[1787] in WWW Security List Archive
Re: Is password good enough?
daemon@ATHENA.MIT.EDU (Liz Stokes)
Thu Apr 4 16:02:01 1996
From: Liz Stokes <ilaine@panix.com>
To: riddle@is.rice.edu (Prentiss Riddle)
Date: Thu, 4 Apr 1996 13:24:07 -0500 (EST)
Cc: robertm@teleport.com, www-security@ns2.rutgers.edu,
jazayeri@hpcc117.corp.hp.com
In-Reply-To: <199604041425.IAA05286@is.rice.edu> from "Prentiss Riddle" at Apr 4, 96 08:25:10 am
Errors-To: owner-www-security@ns2.rutgers.edu
Prentiss Riddle wrote:
>
> Also, if you have many users with shell access they can probably look
> directly (bypassing HTTP) at whatever files you're protecting with
> password access. (Assuming you run your web server as "nobody" or some
> other low-privileged pseudouser.) So password access control may be of
> limited usefulness within an organization, at least in an environment
> where many people have accounts on your server box.
Assuming all the users have a group in common, say, 'users', make the
.htpasswd file owned by group users with group read (write, ex) off. Only
the browser will be able to read it, and I believe it knows better than to
hand back the text. Shoot me now if I'm wrong :-)
--
Liz Stokes
ilaine@panix.com
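The file-permission approach discussed in this thread, as an added example that is not part of the original post or of any project: a POSIX shell script that removes world-read access from an .htpasswd file and verifies the result. The group name taken as the second argument (a placeholder standing in for whatever group the web server process runs under), the sample user entry and its placeholder hash are all assumptions made for the demo; the group change needs privilege and is reported but not treated as fatal when it cannot be applied.

```shell
#!/bin/sh
# Added example (not from the original thread): lock down an .htpasswd file so
# that only its owner and one group can read it, then verify that the
# world-read bit is gone. Assumes ls/chmod/chgrp from coreutils or BSD userland.

# Symbolic permission string of a file, e.g. "-rw-r-----"; cut -c1-10 drops any
# trailing ACL/SELinux marker some ls implementations append.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Restrict FILE to owner read/write and group read; no access for others.
# GROUP is optional and is a placeholder for the web server's group; chgrp
# needs privilege or membership, so a failure is noted rather than fatal.
lock_htpasswd() {
    file=$1
    group=${2:-}
    chmod 0640 "$file" || return 1
    if [ -n "$group" ]; then
        chgrp "$group" "$file" 2>/dev/null \
            || echo "note: could not chgrp $file to $group (needs privilege)" >&2
    fi
    return 0
}

# Returns 0 when the other-read bit is off, 1 when anyone on the box can read it.
world_unreadable() {
    case "$(perm_string "$1")" in
        ???????r??) return 1 ;;   # position 8 is the other-read bit
        *)          return 0 ;;
    esac
}

demo() {
    tmp=$(mktemp -d)
    f="$tmp/.htpasswd"
    # Constructed sample entry; the hash field is a placeholder, not a real credential.
    printf 'alice:PLACEHOLDER_HASH\n' > "$f"
    chmod 0644 "$f"                  # the typical default: readable by every shell user
    before=$(perm_string "$f")
    lock_htpasswd "$f" ""            # no group change in the demo
    after=$(perm_string "$f")
    echo "before: $before  after: $after"
    world_unreadable "$f" && echo "other users can no longer read $f"
    rm -rf "$tmp"
}
demo
```

The mode alone is only half of the check: after locking the file down, confirm that the account or group the web server actually runs as is the one keeping read access, since a file the server cannot open protects nothing.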