From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> Will Maier wrote:
> > On Fri, Sep 22, 2006 at 01:29:56PM -0700, John Draper wrote:
> > > Here is what I did...
> > >
> > > htpasswd -c /var/www/conf/auth/passwd edp < I set the password here >
> > >
> > > chown root.nogroup /var/www/conf/auth/passwd
> > > chmod 640 /var/www/conf/auth/passwd
> >
> > What user/group are you running httpd as? Is that user a member of
> > nogroup? Can that user read the file?
>
> "www"

Yes, but is that user a member of 'nogroup'?

You've made your passwd file accessible to root and nogroup. Since apache
runs as www, it will not be able to read passwd unless it is a member of
nogroup. It seems like you followed the examples in the Apache documentation
for setting up authentication verbatim. A good thing, but you have to take
into consideration where that procedure differs for apache on your target
platform (in other words, what OpenBSD does differently from their stock
apache example).

> > Did you look at the error_log?
>
> Yes - it didn't give me any meaningful information - but I
> did manage to get a workaround to work, by changing the
> permissions, but it was just guesswork, as if there are
> wrong permissions, the system is never going to let me know.

Correct permissions are a matter of logic. It's a credential store, so it
doesn't need to be (shouldn't be) accessible to any user at large. root will
always be able to access it, and you need apache to be able to access it.
Since apache should not be able to modify the file, granting read privileges
is what you want (not write).

If your permission change was to grant "other" access to the file, you've
granted access to any possible uid on the system - bad idea. So 0640 is
probably fine, as long as the '4' applies to the group that the www user
belongs to:

 $ id www
 uid=67(www) gid=67(www) groups=67(www)

Notice 'nogroup' doesn't appear there.

 # chown root:www /var/www/conf/auth/passwd
 # chmod 0640 /var/www/conf/auth/passwd

DS
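The permission logic DS walks through, as an added example that is not part of the thread: a small Python model of the POSIX read check, fed the www uid/gid quoted above. The nogroup gid is an assumed placeholder; the audit flags a store the service account cannot read, one it can write, and one readable by every uid.

```python
"""Model the POSIX permission check for a credential file such as an htpasswd
file, and flag layouts that are too tight (httpd cannot read it) or too open
(world-readable, or writable by the service account)."""

from dataclasses import dataclass, field

R, W = 0o4, 0o2  # read/write bits within one rwx triplet


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    groups: frozenset = field(default_factory=frozenset)  # supplementary gids

    def all_gids(self):
        return self.groups | {self.gid}


def effective_bits(mode, owner_uid, owner_gid, acct):
    """Kernel rule: owner match -> owner bits; else a group match -> group
    bits; otherwise the 'other' bits. Only one triplet ever applies."""
    if acct.uid == owner_uid:
        return (mode >> 6) & 0o7
    if owner_gid in acct.all_gids():
        return (mode >> 3) & 0o7
    return mode & 0o7


def audit_credential_file(mode, owner_uid, owner_gid, service):
    """Return a list of findings; an empty list means the layout is sound."""
    findings = []
    bits = effective_bits(mode, owner_uid, owner_gid, service)
    if service.uid != 0 and not bits & R:
        findings.append(f"{service.name} cannot read the file (auth will fail)")
    if bits & W:
        findings.append(f"{service.name} can modify the credential store")
    if mode & 0o007 & R:
        findings.append("file is world-readable")
    return findings


# Values from the thread: `id www` -> uid=67 gid=67 groups=67.
WWW = Account("www", uid=67, gid=67, groups=frozenset({67}))
ROOT_UID = 0
NOGROUP_GID = 32767  # assumed placeholder; use whatever nogroup maps to locally

if __name__ == "__main__":
    print(audit_credential_file(0o640, ROOT_UID, NOGROUP_GID, WWW))  # the broken setup
    print(audit_credential_file(0o640, ROOT_UID, WWW.gid, WWW))      # chown root:www
```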
