Hi, May be you should double check what MPM are you using and if the User directive is supported. http://httpd.apache.org/docs/2.2/mod/mpm_common.html#user
I don't know exactly why you're experiencing this problem but if you grant the execute permission to others at config directory this shouldn't lead in any security issue. Best regards, Vincenzo On 03/lug/2013, at 18:40, "Isenhower, Dave" <dave.isenho...@siemens.com> wrote: > Hi, > > I have a an htpasswd file that I want to have locked down so that it cannot > be read on the filesystem by anyone other than the owner and Apache. Apache > is version 2.2.3 running on RedHat Linux 5.9. > > The permissions I have set are as follows: > > drwxr-xr-x 6 root root 4096 May 7 10:19 /www > drwxrwxr-x 3 webowner apache 4096 May 7 10:03 /www/etc > drwxrwxr-x 4 webowner apache 4096 Jun 7 18:01 /www/etc/apache > drwxrwx--- 6 webowner apache 4096 Jun 7 18:01 /www/etc/apache/config > -rw-rw---- 1 webowner apache 123 Jun 7 18:01 /www/etc/apache/config/htpasswd > > The httpd server starts as root and runs under the apache account as a member > of the apache group. Under this permission structure, the web server will > prompt the user for authentication, but throws an internal server error after > the attempted login. > > The error log shows this: > > [Wed Jul 03 10:58:12 2013] [error] [client 127.0.0.1] (13)Permission denied: > Could not open password file: /www/etc/apache/config/htpasswd > [Wed Jul 03 10:58:12 2013] [crit] [client 127.0.0.1] configuration error: > couldn't check user. No user file?: /restricted/testfile.html > > If I give read access to others on htpasswd (chmod o+r) and the config > directory (chmod o+rx), there's no more internal server error. Changing the > owner from webowner to apache also resolves the issue. However, neither of > these options meets my needs in terms of file-security. > > I'm stumped and would appreciate any help. > > Thanks, > Dave > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org >
