[thelist] Root and .htaccess

Elias Griffin essenceblue at fastmail.fm
Mon Jul 21 22:58:02 CDT 2003


I'll say this again and I should have expected this but - this is not
the system I would design or keep and I'm not looking for suggestions on
how to improve it. Going forward I am not going to use .htaccess at all
so any suggestions to that end are wasted. It was kind of loaded
question (sorry) but the answer I wanted is just as I presented and it
is valid for me just as I described it I swear. Basically a question of
system security and data normalcy if you want to break it down. Try to
take the question at face value if you can.

Essence Blue

-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Keith
Sent: Monday, July 21, 2003 10:53 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] Root and .htaccess


At 08:01 PM Monday 7/21/2003, you wrote:

>we have a .htaccess file in the main directory of the site that points 
>to a users file containing all usernames and shadowed passwords. You 
>add users to this list by logging on to root and executing the 
>_htpasswd_ command with the proper parameters.

Both A & B are BAD practice IMHO.

Never give root access to someone who is not a principal in the company
or the superuser employee. It's not just bad security, it's a really bad
business practice. Ask the owner, "When things go bump in the night, and
they do, do you want to suspect an employee or find the problem?"

You do not need root access to create a password. Linux and Perl use the
same MD5 crypt() function to encrypt passwords. Your .htaccess file does
not need to read the username:password from the usertable for Linux
access. In fact, that's why .htpasswd exists, for basic authentication
you simply put the .htpasswd file in the same directory as your
.htaccess file. In your .htaccess file tell it where to find the
password file with:

AuthUserFile  /absolute_path_to/protected_directory/.htpasswd

To keep the .htpasswd file private add

<files .ht*>
Order allow,deny
Deny from all
</files>

to your .htaccess file. That denies access to the file via the browser,
and makes it just as secure as the Linux password file (which can be
read by any user on the box).

Create an HTML form with two fields: name=user & name=password

Submit to the following Perl script with POST method (you don't want
that password value hanging around in a query string in the location
field, history, etc)

=================================================
#!/usr/bin/perl
use strict;
use warnings;

my $htpasswd_file = "protected_directory/.htpasswd";

# Read the POSTed form body and decode it into a hash of field => value
my $input = '';
read(STDIN, $input, $ENV{'CONTENT_LENGTH'} || 0);
my %form;
foreach my $pair (split(/&/, $input)) {
   my ($name, $value) = split(/=/, $pair, 2);
   $value = '' unless defined $value;
   $value =~ tr/+/ /;   # '+' means space in form encoding; undo it before %XX escapes
   $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
   $value =~ s/~!/ ~!/g;
   # Refuse shell metacharacters rather than write them into the password file
   if ($value =~ /[;><\*`\|]/) { exit }
   $form{$name} = $value;
}

my $user     = $form{'user'};
my $password = $form{'password'};
# A ':' or whitespace in the username would corrupt the user:password line
exit unless defined $user && defined $password && $user !~ /[:\s]/;

# Salt is the first two characters of the username, as posted
my $salt = substr($user, 0, 2);
my $PASSWORD = crypt($password, $salt);

# Append the new entry; the filename comes from $htpasswd_file above
open(my $ht, '>>', $htpasswd_file) or die "Cannot open $htpasswd_file: $!";
print $ht "$user:$PASSWORD\n";
close($ht);

print "Content-type: text/html\n\n";
print "USER $user was added";

======================================================

Unless you are going to have more than 1,000 users on this one .htpasswd
file, don't waste your time and your client's money databasing the user
names. I run up to 5,000 per .htpasswd before beginning to see any
degradation. But keep this in mind when deciding whether to database or
not, every request made to a Basic Authentication directory goes through
authentication. A page with 5 images inside that directory tree gets 6
authentications - put the images outside that tree unless they are what
you are protecting.

FWIW, the above layout of putting the .htaccess and .htpasswd file in
the same directory passes both VISA and HIPAA security requirements.


Keith
====================
cache at dowebscentral.com
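An added example, not from Keith's post: a Python version of the add-user step that does the checks his Perl script skips (username validation, duplicate detection, an atomic rewrite of the file). The file path and the `{SHA}` entry format are my choices; `{SHA}` is one of the formats Apache's htpasswd tool writes and mod_authn_file reads.

```python
import base64
import hashlib
import os
import re
import tempfile

# Only plain printable names: a ':' or whitespace would corrupt the user:hash line.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")

def sha_entry(password: str) -> str:
    """Apache's '{SHA}' scheme: base64 of the raw SHA-1 digest.
    Unsalted, so prefer bcrypt (htpasswd -B) where the server supports it."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def parse_htpasswd(text: str) -> dict:
    """Map user -> stored hash, splitting on the first ':' only."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, _, stored = line.partition(":")
            users[user] = stored
    return users

def add_user(path: str, user: str, password: str, replace: bool = False) -> dict:
    """Add (or, with replace=True, update) a user and return the new table."""
    if not USERNAME_RE.match(user):
        raise ValueError("invalid username")
    if not password:
        raise ValueError("empty password")
    users = {}
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            users = parse_htpasswd(fh.read())
    if user in users and not replace:
        raise ValueError("user already exists")
    users[user] = sha_entry(password)
    # Write a temp file beside the original and rename over it, so a crash never
    # leaves a truncated .htpasswd that locks every user out.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write("".join(f"{u}:{h}\n" for u, h in users.items()))
    os.chmod(tmp, 0o640)
    os.replace(tmp, path)
    return users
```

Run it as the account that owns the protected directory; as Keith says, no root login is needed to add a user.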
