WebDAV Tutorial: a warning
Authored by: Elander on Jul 27, '02 11:19:01AM

Although the tutorial mentioned above (www.goliveheaven.com) is pretty good, it contains one thing that is generally considered a "bad idea". They use ".htaccess" files to provide access control.

A ".htaccess" file sits in the directory it is intended to protect, which is generally accepted as a potential risk. Most security experts advise against using them. That's why I included a bit in my tip to place the password files outside the hierarchy of folders contained in the servers root folder. Doing so makes it more difficult for the evil doers to get at it (unless they hack webmin of course).

I know I'm being paranoid, but in this day and age that is a profitable condition. Remember, just because you're paranoid it doesn't mean that everybody else isn't trying to hurt you...

Also, my tip requires you to do a lot of "sudo" commands. You really shouldn't just take them for granted. The command "sudo" is inherently dangerous and you should figure out what those commands are doing before you try them. You don't know me, so why should you trust me?

;-)



WebDAV Tutorial: a warning
Authored by: jima on Jul 28, '02 05:33:55AM

Yes, it's a bad idea to have the password file in a publicly accessible directory, but the .htaccess has to be there to protect the directory (unless you do it in the httpd.conf).

So on OS X a safer place to put the password file is in /Library/Webserver. Just don't put it anywhere in /Library/Webserver/Documents. Use this to create a new password file called .htpasswd:

    htpasswd -c /Library/Webserver/.htpasswd username

And to add new users just remove the "-c". Also it's a good idea to prepend a dot (".") to your password file name so that they are hidden.

Note that the way Elander described this part in his tutorial is much better -- not only is the password file in a non-public directory (as above), but instead of using a .htaccess file it was done in the httpd.conf. I don't know if it's more secure not using the .htaccess file, but I do know that it's MUCH faster. Still you should use hidden names for the password files.

Jima



WebDAV Tutorial: a warning
Authored by: Elander on Jul 28, '02 10:38:33AM

You hit the nail there: the .htaccess file is publicly accessible. Not only that, it has to be read by the Apache server, so every user -- or scripts uploaded by users -- can read it. The "invisibility" offers no real protection, it only hides the file from Finder view. Unless you change the file permissions to exclude the Apache server from also altering the file, your system is wide open!

Using httpd.conf, and a password file outside the server hierarchy is thus less unsafe. Unless you screw up the permissions yourself of course... ;-D

In short: don't use ".htaccess" and be careful when you choose passwords and assign privileges!



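As an added illustration of the setup jima and Elander describe (httpd.conf instead of .htaccess, password file outside the document root), here is an httpd.conf fragment in the Apache 1.3/2.x syntax of the time; it is not code from the thread or from the GoLive tutorial, and the "dav" directory name and the www user/group are assumptions.

```apache
# Added example, not from the thread. Protect a WebDAV share from httpd.conf
# rather than from a .htaccess file inside the share.

# The password file sits outside DocumentRoot (/Library/WebServer/Documents),
# so the server can never hand it out. Create it with:
#   htpasswd -c /Library/WebServer/.htpasswd username
# and, following Elander's point about permissions, let Apache read it but not
# write it (assumes Apache runs as user/group "www", as on OS X):
#   chown root:www /Library/WebServer/.htpasswd
#   chmod 640 /Library/WebServer/.htpasswd

# Refuse to serve any .htaccess/.htpasswd that ends up under DocumentRoot.
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>

# "dav" is a placeholder for the directory you share over WebDAV.
<Directory "/Library/WebServer/Documents/dav">
    Dav On
    # Do not consult .htaccess here at all: a DAV client could upload one.
    AllowOverride None
    AuthType Basic
    AuthName "WebDAV share"
    AuthUserFile /Library/WebServer/.htpasswd
    # Every method, reads included, needs a valid account.
    Require valid-user
</Directory>
```

Restart Apache after editing httpd.conf and confirm that an unauthenticated request to the share returns 401 and that /Library/WebServer/.htpasswd is not reachable by URL.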