httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Isenhower, Dave" <>
Subject [users@httpd] htpasswd permissions
Date Wed, 03 Jul 2013 16:40:21 GMT

I have a an htpasswd file that I want to have locked down so that it cannot be read on the
filesystem by anyone other than the owner and Apache.  Apache is version 2.2.3 running on
RedHat Linux 5.9.  

The permissions I have set are as follows:

drwxr-xr-x 6 root     root   4096 May  7 10:19 /www
drwxrwxr-x 3 webowner apache 4096 May  7 10:03 /www/etc
drwxrwxr-x 4 webowner apache 4096 Jun  7 18:01 /www/etc/apache
drwxrwx--- 6 webowner apache 4096 Jun  7 18:01 /www/etc/apache/config
-rw-rw---- 1 webowner apache 123  Jun  7 18:01 /www/etc/apache/config/htpasswd

The httpd server starts as root and runs under the apache account as a member of the apache
group.  Under this permission structure, the web server will prompt the user for authentication,
but throws an internal server error after the attempted login.

The error log shows this:

[Wed Jul 03 10:58:12 2013] [error] [client] (13)Permission denied: Could not open
password file: /www/etc/apache/config/htpasswd
[Wed Jul 03 10:58:12 2013] [crit] [client] configuration error:  couldn't check
user.  No user file?: /restricted/testfile.html

If I give read access to others on htpasswd (chmod o+r) and the config directory (chmod o+rx),
there's no more internal server error.  Changing the owner from webowner to apache also resolves
the issue.  However, neither of these options meets my needs in terms of file-security.

I'm stumped and would appreciate any help.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message