.htaccess/.htpasswd; apache chroot

[phinsman]

I've seen this sort of problem a lot while searching forums for it, but I've yet to find a solution to the problem I'm having that works for me.

Here are the facts:

I have an .htaccess file in a directory I want to share only with friends. Thus the password protection.

I read somewhere about the chroot problem. I moved the .htpasswd file into one of the cgi-bin directories (which I didn't want to do at all) and that worked.

Now, my question is, is there a better way? I guess having Apache chroot'ed is a good idea, but it doesn't sound safe to me to have the .htpasswd files within the web site's DirectoryRoot.

I do have to leave the permissions at 644 for the .htpasswd files, and the directories above it should be 775, correct?

If anyone has any advice I would appreciate it.

Dale

 

[thedaver]

I have no idea what you're talking about with "the chroot problem"....
.htaccess files are fine in their own directory.
they should be chmod read-only unless you are going to change them, then add write access.
There's an Apache forum around here that might be a more direct route to this matter as well....
forum65 luck.

"Surfinbox Shares" - A fundraising program that builds revenue from dialup Internet users.

http://www.surfinbox.com/shares/

 

[phinsman]

Well "the chroot problem" is something I just read about the other night. Apparently recent versions of Apache are, by default, chroot'ed and cannot see outside of the DocumentRoot directory. Thus, you can't place an .htpasswd (not .htaccess) file outside of the DocumentRoot directory. Apache can't read it.

Thanks for the forum pointer by the way...I didn't notice before that there was an Apache forum.

Dale

 

[danielhozac]

Apache does not chroot itself in it's default configuration unless you are using OpenBSD. You can place your .htpasswd files whereever you want.

//Daniel

 

[rouse01]

This really should be in the Apache group...
To create a password file outside your web tree, try this from your shell as root:

htpasswd -c /usr/local/apache/.pwd mybuddy
(you'll be prompted for password)

This creates (-c) a hidden password file (.) called pwd in the /usr/local/apache folder and adds someone named mybuddy.
To add another user, use same syntax as above but leave off the -c, otherwise you'll overwrite your pwd file.

Then in your /etc/httpd/conf/ folder, edit your httpd.conf and add this:

<Directory &quot;/var/

http://www/html&quot;>

Options Indexes Includes FollowSymLinks
AuthType Basic
AuthName &quot;By Invitation Only&quot;
AuthUserFile /usr/local/apache/.pwd
AuthGroupFile /dev/null
require valid-user
# require user mybuddy
AllowOverride None
Allow from from all
Order Deny,Allow
</Directory>


Change the <Directory...> to be a specific folder under the html, like <Directory &quot;/var/

http://www/html/budpage&quot;>

if you want to let them in there. I beleive the rights are inherited from that entry page on down.

Require valid-user grants access to anyone listed in the .pwd file.

Keith