RE: [users@httpd] htpasswd permissions

2013-07-04 Thread Isenhower, Dave
Jens and Vincenzo,

You both got me on the right track.  Yes, there was a Group directive that was 
set to "nobody".  I didn't even realize that the processes could run under a 
group that the User was not a member of.

Once I updated the Group to "apache", everything worked fine!

Thanks!
Dave

-Original Message-
From: Jens-U. Mozdzen [mailto:jmozd...@nde.ag] 
Sent: Thursday, July 04, 2013 5:29 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] htpasswd permissions

Hi Dave,

Quoting "Isenhower, Dave" :
> We’re running prefork.  I can see the processes running under the 
> correct user:
>
> $ ps -ef | grep httpd
> apache 14638 26766  0 11:32 ?00:00:00 /usr/sbin/httpd -d  
> /www/etc/apache/config -c Pidfile /web/logs/pid-files/httpd.pid -f 
> /www/etc/apache/config/httpd.conf
>
> $ groups apache
> apache : apache
>
> Even adding read and execute to others on the config directory isn’t 
> sufficient.  I still have to add read to the htpasswd file itself.
>
> Thanks,
> Dave

have you double-checked the effective user/group of your processes?

# ps -ax -o pid,euser,egroup,args|grep httpd

Regards,

Jens


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
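The permission puzzle in this thread comes down to which of the three rwx classes (owner, group, other) the kernel applies to the httpd worker, and that depends on the worker's effective group and supplementary groups, not on what `groups apache` prints. The following is an added Python model, not code from the thread or from httpd, that replays the check Linux makes when a process opens a file for reading: search (x) permission on every directory in the path, then read (r) on the file. The inode table is constructed from the `ls -l` listing Dave posted; the two worker processes are assumptions modelling `Group nobody` (the misconfiguration Dave found) and `Group apache` (the fix), and `mallory` is a constructed unprivileged local account.

```python
"""Model of the Unix discretionary-access check for opening a file to read."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class Inode:
    owner: str
    group: str
    mode: int  # permission bits only, e.g. 0o660


@dataclass(frozen=True)
class Process:
    euser: str
    egroup: str
    groups: FrozenSet[str] = frozenset()  # supplementary groups


# Constructed from the `ls -l` listing posted in the thread.
SAMPLE_TREE: Dict[str, Inode] = {
    "/www": Inode("root", "root", 0o755),
    "/www/etc": Inode("webowner", "apache", 0o775),
    "/www/etc/apache": Inode("webowner", "apache", 0o775),
    "/www/etc/apache/config": Inode("webowner", "apache", 0o770),
    "/www/etc/apache/config/htpasswd": Inode("webowner", "apache", 0o660),
}
HTPASSWD = "/www/etc/apache/config/htpasswd"


def _class_bits(inode: Inode, proc: Process) -> int:
    """Pick the rwx triplet that applies: owner first, then group (effective or
    supplementary), else other. Only the first matching class is consulted, so a
    group bit never rescues an owner that lacks it, and vice versa."""
    if proc.euser == inode.owner:
        return (inode.mode >> 6) & 0o7
    if proc.egroup == inode.group or inode.group in proc.groups:
        return (inode.mode >> 3) & 0o7
    return inode.mode & 0o7


def can_read(tree: Dict[str, Inode], path: str, proc: Process) -> Tuple[bool, str]:
    """Walk each ancestor directory for search (x), then the file for read (r).
    Returns (ok, reason). Root bypasses DAC and is modelled as always allowed."""
    if proc.euser == "root":
        return True, "root bypasses permission checks"
    parts = path.strip("/").split("/")
    for depth in range(1, len(parts)):
        directory = "/" + "/".join(parts[:depth])
        if not _class_bits(tree[directory], proc) & 0o1:
            return False, f"no search (x) permission on {directory}"
    if not _class_bits(tree[path], proc) & 0o4:
        return False, f"no read permission on {path}"
    return True, "ok"


def with_chmod_other(tree: Dict[str, Inode], path: str, bits: int) -> Dict[str, Inode]:
    """Return a copy of the tree with the given bits OR'ed into 'other' (chmod o+...)."""
    new = dict(tree)
    inode = tree[path]
    new[path] = Inode(inode.owner, inode.group, inode.mode | (bits & 0o7))
    return new


# Assumed: with 'Group nobody' the workers run as apache:nobody and hold no
# apache group membership, because apache's primary group is not listed in /etc/group.
WORKER_GROUP_NOBODY = Process("apache", "nobody", frozenset({"nobody"}))
# After 'Group apache', the fix Dave applied.
WORKER_GROUP_APACHE = Process("apache", "apache", frozenset({"apache"}))


if __name__ == "__main__":
    for label, proc in [("Group nobody", WORKER_GROUP_NOBODY), ("Group apache", WORKER_GROUP_APACHE)]:
        print(f"{label:13s}", can_read(SAMPLE_TREE, HTPASSWD, proc))
    # The workaround Dave rejected: o+rx on config plus o+r on htpasswd makes the
    # worker happy, but also hands the password hashes to every local account.
    loosened = with_chmod_other(SAMPLE_TREE, "/www/etc/apache/config", 0o5)
    loosened = with_chmod_other(loosened, HTPASSWD, 0o4)
    print("o+rx config, o+r htpasswd:", can_read(loosened, HTPASSWD, WORKER_GROUP_NOBODY))
    print("unrelated local user:     ", can_read(loosened, HTPASSWD, Process("mallory", "users")))
```

Running it reproduces each observation in the thread in order: with the wrong Group the walk stops at `/www/etc/apache/config` (no x for others), loosening only that directory moves the failure to the htpasswd file itself, and loosening the file lets the worker read it but so can any other local user. Switching the worker's effective group to `apache` satisfies the group class on both the directory and the file without touching the mode bits, which is why `ps -o euser,egroup` is the first thing to check.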



Re: [users@httpd] Re: mod_status shows weird numbers in "Total Accesses"

2013-07-04 Thread Tom Evans
On Wed, Jul 3, 2013 at 7:00 AM, Asaf Dalet  wrote:
> As I previously mentioned, the Apache is actually Oracle-HTTP-Server version
> 10.1.3.4.0
>
> Asaf
>

Hi Asaf

It's very unlikely that you will be able to entice someone to look in
to this very ancient version of Apache for a bug not relating to
security. If your client requires that this problem be resolved, I
suggest getting in contact with the vendor.

Cheers

Tom




[users@httpd] mod_lua, authz and merging of directives

2013-07-04 Thread Karl Pflästerer
Hi,
I have a question concerning authz providers, mod_lua and the merging
of Require directives.

I have a Lua authz provider which is configured like this:

-
LuaRoot /PATH/conf/lua
LuaScope thread

LuaAuthzProvider authzassets authnz.lua check_authz_ok
LuaAuthzProvider authz   authnz.lua check_authz
LuaHookCheckUserID   authnz.lua check_user_id early


  AuthName foo
  AuthType Basic
  Require authz Redaktion



  AuthName foo
  AuthType Basic
  Require authzassets



  AuthName foo
  AuthType Basic
  Require authz Sapdoku

-


If I write it like that it doesn't work. The last Require directive per
authz provider wins. So all users in the group Sapdoku can also access
other /admin areas.

If instead I write:

-
LuaRoot /PATH/conf/lua
LuaScope thread

LuaAuthzProvider authzassets authnz.lua check_authz_ok
LuaAuthzProvider authz   authnz.lua check_authz
LuaAuthzProvider authz2  authnz.lua check_authz
LuaHookCheckUserID   authnz.lua check_user_id early


  AuthName foo
  AuthType Basic
  Require authz Redaktion



  AuthName foo
  AuthType Basic
  Require authzassets



  AuthName foo
  AuthType Basic
  Require authz2 Sapdoku

-

everything works as expected.

If I read the code in mod_lua.c right (function lua_authz_parse) then
the last Require directive per authz provider will win.

I had expected that I would see the same merging as if I had used e.g.
the file authz provider.

Is the configuration with multiple authz providers the only way?

 KP


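KP's observation is that every `Require authz ...` line ends up in one per-provider slot, so the last argument parsed applies to every location that names the provider, and a Sapdoku member is granted the other admin areas as well. The following added Python model (not part of the thread, not mod_lua code) contrasts that "last Require per provider wins" binding with the per-location binding KP expected, evaluates both for a user in each group, and finishes with the lint check a reviewer would run over such a configuration: flag any provider that is given different arguments in different locations. The location paths are placeholders, since the archived message lost its `<Location>` lines, and the two provider stand-ins (`check_authz` grants on group membership, `check_authz_ok` grants any authenticated user) are assumptions about what authnz.lua does.

```python
"""Model of binding Require directives to authz providers: last-wins vs per-location."""
from collections import defaultdict
from typing import Callable, Dict, List, Set, Tuple

# Constructed from KP's first configuration; paths are placeholders.
FIRST_CONFIG: List[Tuple[str, str, str]] = [
    # (location, provider, argument)
    ("/admin/redaktion", "authz", "Redaktion"),
    ("/admin/assets", "authzassets", ""),
    ("/admin/sapdoku", "authz", "Sapdoku"),
]

# Assumed provider semantics, standing in for the Lua functions named in the config.
PROVIDERS: Dict[str, Callable[[Set[str], str], bool]] = {
    "authz": lambda groups, arg: arg in groups,        # check_authz: group membership
    "authzassets": lambda groups, arg: True,           # check_authz_ok: any authenticated user
}

Binding = Dict[str, Tuple[str, str]]  # location -> (provider, argument)


def bind_last_wins(config: List[Tuple[str, str, str]]) -> Binding:
    """Observed behaviour: one argument slot per provider name, overwritten by
    each later Require, so every location using that provider sees the last value."""
    slot: Dict[str, str] = {}
    for _location, provider, arg in config:
        slot[provider] = arg
    return {loc: (prov, slot[prov]) for loc, prov, _ in config}


def bind_per_location(config: List[Tuple[str, str, str]]) -> Binding:
    """Expected behaviour: each location keeps the argument written in its own block."""
    return {loc: (prov, arg) for loc, prov, arg in config}


def allowed_locations(binding: Binding, user_groups: Set[str]) -> List[str]:
    """Locations an authenticated user in user_groups may reach under this binding."""
    return sorted(loc for loc, (prov, arg) in binding.items() if PROVIDERS[prov](user_groups, arg))


def providers_with_conflicting_args(config: List[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """Lint: providers named with more than one distinct argument across locations.
    Under last-wins binding these are exactly the ones whose earlier Require lines
    are silently replaced."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for _location, provider, arg in config:
        seen[provider].add(arg)
    return {prov: args for prov, args in seen.items() if len(args) > 1}


if __name__ == "__main__":
    for name, binder in (("last-wins", bind_last_wins), ("per-location", bind_per_location)):
        binding = binder(FIRST_CONFIG)
        for group in ("Redaktion", "Sapdoku"):
            print(f"{name:13s} {group:10s} -> {allowed_locations(binding, {group})}")
    print("conflicting:", providers_with_conflicting_args(FIRST_CONFIG))
```

Under the last-wins binding the Redaktion group loses its own area and Sapdoku gains it, which is the symptom reported; KP's second configuration avoids the collision by registering a second provider name, and the lint function reports exactly the provider (`authz`) that needed splitting.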



Re: [users@httpd] htpasswd permissions

2013-07-04 Thread Jens-U. Mozdzen

Hi Dave,

Quoting "Isenhower, Dave" :
> We’re running prefork.  I can see the processes running under the
> correct user:
>
> $ ps -ef | grep httpd
> apache 14638 26766  0 11:32 ?00:00:00 /usr/sbin/httpd -d
> /www/etc/apache/config -c Pidfile /web/logs/pid-files/httpd.pid -f
> /www/etc/apache/config/httpd.conf
>
> $ groups apache
> apache : apache
>
> Even adding read and execute to others on the config directory isn’t
> sufficient.  I still have to add read to the htpasswd file itself.
>
> Thanks,
> Dave


have you double-checked the effective user/group of your processes?

# ps -ax -o pid,euser,egroup,args|grep httpd

Regards,

Jens





Re: [users@httpd] htpasswd permissions

2013-07-04 Thread Vincenzo D'Amore
Hi,

Together with the User directive, the Group directive should also be defined.
I'm not sure if you double-checked it; are they both defined?

User apache
Group apache

Just another thing, maybe a silly question: have you checked if there is a
symbolic link in the path?

/www/etc/apache/config/htpasswd

Best regards,
Vincenzo


On 03/Jul/2013, at 20:03, "Isenhower, Dave"  wrote:

> We’re running prefork.  I can see the processes running under the correct 
> user:
>  
> $ ps -ef | grep httpd
> apache 14638 26766  0 11:32 ?00:00:00 /usr/sbin/httpd -d 
> /www/etc/apache/config -c Pidfile /web/logs/pid-files/httpd.pid -f 
> /www/etc/apache/config/httpd.conf
>  
> $ groups apache
> apache : apache
>  
> Even adding read and execute to others on the config directory isn’t 
> sufficient.  I still have to add read to the htpasswd file itself.
>  
> Thanks,
> Dave
>  
> From: Vincenzo D'Amore [mailto:v.dam...@gmail.com] 
> Sent: Wednesday, July 03, 2013 1:49 PM
> To: users@httpd.apache.org
> Cc: users@httpd.apache.org
> Subject: Re: [users@httpd] htpasswd permissions
>  
> Hi,
>  
> Maybe you should double-check which MPM you are using and whether the User
> directive is supported.
> http://httpd.apache.org/docs/2.2/mod/mpm_common.html#user
> 
> 
> I don't know exactly why you're experiencing this problem, but if you grant
> the execute permission to others on the config directory this shouldn't lead to
> any security issue.
>  
> Best regards,
> Vincenzo
>  
>  
> 
> On 03/Jul/2013, at 18:40, "Isenhower, Dave"
> wrote:
> 
> Hi,
> 
> I have an htpasswd file that I want to have locked down so that it cannot
> be read on the filesystem by anyone other than the owner and Apache.  Apache
> is version 2.2.3 running on RedHat Linux 5.9.
> 
> The permissions I have set are as follows:
> 
> drwxr-xr-x 6 root root   4096 May  7 10:19 /www
> drwxrwxr-x 3 webowner apache 4096 May  7 10:03 /www/etc
> drwxrwxr-x 4 webowner apache 4096 Jun  7 18:01 /www/etc/apache
> drwxrwx--- 6 webowner apache 4096 Jun  7 18:01 /www/etc/apache/config
> -rw-rw---- 1 webowner apache 123  Jun  7 18:01 /www/etc/apache/config/htpasswd
> 
> The httpd server starts as root and runs under the apache account as a member 
> of the apache group.  Under this permission structure, the web server will 
> prompt the user for authentication, but throws an internal server error after 
> the attempted login.
> 
> The error log shows this:
> 
> [Wed Jul 03 10:58:12 2013] [error] [client 127.0.0.1] (13)Permission denied: 
> Could not open password file: /www/etc/apache/config/htpasswd
> [Wed Jul 03 10:58:12 2013] [crit] [client 127.0.0.1] configuration error:  
> couldn't check user.  No user file?: /restricted/testfile.html
> 
> If I give read access to others on htpasswd (chmod o+r) and the config 
> directory (chmod o+rx), there's no more internal server error.  Changing the 
> owner from webowner to apache also resolves the issue.  However, neither of 
> these options meets my needs in terms of file-security.
> 
> I'm stumped and would appreciate any help.
> 
> Thanks,
> Dave
> 