[3066] in WWW Security List Archive
Re: Any known holes in .htaccess/.htpasswd directory security?
daemon@ATHENA.MIT.EDU (Prentiss Riddle)
Wed Sep 25 11:43:41 1996
From: Prentiss Riddle <riddle@is.rice.edu>
To: JOHNAL@attachmate.com (John Allen)
Date: Wed, 25 Sep 1996 08:55:11 -0500 (CDT)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <c=US%a=_%p=Attachmate%l=EXCH-BEL3-960924161320Z-2865@exch-bel1.attachmate.com> from "John Allen" at Sep 24, 96 09:13:20 am
Errors-To: owner-www-security@ns2.rutgers.edu
> From owner-www-security@ns2.rutgers.edu Tue Sep 24 14:01:57 1996
> From: John Allen <JOHNAL@attachmate.com>
> To: "'www-security@ns2.rutgers.edu'" <www-security@ns2.rutgers.edu>
> Subject: Any known holes in .htaccess/.htpasswd directory security?
> Date: Tue, 24 Sep 1996 09:13:20 -0700
>
> As the subject says, are there any known holes in the
> .htaccess/.htpasswd directory security setup? Can't think of any, but my
> ISP won't implement it 'cause they're afraid of potential security
> holes. Thanks!
In terms of security holes that would threaten the integrity of your
ISP's machines, none that I've heard of.
However, there is one small loophole in off-the-shelf NCSA httpd
.htaccess/.htpasswd security which you should bear in mind: while the
.htaccess/.htpasswd mechanism may successfully prevent unauthorized
access to your data via the HTTP protocol, it won't by itself protect
your data from local access by your fellow users at your ISP. Commonly
httpd servers are set up to run under a non-privileged userid so that
they can only see files which are world-readable on the local file
system. It is possible to get around this by playing games with group
permissions (or by running httpd as root, a *bad* idea!) but your ISP
may not want to bother.
If you are serving out highly sensitive data which require
near-bulletproof security, you may need to spend the bucks to get your
ISP to provide you with your own filesystem (or better yet your own
machine).
-- Prentiss Riddle ("aprendiz de todo, maestro de nada") riddle@rice.edu
-- RiceInfo Administrator, Rice University / http://is.rice.edu/~riddle
-- Opinions expressed are not necessarily those of my employer.
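A practical check for the local-access loophole described in the reply above, added here as an example and not part of the original list post or of NCSA httpd: it audits a web tree for .htaccess/.htpasswd files that carry the world-read bit, and tightens them to owner-plus-group access so a server running under an unprivileged uid in the right group can still read them while other local accounts cannot. The group name HTTPD_GROUP, the demo web tree, and the user record in it are my assumptions and constructed data, not anything from the post.

```shell
#!/bin/sh
# Added example, not part of the original list post: audit a web tree for
# .htaccess/.htpasswd files that any local user can read, and optionally
# move them to "owner + httpd group" access (mode 640) so the server, which
# runs as an unprivileged user, still reads them while your fellow users
# on the same machine cannot.
#
# Assumptions (mine, not the post's): the httpd user belongs to the group
# named in HTTPD_GROUP. No such group is assumed to exist on the machine
# running this demo, so it falls back to the invoking user's primary group.
HTTPD_GROUP="${HTTPD_GROUP:-$(id -gn)}"

# Print .htaccess and .htpasswd files under $1 that carry the "other read"
# bit (octal 004), i.e. files every local account can open.
find_world_readable() {
    find "$1" -type f \( -name .htpasswd -o -name .htaccess \) -perm -004
}

# Hand the files to the httpd group and drop world access. Mode 640 keeps
# owner read/write and group read; if the server is NOT in HTTPD_GROUP it
# will no longer be able to open the files and every request will fail
# authentication, so verify group membership before running this for real.
restrict_to_group() {
    find "$1" -type f \( -name .htpasswd -o -name .htaccess \) \
        -exec chgrp "$HTTPD_GROUP" {} + -exec chmod 640 {} +
}

# Build a constructed web tree with the permissive modes most tools leave
# behind (644). The user record is a made-up crypt(3)-style string, not a
# real password hash.
make_demo_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/members"
    printf 'AuthType Basic\nAuthName "Members"\nAuthUserFile %s/members/.htpasswd\nrequire valid-user\n' \
        "$dir" > "$dir/members/.htaccess"
    printf 'alice:aaBB12cc34DDe\n' > "$dir/members/.htpasswd"
    chmod 644 "$dir/members/.htaccess" "$dir/members/.htpasswd"
    printf '%s\n' "$dir"
}

# Usage: sh htpasswd_audit.sh /path/to/web/root          (report only)
#        FIX=1 sh htpasswd_audit.sh /path/to/web/root    (report, then tighten)
# With no argument, run against the constructed demo tree and clean up.
if [ -n "${1:-}" ]; then
    find_world_readable "$1"
    if [ -n "${FIX:-}" ]; then
        restrict_to_group "$1"
    fi
else
    demo=$(make_demo_tree)
    echo "world-readable before:"; find_world_readable "$demo"
    restrict_to_group "$demo"
    echo "world-readable after:";  find_world_readable "$demo"
    rm -rf "$demo"
fi
```

Run it with no argument to see both files reported before the fix and none after; point it at a real web root (with FIX=1 only once you have confirmed the httpd user's group) to tighten your own files. Note that this only closes the loophole the reply describes: any directory component above the files must also deny traversal to other users, and the ISP still has to be willing to set the group up.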