WebDAV Tutorial: a warning
Authored by: jima on Jul 28, '02 05:33:55AM

Yes, it's a bad idea to have the password file in a publicly accessible directory, but the .htaccess has to be there to protect the directory (unless you do it in the httpd.conf).

So on OS X a safer place to put the password file is in /Library/Webserver. Just don't put it anywhere in /Library/Webserver/Documents. Use this to create a new password file called .htpasswd:
<pre>htpasswd -c /Library/Webserver/.htpasswd username</pre>
And to add new users just remove the "-c". Also it's a good idea to prepend a dot (".") to your password file name so that it is hidden.

Note that the way Elander described this part in his tutorial is much better -- not only is the password file in a non-public directory (as above), but instead of using a .htaccess file it was done in the httpd.conf. I don't know if it's more secure not using the .htaccess file, but I do know that it's MUCH faster. Still you should use hidden names for the password files.

Jima



WebDAV Tutorial: a warning
Authored by: Elander on Jul 28, '02 10:38:33AM

You hit the nail there: the .htaccess file is publicly accessible. Not only that, it has to be read by the Apache server, so every user -- or scripts uploaded by users -- can read it. The "invisibility" offers no real protection, it only hides the file from Finder view. Unless you change the file permissions to exclude the Apache server from also altering the file, your system is wide open!

Using httpd.conf, and a password file outside the server hierarchy is thus less unsafe. Unless you screw up the permissions yourself of course... ;-D

In short: don't use ".htaccess" and be careful when you choose passwords and assign privileges!



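Added example, not part of either comment above: a small shell check of the two points raised in this thread, that the password file sits outside the document root and that only its owner can modify it. The function name `audit_htpasswd` and the finding labels it prints are assumptions made for illustration.

```shell
#!/bin/sh
# Audit where an Apache password file lives and who can change it.
# Added example; function name and finding labels are illustrative.

# Print the physical (symlink-resolved) path of a directory.
real_dir() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# audit_htpasswd DOCROOT PWFILE
# Prints one finding per line. Returns 0 when nothing was found,
# 1 when there are findings, 2 when an argument does not exist.
audit_htpasswd() {
    docroot=$(real_dir "$1") || { echo "docroot-missing"; return 2; }
    [ -f "$2" ] || { echo "pwfile-missing"; return 2; }
    pwdir=$(real_dir "$(dirname "$2")") || return 2
    findings=0

    # A file under the document root can be requested over HTTP,
    # whether or not its name starts with a dot.
    case "$pwdir/" in
        "$docroot"/*) echo "inside-docroot"; findings=1 ;;
    esac

    # The server only needs to read the file. Group or other write
    # bits let additional accounts rewrite the stored credentials.
    if [ -n "$(find "$2" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "writable-by-group-or-other"; findings=1
    fi

    # World-readable means every local account can copy the hashes.
    if [ -n "$(find "$2" -prune -perm -004 -print)" ]; then
        echo "world-readable"; findings=1
    fi
    return $findings
}
```

A clean result on OS X would come from something like `audit_htpasswd /Library/Webserver/Documents /Library/Webserver/.htpasswd` with the file owned by an administrator and mode 640 with the web server's group.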