Re: Some recommendations on file locations sought
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Will Maier wrote:
>> On Fri, Sep 22, 2006 at 01:29:56PM -0700, John Draper wrote:
>>> Here is what I did...
>>>
>>>     htpasswd -c /var/www/conf/auth/passwd edp
>>> I set the password here
>>>     chown root.nogroup /var/www/conf/auth/passwd
>>>     chmod 640 /var/www/conf/auth/passwd
>>
>> What user/group are you running httpd as? Is that user a member of
>> nogroup? Can that user read the file?
>
> www

Yes, but is that user a member of 'nogroup'? You've made your passwd file accessible to root and nogroup. Since apache runs as www, it will not be able to read passwd unless it is a member of nogroup.

It seems like you followed the examples in the Apache documentation for setting up authentication verbatim. A good thing, but you have to take into consideration where that procedure differs for apache on your target platform (in other words, what OpenBSD does different from their stock apache example).

>> Did you look at the error_log?
>
> Yes - it didn't give me any meaningful information - but I did manage
> to get a workaround to work, by changing the permissions, but it was
> just guesswork, as if there are wrong permissions, the system is never
> going to let me know.

Correct permissions are a matter of logic. It's a credential store, so it doesn't need to be (shouldn't be) accessible to any user at large. root will always be able to access it, and you need apache to be able to access it. Since apache should not be able to modify the file, granting read privileges is what you want (not write). If your permission change was to grant other access to the file, you've granted access to any possible uid on the system - bad idea.

So 0640 is probably fine, as long as the '4' applies to the group that the www user belongs to:

    $ id www
    uid=67(www) gid=67(www) groups=67(www)

Notice 'nogroup' doesn't appear there.

    # chown root:www /var/www/conf/auth/passwd
    # chmod 0640 /var/www/conf/auth/passwd

DS
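The permission logic in the reply above (0640 only helps when the '4' lands on a group the www user belongs to), as an added example that is not part of the original thread. The function name `check_authfile`, its finding strings and the numeric ids in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Decides which permission triplet
# (owner, group or other) applies to the httpd account for an AuthUserFile,
# then reports problems. Uses "ls -ln" so it runs on BSD and GNU systems.
#
# Usage: check_authfile FILE HTTPD_UID "HTTPD_GIDS"
#   real use: check_authfile /var/www/conf/auth/passwd "$(id -u www)" "$(id -G www)"
# Prints "ok" or one finding per line; returns 0 only for "ok".
check_authfile() {
    file=$1 httpd_uid=$2 httpd_gids=$3
    line=$(ls -ldn "$file" 2>/dev/null) || { echo "missing"; return 2; }
    set -- $line                      # $1=mode string, $3=uid, $4=gid
    mode=$1 fuid=$3 fgid=$4

    in_group=no
    for g in $httpd_gids; do
        if [ "$g" = "$fgid" ]; then in_group=yes; fi
    done

    # First match wins: owner bits, else group bits, else other bits.
    if [ "$httpd_uid" = "$fuid" ]; then
        bits=$(printf %s "$mode" | cut -c2-4)
    elif [ "$in_group" = yes ]; then
        bits=$(printf %s "$mode" | cut -c5-7)
    else
        bits=$(printf %s "$mode" | cut -c8-10)
    fi
    other=$(printf %s "$mode" | cut -c8-10)

    rc=0
    case $bits in r*) ;; *) echo "unreadable-by-httpd"; rc=1 ;; esac
    case $bits in ?w*) echo "writable-by-httpd"; rc=1 ;; esac
    case $other in r*) echo "world-readable"; rc=1 ;; esac
    if [ "$rc" -eq 0 ]; then echo "ok"; fi
    return "$rc"
}

# Constructed demo: a 0640 file checked against made-up numeric ids.
demo=$(mktemp) && chmod 640 "$demo"
demo_gid=$(ls -ln "$demo" | awk '{print $4}')
check_authfile "$demo" 67 "$demo_gid" || :          # httpd is in the file's group
check_authfile "$demo" 67 "$((demo_gid + 1))" || :  # the root.nogroup situation
rm -f "$demo"
```

A "world-readable" finding corresponds to the case the reply warns about, where the file was opened to every uid on the system to make authentication work.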
Re: Some recommendations on file locations sought
Will Maier wrote:
> On Fri, Sep 22, 2006 at 01:29:56PM -0700, John Draper wrote:
>> Here is what I did...
>>
>>     htpasswd -c /var/www/conf/auth/passwd edp
>> I set the password here
>>     chown root.nogroup /var/www/conf/auth/passwd
>>     chmod 640 /var/www/conf/auth/passwd
>
> What user/group are you running httpd as? Is that user a member of
> nogroup? Can that user read the file?

www

> [...]
>> But the Apache rejects my password. I tried it several times, same
>> thing, rejection.
>
> Did you look at the error_log?

Yes - it didn't give me any meaningful information - but I did manage to get a workaround to work, by changing the permissions, but it was just guesswork, as if there are wrong permissions, the system is never going to let me know.

John
Re: Some recommendations on file locations sought
Hi again.

Issue NOT resolved yet... (sigh)

Well - I thought it works, but (sigh) it don't work. I can get to the site via the URL, and indeed apache asks for the username and password, but it rejects it, and won't let me on the site.

Here is what I did...

    htpasswd -c /var/www/conf/auth/passwd edp
I set the password here
    chown root.nogroup /var/www/conf/auth/passwd
    chmod 640 /var/www/conf/auth/passwd

Setting the Config to use this file
---
    <Directory /var/www/cgi-bin/secure>
        AuthType Basic
        AuthName "Password Required"
        AuthUserFile /var/www/conf/auth/passwd
        Require valid-user
    </Directory>

But the Apache rejects my password. I tried it several times, same thing, rejection.

Is there anything I overlooked? Why would it reject my password?

I would use this URL when accessing the site...

    http://MYIP/cgi-bin/secure/sm.py

The browser would prompt me for a username, I typed in edp and the same password I used above... The password prompt just comes back, asking for the password again. Why is it rejecting access?

John
Re: Some recommendations on file locations sought
On Fri, Sep 22, 2006 at 01:29:56PM -0700, John Draper wrote:
> Here is what I did...
>
>     htpasswd -c /var/www/conf/auth/passwd edp
> I set the password here
>     chown root.nogroup /var/www/conf/auth/passwd
>     chmod 640 /var/www/conf/auth/passwd

What user/group are you running httpd as? Is that user a member of nogroup? Can that user read the file?

> [...]
> But the Apache rejects my password. I tried it several times, same
> thing, rejection.

Did you look at the error_log?

--
o--{ Will Maier }--o | web:...http://www.lfod.us/ | [EMAIL PROTECTED] | *--[ BSD Unix: Live Free or Die ]--*
Re: Some recommendations on file locations sought
Jack J. Woehr wrote:
> On Sep 20, 2006, at 3:11 PM, John Draper wrote:
>> According to the Apache docs (I couldn't find anything in the OpenBSD
>> Site), they recommend I setup the path to the passwd file in
>>
>>     /usr/local/apache/passwd
>
> Since we're chrooted, how about:
>
>     /var/www/usr/local/apache/passwd
>
> Basic rule of the chrooted server:
>
>     /var/www == /

I'm actually still under development, and am not running it under chrooted environment at present. I might change my mind later, as soon as I know what's up with the rest of the group I'm working with.

Thanx for the path information, this is just what I needed.

John
Re: Some recommendations on file locations sought
Spruell, Darren-Perot wrote:
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>> I looked in the OpenBSD FAQ and documentation area, and cannot seem
>> to find out the best place to keep my apache password files.
>>
>> According to the Apache docs (I couldn't find anything in the OpenBSD
>> Site), they recommend I setup the path to the passwd file in
>>
>> [snip]
>>
>> I'm at a loss on which directory to create my passwd directory...
>> Would I create it in the /usr/lib or the /usr/local, or /usr/sbin, or
>> does it matter?
>
> You'll find nothing because there is no such hard requirement. You can
> configure the path yourself in your .conf file, so they can be in an
> arbitrary location. That said, if you are using the chroot
> configuration (recommended) you'll probably need them under /var/www/.

Ok, This was also recommended by Jack as well, and that's where I'm putting it.

> So since /var/www/conf/ is where the rest of the apache configuration
> lives, you could do a subdirectory under there and use that. Something
> like /var/www/conf/auth/ or whatever you like.

Ok, sounds like a plan.

John
Re: Some recommendations on file locations sought
Jack J. Woehr wrote:
> On Sep 20, 2006, at 3:11 PM, John Draper wrote:
>> According to the Apache docs (I couldn't find anything in the OpenBSD
>> Site), they recommend I setup the path to the passwd file in
>>
>>     /usr/local/apache/passwd
>
> Since we're chrooted, how about:
>
>     /var/www/usr/local/apache/passwd

I checked - I don't have a usr directory in my www directory... Am I supposed to create one? I did find a users directory, and assumed this was just a typo, but when I went to make a passwd in there, I got the following:

    # htpasswd -c /var/www/users/ edp
    /var/www/users/: cannot open file /var/www/users/ for write access
    fopen: Is a directory

Does this mean my permissions are wrong? Is this right? What am I doing wrong?

John
Re: Some recommendations on file locations sought
On Sep 21, 2006, at 12:37 PM, John Draper wrote:
>>     usr/local/apache/passwd
>
> I checked - I don't have a usr directory in my www directory... Am I
> supposed to create one?

Yes, if you use a chroot'ed directory scheme, you just re-create everything from the real directory layout that you happen to need for your application. E.g., I run Ruby sometimes, so I had to create /usr/local/bin, /usr/local/lib, etc. under /var/www

>     # htpasswd -c /var/www/users/ edp

Try 'man htpasswd'

    htpasswd [-c] [-d | -l | -m | -p] passwordfile username
    htpasswd -b [-c] [-d | -l | -m | -p] passwordfile username password
    htpasswd -n [-d | -l | -m | -p] username
    htpasswd -bn [-d | -l | -m | -p] username password

e.g,

    htpasswd /var/www/users/foopasswordfile edp

--
Jack J. Woehr
Director of Development
Absolute Performance, Inc.
[EMAIL PROTECTED]
303-443-7000 ext. 527
Re: Some recommendations on file locations sought
Hi,

This finally works... So ignore that last message.

I first went to conf directory, created an auth directory, and I'm putting it in there.

    htpasswd -c /var/www/conf/auth/passwd edp

    # Here is where I set the permissions..
    chown root.nogroup /var/www/conf/auth/passwd
    chmod 640 /var/www/conf/auth/passwd

Now, I need to setup the httpd.conf entry, and this is what I intend to use... Any comments?

So, I would add this...

    <Directory /var/www/cgi-bin/secure>
        AuthType Basic
        AuthName "Password Required"
        AuthUserFile /var/www/conf/auth/passwd
        Require valid-user
    </Directory>

To my httpd.conf file, right? I think this in effect just tells apache that anything I put into the secure directory, is going to ask for a username (edp) and password I had setup to use via htpasswd. Is this the recommended way to do this?

Then from root, I would do...

    apachectl restart

Thanx
John
Re: Some recommendations on file locations sought
On Thu, Sep 21, 2006 at 11:51:17AM -0700, John Draper wrote:
> Hi,
>
> This finally works... So ignore that last message.
>
> I first went to conf directory, created an auth directory, and I'm
> putting it in there.
>
>     htpasswd -c /var/www/conf/auth/passwd edp
>
>     # Here is where I set the permissions..
>     chown root.nogroup /var/www/conf/auth/passwd
>     chmod 640 /var/www/conf/auth/passwd
>
> Now, I need to setup the httpd.conf entry, and this is what I intend
> to use... Any comments?
>
> So, I would add this...
>
>     <Directory /var/www/cgi-bin/secure>
>         AuthType Basic
>         AuthName "Password Required"
>         AuthUserFile /var/www/conf/auth/passwd
>         Require valid-user
>     </Directory>
>
> To my httpd.conf file, right? I think this in effect just tells apache
> that anything I put into the secure directory, is going to ask for a
> username (edp) and password I had setup to use via htpasswd. Is this
> the recommended way to do this?
>
> Then from root, I would do...
>
>     apachectl restart

Aside from the last command not working when running Apache under chroot, which you should do, yes.

Joachim
Re: Some recommendations on file locations sought
Jack J. Woehr wrote:
> On Sep 21, 2006, at 12:37 PM, John Draper wrote:
>>>     usr/local/apache/passwd
>>
>> I checked - I don't have a usr directory in my www directory... Am I
>> supposed to create one?
>
> Yes, if you use a chroot'ed directory scheme, you just re-create
> everything from the real directory layout that you happen to need for
> your application. E.g., I run Ruby sometimes, so I had to create
> /usr/local/bin, /usr/local/lib, etc. under /var/www

yea I know - I tried it already, but in the interest of just getting the work done so I can get paid, and since at this time, security is not an issue at this time, I'm planning to chroot things later - and by that time, I will know exactly what libraries to move into the chrooted environment.

I'm mostly a Mac Guy, programming in Python (Server work) or Objective C (Client work) and also in C++ in the case where I use Non-Mac Open Source stuff which I can build on the Mac using the normal make stuff. And the GUI stuff I do in Cocoa and Objective C. I can even integrate Objective C code with C++ in same code module - which is kinda neat... I get best of both worlds... I get dynamic binding via Objective C and the power of C++ when I need it.

Seems these suggestions are working - thanx guys..

John
Re: Some recommendations on file locations sought
On 2006/09/21 14:53, John Draper wrote:
> yea I know - I tried it already, but in the interest of just getting
> the work done so I can get paid, and since at this time, security is
> not an issue at this time,

but wait! www.webcrunchers.com says, We are starting new projects relating to computer security [...] 2004.

> I'm planning to chroot things later

If you don't do it now, you'll then have a working site that you'll probably have to break to chroot, so it'll never get done.
Re: Some recommendations on file locations sought
On Sep 20, 2006, at 3:11 PM, John Draper wrote:
> According to the Apache docs (I couldn't find anything in the OpenBSD
> Site), they recommend I setup the path to the passwd file in
>
>     /usr/local/apache/passwd

Since we're chrooted, how about:

    /var/www/usr/local/apache/passwd

Basic rule of the chrooted server:

    /var/www == /

--
Jack J. Woehr
Director of Development
Absolute Performance, Inc.
[EMAIL PROTECTED]
303-443-7000 ext. 527
Re: Some recommendations on file locations sought
John Draper [EMAIL PROTECTED] wrote:
> I looked in the OpenBSD FAQ and documentation area, and cannot seem to
> find out the best place to keep my apache password files.

Somewhere in the chroot dir (/var/www) but not in the actual document root. Stick them in /var/www/conf or make a /var/www/passwd dir if you want, it doesn't matter.

Adam
Re: Some recommendations on file locations sought
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> I looked in the OpenBSD FAQ and documentation area, and cannot seem to
> find out the best place to keep my apache password files.
>
> According to the Apache docs (I couldn't find anything in the OpenBSD
> Site), they recommend I setup the path to the passwd file in
>
> [snip]
>
> I'm at a loss on which directory to create my passwd directory...
> Would I create it in the /usr/lib or the /usr/local, or /usr/sbin, or
> does it matter?

You'll find nothing because there is no such hard requirement. You can configure the path yourself in your .conf file, so they can be in an arbitrary location. That said, if you are using the chroot configuration (recommended) you'll probably need them under /var/www/.

So since /var/www/conf/ is where the rest of the apache configuration lives, you could do a subdirectory under there and use that. Something like /var/www/conf/auth/ or whatever you like.

DS
Re: Some recommendations on file locations sought
John Draper wrote:
> Can someone please make a recommendation, or point me to any docs that
> might be in the OpenBSD Site... the only docs I could find is in the
> FAQ, and it only mentions operation of the server in chrooted mode,
> but nothing on setting it up.

All is ready and the server does already run in chrooted mode.

If you need to put password for your server use by .htaccess for example, you need to make sure you put it in the space accessible by apache in chrooted mode.

So, the default is to be inside /var/www, so you can put your password file(s) there, or you can even add a directory for your own use like /var/www/password and put your password file there in .htpasswd for example.

Just make sure it is accessible by apache, but NOT in the web space of your site(s), meaning if your sites are configured to use /var/www/mysite, then DON'T put your password in that directory or any part of sub of it!

Users accessible web space is not the same as server accessible space.

Then your .htaccess setup would point to that file to check your users or password.

If you have a lot of users, you can also use the dbm feature as well already there too.

Best,
Daniel
Re: Some recommendations on file locations sought
On Wed, 20 Sep 2006, Daniel Ouellet wrote:
> John Draper wrote:
>> Can someone please make a recommendation, or point me to any docs
>> that might be in the OpenBSD Site... the only docs I could find is in
>> the FAQ, and it only mentions operation of the server in chrooted
>> mode, but nothing on setting it up.

Assuming you run more than one virtual site, a good convention is:

    chroot:             /var/www
    Site Home:          /var/www/MySite1
    HTML Docs:          /var/www/MySite1/html
    Logs (if separate)  /var/www/MySite1/logs
    Password file:      /var/www/MySite1/password

Note that the file 'password' is visible to Apache (inside the chroot), but is **NOT** visible to the home directory for that virtual host.

(man htpasswd to manipulate password file)

Lee

Leland V. Lammert [EMAIL PROTECTED]
Chief Scientist
Omnitec Corporation
Network/Internet Consultants
www.omnitec.net