Posted to users@httpd.apache.org by Gunter Sammet <Gu...@SammySolutions.com> on 2002/08/30 19:25:53 UTC

[users@httpd] htpasswd security question

Hello all:
I wrote a script in PHP which pulls users and passwords from a DB and writes
to the htpasswd file. In order to get this going, I had to make the
/.htpasswd/<subfolder>/ world writeable (did 777).
My concern would be security. Are there any security threats if this folder
is world readable? AFAIK, this folder shouldn't be accessible through the
web server since it isn't in the public_html directory. But I am a newbie in
security, so I am not sure if this could be hacked.
If it is, how could I get the PHP script to create the file with 700 or any
other secure settings?
TIA

Gunter


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] htpasswd security question

Posted by Jacob Coby <jc...@listingbook.com>.
> Hello all:
> I wrote a script in PHP which pulls users and passwords from a DB and writes
> to the htpasswd file. In order to get this going, I had to make the
> /.htpasswd/<subfolder>/ world writeable (did 777).
> My concern would be security. Are there any security threats if this folder
> is world readable? AFAIK, this folder shouldn't be accessible through the
> web server since it isn't in the public_html directory. But I am a newbie in
> security, so I am not sure if this could be hacked.
> If it is, how could I get the PHP script to create the file with 700 or any
> other secure settings?
> TIA

Make apache run as nobody, chown /.htpasswd/<subfolder>/  to be
nobody.nobody and perms to be 700.

When you've created/updated the file through php, chmod($filename, 0700);
This way, only the webserver can read your htaccess dir, and no other users.

By default, files in php are written using the owner.group that the caller
runs as (normally nobody.nobody).  There is a setting in php.ini that sets
the default perms of a new file.

PHP does have a chown() function, but you really don't want to enable it if
you allow any of your users to run php.

-Jacob
http://www.listingbook.com
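The reply above describes the fix in prose; here is an added example (not code from either poster) of a PHP routine that writes the htpasswd file the way the reply recommends, without ever leaving it in a state another local user can read or replace. The real risk with a 777 directory is not the web server but other accounts on the same host: anyone can drop a replacement htpasswd file containing their own credentials. Assumptions: the directory is owned by the account the server runs as (e.g. nobody) and is already mode 0700; the target path and the sample user list are constructed for illustration; and the server validates bcrypt hashes, which Apache 2.4.4 and later do (for older servers substitute the hash scheme your version accepts). The file is created through a restrictive umask, set to 0600 (a data file needs no execute bit), and then renamed into place so readers never see a partial file.

```php
<?php
// Added example, not from the original thread. Writes user:hash lines to an
// htpasswd file with owner-only permissions and an atomic replace.

function write_htpasswd(string $path, array $users): void
{
    $dir = realpath(dirname($path));
    if ($dir === false) {
        throw new RuntimeException("directory for $path does not exist");
    }

    // Refuse to write into a directory that other accounts can modify; a 777
    // directory lets any local user swap in a file with their own passwords.
    if (fileperms($dir) & 0022) {
        throw new RuntimeException("$dir is group- or world-writable; chmod 0700 it first");
    }

    $lines = '';
    foreach ($users as $name => $password) {
        // The format is line-oriented "user:hash"; a ':' or newline in a
        // username taken from the DB would inject an extra record.
        if (!preg_match('/^[^:\r\n]+$/', $name)) {
            throw new InvalidArgumentException("invalid username: $name");
        }
        $hash = password_hash($password, PASSWORD_BCRYPT); // $2y$..., accepted by Apache 2.4.4+
        $lines .= "$name:$hash\n";
    }

    // The process umask, not a php.ini directive, decides the mode of files
    // PHP creates; 077 means anything created below starts as 0600.
    $oldUmask = umask(077);
    $tmp = false;
    try {
        // tempnam() silently falls back to the system temp dir if $dir is not
        // writable by us, which would defeat the atomic rename; check for it.
        $tmp = tempnam($dir, '.htpasswd.');
        if ($tmp === false || realpath(dirname($tmp)) !== $dir) {
            throw new RuntimeException("cannot create temp file in $dir");
        }
        if (file_put_contents($tmp, $lines) !== strlen($lines)) {
            throw new RuntimeException("short write to $tmp");
        }
        chmod($tmp, 0600); // owner read/write only; no execute bit on a data file
        if (!rename($tmp, $path)) { // atomic: old file stays valid until this succeeds
            throw new RuntimeException("cannot rename $tmp to $path");
        }
        $tmp = false;
    } finally {
        umask($oldUmask);
        if ($tmp !== false && is_file($tmp)) {
            unlink($tmp);
        }
    }
}

// Returns the permission bits of $path as an octal string, e.g. "0600",
// so the result can be checked after writing.
function mode_of(string $path): string
{
    return substr(sprintf('%04o', fileperms($path)), -4);
}

// Constructed sample input standing in for the rows pulled from the DB.
$sampleUsers = [
    'alice' => 'correct horse battery staple',
    'bob'   => 'hunter2',
];

// Usage from the command line: php write_htpasswd.php /var/www/.htpasswd/site1/htpasswd
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    write_htpasswd($argv[1], $sampleUsers);
    echo $argv[1], ' written with mode ', mode_of($argv[1]), "\n";
}
```

Because the file ends up owned by the server account with mode 0600, Apache can still read it (it runs as that account, per the User directive the reply refers to), while other shell or CGI users on the host cannot read the hashes or replace the file. The directory itself stays 0700 as the reply suggests; the only thing that needed to be world-writable in the original setup was a consequence of the PHP script running as a different user than the directory's owner, which the chown step removes.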

