[1788] in WWW Security List Archive
so shoot me now...
daemon@ATHENA.MIT.EDU (Liz Stokes)
Thu Apr 4 17:20:24 1996
From: Liz Stokes <ilaine@panix.com>
To: www-security@ns2.rutgers.edu
Date: Thu, 4 Apr 1996 14:32:05 -0500 (EST)
In-Reply-To: <no.id> from "ilaine" at Apr 4, 96 01:24:07 pm
Errors-To: owner-www-security@ns2.rutgers.edu
ilaine wrote:
> Assuming all the users have a group in common, say, 'users'. Make the
> .htpasswd file owned by group users with group read (write,ex) off. Only
> the browser will be able to read it, and I believe it knows better than to
> hand back the text. Shoot me now if I'm wrong :-)
OK, Apache at least is *not* smart enough not to ship out the passwd
file. However, it's simple enough to keep it in a different directory with a
.htaccess denying GET to anyone and everyone. This does not prevent the
server from using it for passwd checks.
--
Liz Stokes
ilaine@panix.com
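The layout Liz describes, written out as an added example in Apache 2.4 server-config syntax (this is not from the original post or from the Apache project; the paths, the realm name and the use of httpd.conf rather than a per-directory .htaccess are assumptions). It shows the weak placement beside the corrected one and adds the check a practitioner would want: the deny rule covers every HTTP method, not just GET.

```apacheconf
# Added example (not from the original post). Paths are assumptions.

# --- Weak layout: the password file lives under DocumentRoot, so a plain
#     GET /private/.htpasswd returns its contents unless something blocks it.
# DocumentRoot  "/var/www/html"
# AuthUserFile  "/var/www/html/private/.htpasswd"

# --- Corrected layout: keep the file outside DocumentRoot entirely.
#     The server still reads it for Basic auth checks; it just never serves it.
DocumentRoot "/var/www/html"

<Directory "/var/www/html/private">
    AuthType     Basic
    AuthName     "Members Area"
    AuthUserFile "/etc/apache2/auth/.htpasswd"   # not reachable via any URL
    Require valid-user
</Directory>

# Belt and braces: should a copy ever end up under DocumentRoot, refuse to
# serve any .ht* file. A <Files> block with no <Limit> wrapper applies to
# every method (GET, HEAD, POST, ...), so nothing slips past a GET-only rule.
<Files ".ht*">
    Require all denied
</Files>
```

The `Require all denied` directive is the Apache 2.4 form; on the 1.x servers of the thread's era the equivalent was `Order deny,allow` followed by `Deny from all` inside the same block.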