[linux-help] Re: web server security
John Reinke wrote:
>
> I finally sat down and learned how to set up htaccess and htpasswd for
> password protecting web pages. While it shouldn't have surprised me, I
> hadn't realized that since the web server would have to read the web pages
> AND the password files, all these files must have 644 permissions. This is
> not good, since anyone with access to the system can access the supposedly
> password protected web pages!
Not exactly. Since the webserver must read them, make them 700 and make
them owned by the user the webserver runs as:
nobody in Red Hat, www-user in Debian. That way only the webserver can
read them.
>
> Is there an alternative way to set this up to make it more secure? Are
> there any alternatives to htaccess for protecting web pages?
Sort of. You can add all sorts of authentication in your programs. There
are versions that can get their passwords from a database instead; look
at some of the Apache modules that do this.
>
> Thanks,
> John
>
> -- This is the linux-help@xxxxxxxxx list. To unsubscribe,
> visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
--
Clint Brubakken
Developer, Computer Science Services Group, LLC
President Air Capital Linux Users Group
Wichita, KS
cabrubak@xxxxxxx
---
"The IETF motto is 'rough consensus and running code'"
-- Scott Bradner (Open Sources, 1999 O'Reilly and Associates)
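
The permission check discussed in this thread, as an added example that is not part of the original messages: a shell audit that flags access or password files readable by any account other than the one the web server runs as. It assumes GNU coreutils `stat`; the function names are illustrative, and the account name is passed as the first argument rather than assumed.

```shell
#!/bin/sh
# Audit htaccess/htpasswd-style files for the exposure described above:
# group/other permission bits set, or an owner other than the web server user.
# Usage: script.sh <webserver-user> <file>...

# check_auth_file OWNER FILE: prints findings; returns 0 if clean, 1 otherwise.
check_auth_file() {
    local want_owner="$1" file="$2" owner mode rc=0
    if [ ! -e "$file" ]; then
        echo "MISSING $file"
        return 1
    fi
    # GNU stat: %U = owner name, %a = permission bits in octal (e.g. 644)
    owner=$(stat -c '%U' -- "$file") || return 1
    mode=$(stat -c '%a' -- "$file") || return 1
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER   $file: owned by $owner, expected $want_owner"
        rc=1
    fi
    # A leading 0 makes the shell read the mode as octal; 077 masks the
    # group and other bits, so 700 and 600 pass while 644 and 640 do not.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "MODE    $file: mode $mode lets other local accounts in"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK      $file: mode $mode, owner $owner"
    fi
    return "$rc"
}

# audit_auth_files OWNER FILE...: checks every file; returns 0 only if all pass.
audit_auth_files() {
    local want_owner="$1" bad=0 f
    shift
    for f in "$@"; do
        check_auth_file "$want_owner" "$f" || bad=$((bad + 1))
    done
    echo "$bad file(s) need attention"
    [ "$bad" -eq 0 ]
}

# Run the audit only when an account name and at least one file are given.
if [ "$#" -ge 2 ]; then
    audit_auth_files "$@"
fi
```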