[thelist] Root and .htaccess

Steve Lewis nepolon at worlddomination.net
Mon Jul 21 19:29:46 CDT 2003


Elias Griffin wrote:

>*Now*... as the system stands which is
>the best practice A or B?
Doesn't give us too much choice, but it seems clear to me what the 
answer is.
You want as few people to have root access as possible.

To go a tiny bit further, you probably could invest a small amount of 
time/money to get a SuExec'ed CGI script put together that can add a new 
user to the password file. Then add a new <directory> to apache that 
only allows connections from specific workstations by IP and still 
requires yet another username and password lookup to reach.  Put 
'authorized account managers' in that password file.

Now you won't need to give root access to anyone, Apache will not need 
to run as root, and you have a trusted method (SuExec) for executing a 
single specific command as root that is protected both by htaccess and 
by host IP.

--Steve
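
The access-control part of the setup described above, as an added example that is not part of the original post: an Apache 2.4 `<Directory>` block that requires both an allowed client IP and a login from a separate password file. The directory path, password-file path, realm name and addresses (documentation range 192.0.2.0/24) are assumptions, and the syntax assumes Apache 2.4 with mod_ssl loaded.

```apache
# Constructed example: every path, name and address below is a placeholder.
<Directory "/var/www/cgi-bin/acctmgr">
    # Only the account-management CGI lives here; no per-directory overrides.
    Options +ExecCGI
    AllowOverride None
    SetHandler cgi-script

    # Basic auth sends the password with every request, so refuse plain HTTP.
    SSLRequireSSL

    # Separate password file holding only the authorized account managers.
    AuthType Basic
    AuthName "Account managers"
    AuthBasicProvider file
    AuthUserFile "/etc/apache2/acctmgr.htpasswd"

    # Both conditions must hold. Without <RequireAll>, sibling Require
    # lines are combined as "any", and either the IP match or the login
    # alone would be enough to get in.
    <RequireAll>
        Require ip 192.0.2.10 192.0.2.11
        Require valid-user
    </RequireAll>
</Directory>
```

Keep the password file outside the document root and readable only by the Apache user, so it cannot be fetched over HTTP or edited by other local accounts.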


