts?
> 
> References:
> http://www.apache.org/docs/mod/mod_auth.html#authuserfile
> 
> Thanks for reading this request!
> 
>  - David Harris
>    Principal Engineer, DRH Internet Services
> 
>