top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

htpasswd permissions using apache

0 votes

I have a an htpasswd file that I want to have locked down so that it cannot be read on the filesystem by anyone other than the owner and Apache. Apache is version 2.2.3 running on RedHat Linux 5.9.

The permissions I have set are as follows:

drwxr-xr-x 6 root root 4096 May 7 10:19 /www
drwxrwxr-x 3 webowner apache 4096 May 7 10:03 /www/etc
drwxrwxr-x 4 webowner apache 4096 Jun 7 18:01 /www/etc/apache
drwxrwx--- 6 webowner apache 4096 Jun 7 18:01 /www/etc/apache/config
-rw-rw---- 1 webowner apache 123 Jun 7 18:01 /www/etc/apache/config/htpasswd

The httpd server starts as root and runs under the apache account as a member of the apache group. Under this permission structure, the web server will prompt the user for authentication, but throws an internal server error after the attempted login.

The error log shows this:

[Wed Jul 03 10:58:12 2013] [error] [client] (13)Permission denied: Could not open password file: /www/etc/apache/config/htpasswd
[Wed Jul 03 10:58:12 2013] [crit] [client] configuration error: couldn't check user. No user file?: /restricted/testfile.html

If I give read access to others on htpasswd (chmod o+r) and the config directory (chmod o+rx), there's no more internal server error. Changing the owner from webowner to apache also resolves the issue. However, neither of these options meets my needs in terms of file-security.

posted Jul 3, 2013 by anonymous

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button
Are you using SELinux?
No, SELinux is disabled.

2 Answers

+1 vote

May be you should double check what MPM are you using and if the User directive is supported.
I don't know exactly why you're experiencing this problem but if you grant the execute permission to others at config directory this shouldn't lead in any security issue.

answer Jul 3, 2013 by anonymous
0 votes

have you double-checked the effective user/group of your processes?

# ps -ax -o pid,euser,egroup,args|grep httpd
answer Jul 4, 2013 by anonymous
Similar Questions
0 votes

I got an cgi-script which is creating a file. This file need 775 permissions (rwxrwxr-x). I need to get the apache to create this file with 775 permissions.

I researched, but 90% of all those solutions doesn't work for me or those "init scripts" doesn't even exists on my openSUSE 13.1 64-Bit.

I found out, that /usr/sbin/apache2 should be my "init script". I added umask 002 there, but it doesn't changed anything. I still have rw-r--r-- instead of rwxrwxr-x permissions.

Please help me out?

+2 votes

I need help in order to configure these api's in eclipse.

+2 votes

I'm using multi ipaddress setup with virtual hosts to support different certificates.

For one of the hosts we currently don't have DNS pointing to the right IP so I edited my hosts file to point at the relevant IP. This host has a GlobalSign extended cert. We want to check the setup before going live.

On windows I checked that all the popular browsers see my extended certificate and see green url bars ok.

On linux chromium shows green, but on one machine firefox shows untrusted and on another it shows green.

Is there a way to check the certificate setup from a linux box without having the correct dns in place? I normally use GlobalSign's test stuff, but that won't work without the right dns in place.

0 votes

We are currently using HTTP connector in tomcat 7.42 and planning to switch to AJP NIO connector. When I was reading through the docs I found "WARNING: The NIO connector for AJP is experimental."

This made me think that NIO connector might not be mature at this point. Can somebody who had experience with NIO connector let me know if it is stable and any pitfalls I should be aware of?

Stable enough to be used on enterprise apps which is expected to get thousands of requests in a hour?

Any information would be helpful.

+1 vote

I did not find a solution for this:

I want to restrict access to certain files to requests coming from the same public ip address the server is running on, like so:

order deny,allow
deny from all
allow from xx.xx.xx.xx

To make it more maintainable I would like to use the %{SERVER_ADDR} environment variable, but this does not work:

order deny,allow
deny from all
allow from %{SERVER_ADDR}

I tried syntax variations, also combined with SetEnfIf but still no success. How can I allow access only if REMOTE_ADDR == SERVER_ADDR ?