>Number: 2086 >Category: mod_auth-any >Synopsis: password file relative to server root not specified correctly >in module?? >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Mon Apr 20 17:20:01 PDT 1998 >Last-Modified: >Originator: [EMAIL PROTECTED] >Organization: apache >Release: 1.2.4 >Environment: linux 1.2.13 through 2.0.33 i386 not compiler or lib related >Description: server running linux 1.2.13 apache 1.2.4 AuthUserFile docs say: Filename is the path to the user file. If it is not absolute it is treated as relative to the ServerRoot.
So in ".htaccess" containing AuthFileName <relative path to> If ServerRoot is specified as: ServerRoot /usr/local/etc/httpd then only directories specified as ./httpd/foo1/foo2/foo3 may be used to specify the location of the UserAccessFile Specifying ./foo1/UserAccessFile does not work when the file is in /usr/local/etc/httpd/foo1 it must be specified as ./httpd/foo1/UserFile This would seem to violate the statement from the documentation in addition: if UserAccessFile is placed in all directories from /usr/local/etc down thru /usr/local/etc/httpd/htdocs/foo1/foo2/....etc specifying AuthUserFile UserAccessFile or AuthUserFile ./UserAccessFile or AuthUserFile ./foo1/UserAccessFile "never works" >How-To-Repeat: See above and another example, different server running i386 linux 2.0.33 .htaccess in user directory /home/foouser/public_html/foo1 placing the UserAccessFile in /usr/local/etc/httpd/conf AuthUserFile ./httpd/conf/UserAccessFile "works" AuthUserFile ./conf/UserAccessFile "does not work" -------------------- placeing the file in the ServerRoot (/usr/local/etc/httpd) AuthUserFile ./httpd/UserAccessFile "works" AuthUserFile UserAccessFile "does not work" >Fix: Sorry, I am not a C programmer I keep thinking I've missed something here but I've tested and it repeats on different machines, different versions of apache and Linux >Audit-Trail: >Unformatted: [In order for any reply to be added to the PR database, ] [you need to include <[EMAIL PROTECTED]> in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ]
