Gossamer Forum

Storage of the .htpasswd file...

Is it really safe to store the .htpasswd file in the same, world readable directory as the .htaccess file? I have always learned that security is numero uno, and that this is generally NOT good practice.

Is there a way to put the .htpasswd file in the users home directory? (~/)

Other than that...looks good on my end. Cobalt Raq4...


randy sesser // web dev // troika web design, llc
Re: [rsesser] Storage of the .htpasswd file...
>>world readable directory<<

It isn't world readable if you have a .htaccess file in there :)

You can't read either file as you need to login before you can get to them.
Re: [RedRum] Storage of the .htpasswd file...
Sure it is. Doesn't matter if you have it pass protected, it's still serving up that directory to the world. Here's my issue:
We have over 80 clients on the Cobalt box...that's at least 80 logins and passwords to the machine...if the .htpasswd resides in a world readable directory (like any directory that serves up http), then anyone who logs in (SSH like) has access to the file. If the file resides in the user's home directory, it's only readable by that username. One is better than 80+...in a shared environment, this is not so secure.

so...is there a quick hack to change where the .htpasswd file is stored? if not, may I make that a suggestion for future releases of FileMan?

thanks for the quick response in any case...

randy sesser // web dev // troika web design, llc
Re: [rsesser] Storage of the .htpasswd file...
Hi,

It doesn't matter: if the file is 644 it is world readable (which it must be, it can't be 600 as user httpd needs to read it), so a user can access it via shell. i.e.

As user admin create a file called test in your home directory.
As user foo, you can view the contents of this file (as long as you know the path, which you will know by looking at the .htaccess file).

You might be able to do something by making the file 640 and making it in the httpd group, I'm not sure.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] Storage of the .htpasswd file...
On the RaQ it does matter...as a regular user with shell access, I can move into any site's web directory and read any file contained within. I can also move into another user's directory BUT I cannot get a dir listing or much else within the user's directory. With that, the .htpasswd would be completely unreadable by any other user than the owner of the file....that is my main concern. I don't know if you're familiar with the layout on Cobalt RaQs but...yeah.

call me paranoid, but it's simple things that always cause the biggest problems.

I guess it doesn't matter all that much, I just want to be safe.

Thanks...I'll dig through some code and maybe post a hack for RaQ users if they so choose...if that's alright?

randy sesser // web dev // troika web design, llc
Re: [rsesser] Storage of the .htpasswd file...
Hmm, let me test something out..
--
Gossamer Threads Inc.

Last edited by: Alex: Jan 7, 2002, 12:44 PM
Re: [Alex] Storage of the .htpasswd file...
Hi,

Sorry, got tripped up, as the user's directory is 751, which means by default anyone can view files inside a user's directory, they just can't get a directory listing.

I'll look at adding a preference "Password Dir" where FileMan will create its .htpasswd files, and modify the .pkg to default it to a user's home directory/passwords. The script will make passwords and chmod it 700.

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] Storage of the .htpasswd file...
Wow! Cool beans. Thanks for putting up with me.

Now, I hope our clients appreciate this

randy sesser // web dev // troika web design, llc
Re: [rsesser] Storage of the .htpasswd file...
No, wait a minute, I'm mistaken. If you create a directory 700, and put your password file in it, then the web user can't view it and it won't work. If you create a directory 751 and put your password file in it, then the web user can view it, but so can other users.

I don't think the RaQ default groups are set up to handle this. There isn't a way to put the file on the server easily so that you and user httpd can view the file, but not others. It would involve having a group that contains just you and the httpd user.

So in short, moving the file to the user's home directory is no more secure than leaving it where it is.

Cheers,

Alex
--
Gossamer Threads Inc.
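The three permission layouts Alex walks through above (644 under a 751 home, a 700 passwords directory, and 640 with a group holding only the owner and httpd), modelled as an added example; this is not FileMan code, and the uids, gids and the shared group are placeholders:

```python
import stat

# Constructed example: model the Unix read checks the thread is about.
# uids/gids are illustrative placeholders, not values from any real RaQ.
OWNER = ("admin", 1001, {1001})        # site owner's uid and groups
OTHER = ("foo", 1002, {1002})          # another shell user on the box
HTTPD = ("httpd", 48, {48})            # web server user, default groups
SHARED_GID = 2000                      # hypothetical group: admin + httpd
HTTPD_IN_GROUP = ("httpd", 48, {48, SHARED_GID})

_BITS = {"r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
         "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)}

def allowed(mode, f_uid, f_gid, uid, gids, what):
    """Owner/group/other check for one bit ('r' or 'x') on one inode."""
    usr, grp, oth = _BITS[what]
    if uid == 0:                  # root bypasses the mode bits
        return True
    if uid == f_uid:
        return bool(mode & usr)
    if f_gid in gids:
        return bool(mode & grp)
    return bool(mode & oth)

def can_read(path, user):
    """path: list of (mode, uid, gid) for every directory on the way,
    followed by the file itself.  Reading needs search (x) on each
    directory and read (r) on the file."""
    _, uid, gids = user
    *dirs, leaf = path
    if not all(allowed(m, u, g, uid, gids, "x") for m, u, g in dirs):
        return False
    m, u, g = leaf
    return allowed(m, u, g, uid, gids, "r")

def who_can_read(path, users):
    return {name: can_read(path, (name, uid, gids)) for name, uid, gids in users}

HOME = (0o751, 1001, 1001)            # RaQ default home, per the thread

# 1. .htpasswd 644 under a 751 home: httpd can read it, but so can foo.
IN_HOME_644 = who_can_read([HOME, (0o644, 1001, 1001)], (OWNER, HTTPD, OTHER))
# 2. passwords dir 700: foo is locked out, but so is httpd (auth breaks).
IN_DIR_700 = who_can_read([HOME, (0o700, 1001, 1001), (0o644, 1001, 1001)],
                          (OWNER, HTTPD, OTHER))
# 3. 640 plus a group holding only the owner and httpd: the split Alex describes.
IN_GROUP_640 = who_can_read([HOME, (0o640, 1001, SHARED_GID)],
                            (OWNER, HTTPD_IN_GROUP, OTHER))
```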
Re: [Alex] Storage of the .htpasswd file...
I'm not an expert, but aren't passwords coded anyway? If so, then it doesn't matter where the script is placed!
Re: [rhordern] Storage of the .htpasswd file...
Yes, it's a small risk, but given enough time you can break the coded passwords.

Cheers,

Alex
--
Gossamer Threads Inc.