Hi,

I needed to "protect" a URI of my webserver. Since the Base64 encoding of mod_auth seemed too revealing to me, and on the other hand SSL/TLS too involved, I looked for something in between and came across mod_auth_digest.

With mod_auth_digest comes the utility program htdigest to create and maintain a password file with MD5 hashes, similar to htpasswd of mod_auth for Base64. When I created my first passwd file with htdigest I was baffled to realize that the htdigest binary from my installation produced a passwd file with suid, sgid and the sticky bit set. Ugh, what the heck is any sbit necessary for on a flat password file? E.g.

  # ls -ld /tmp
  drwxrwxrwt 6 root root 1024 Feb 21 10:31 /tmp
  # htdigest -c /tmp/bogus.passwd Rotten\ Vault visitor
  Adding password for visitor in realm Rotten Vault.
  New password:
  Re-type new password:
  # ls -l /tmp/bogus.passwd
  -rwsr-sr-t 1 root root 54 Feb 21 10:34 /tmp/bogus.passwd

Needless to say, I immediately revoked those bits by

  # chmod u-sx,g-sx,o-xt /tmp/bogus.passwd
  # ls -l /tmp/bogus.passwd
  -rw-r--r-- 1 root root 54 Feb 21 10:34 /tmp/bogus.passwd

without breaking the functionality of MD5 Digest authentication at all. root's umask during htdigest invocation was

  # umask
  0022

I consider this (in my view redundant) sbit setting a severe security infringement (think of a DMZ webserver for the WWW).

I have to admit that I initially installed the Apache from the Fedora Core 3 prebuilt RPMs:

  # rpm -qf $(which htdigest)
  httpd-2.0.52-3
  # uname -srv
  Linux 2.6.9-1.667smp #1 SMP Tue Nov 2 14:59:52 EST 2004
  # cat /etc/redhat-release
  Fedora Core release 3 (Heidelberg)

Now I'm very much inclined to compile any Apache for public servicing from the source tarballs with no DSO and only statically compiled-in modules.

Or did I miss something, and there is a hidden sense behind all this?

Regards
Ralph

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
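The post's point is that a digest password file is a flat text file and needs none of the setuid, setgid or sticky bits. The following is an added example, not part of Ralph's message and not Apache's own htdigest code; it creates a file in the documented mod_auth_digest format (one `user:realm:MD5(user:realm:password)` line per entry) with an explicit, umask-independent mode, then audits and strips any special bits found, reproducing the `-rwsr-sr-t` state from the post on a scratch file to show the cleanup. The user, realm and password values are constructed sample data.

```python
import hashlib
import os
import stat
import tempfile


def digest_hash(user, realm, password):
    """HA1 as stored by htdigest: MD5 over 'user:realm:password' (documented mod_auth_digest format)."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def htdigest_line(user, realm, password):
    """One line of a digest password file: user:realm:hash."""
    return f"{user}:{realm}:{digest_hash(user, realm, password)}"


# Special bits that have no business on a flat password file.
SPECIAL_BITS = {
    stat.S_ISUID: "setuid",
    stat.S_ISGID: "setgid",
    stat.S_ISVTX: "sticky",
}


def audit_mode(mode):
    """Return the names of any special bits set in a permission mode (empty list when clean)."""
    return [name for bit, name in SPECIAL_BITS.items() if mode & bit]


def write_digest_file(path, entries, mode=0o640):
    """Create the password file with an explicit mode and return the mode actually on disk.

    O_CREAT applies the mode through the umask, so a chmod afterwards pins it regardless
    of the caller's umask; the resulting mode never contains setuid/setgid/sticky.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as fh:
        for user, realm, password in entries:
            fh.write(htdigest_line(user, realm, password) + "\n")
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def strip_special_bits(path):
    """Remove setuid, setgid and sticky from a file, keeping rwx bits; returns the new mode."""
    current = stat.S_IMODE(os.stat(path).st_mode)
    cleaned = current & ~(stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX)
    os.chmod(path, cleaned)
    return cleaned


def demo():
    """Write a sample file, force the post's -rwsr-sr-t mode onto it, then audit and clean it.

    Returns (mode_as_written, problems_found, mode_after_cleanup, problems_after_cleanup).
    """
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, "bogus.passwd")
        # Constructed sample entry; the realm contains a space like the one in the post.
        written = write_digest_file(path, [("visitor", "Rotten Vault", "example-password")])
        # Reproduce the state reported in the post (setuid, setgid, sticky all set).
        os.chmod(path, 0o7755)
        problems = audit_mode(stat.S_IMODE(os.stat(path).st_mode))
        cleaned = strip_special_bits(path)
        print(f"as written: {written:04o}  tampered: {stat.filemode(os.stat(path).st_mode)} "
              f"problems={problems}  cleaned: {cleaned:04o}")
        return written, problems, cleaned, audit_mode(cleaned)


if __name__ == "__main__":
    demo()
```

`audit_mode` can be run over `stat.S_IMODE(os.stat(p).st_mode)` for every file under a server's auth directory as a quick periodic check; the expected result for a password file is an empty list, and anything else is worth an alert before anyone reasons about whether the kernel would actually honour the bits.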