[Techtalk] htaccess and cgi scripts

Maria McKinley maria at shadlen.org
Wed Nov 21 02:15:03 UTC 2007


Thanks Tricia,

Looks like this will take care of it, thanks. I originally got confused 
about where the problem was, because I had caused some other problems 
with her site by changing stuff in httpd.conf.

~maria

Tricia Bowen wrote:
> You need a .htaccess file in the images directory of your
> protected_images and a .htaccess for your protected_cgi scripts.
> Similar to the following:
> 
> images/all unprotected images here
> images/protected/.htaccess and all protected images
> 
> cgi/all unprotected cgis
> cgi/protected/.htaccess and all protected scripts
> --Tricia
> 
> On Nov 19, 2007 6:46 PM, Maria McKinley <maria at shadlen.org> wrote:
>> Thanks Tricia,
>>
>> Somehow your email got me thinking in a completely different direction,
>> and I managed to get rid of the test user error (there is a user test on
>> our system, that had an .htaccess that was set up incorrectly), but this
>> is actually an unrelated problem, and still having problems with
>> security with the cgi user. I think that the problem might be that I
>> think that not all of the directories that have files that are being
>> called by her cgi scripts have an htaccess file (actually the cgi-bin
>> directory itself doesn't have auth stuff in its htaccess, should it?).
>> If you are trying to load a page that is password-protected, but the
>> page is loading images that are not, would it try to load the images
>> anyway?
>>
>> I'm thinking she has stuff arranged poorly. I think that she should have
>> a separate folder in http for all of the things she wants to be password
>> protected, and put all of her cgi stuff in there (including the cgi
>> directory?), and have this root directory have an auth htaccess file.
>>
>> thanks for the help,
>> maria
>>
>>
>> Tricia Bowen wrote:
>>> Maria,
>>> What's the content of your .htpasswd file? Do you have a user named
>>> "test" listed there?
>>> --Tricia
>>>
>>> On Nov 19, 2007 6:10 AM, Maria McKinley <maria at shadlen.org> wrote:
>>>
>>>> Is it possible that it is something in the cgi scripts themselves? Other
>>>> cgi-scripts run fine, although they are not in the home directories
>>>> (stuff like mailman). The htaccess files do look fine, and I didn't find
>>>> any hidden that I didn't already know about. I am perplexed about the
>>>> user test, but that could also be a red herring.
>>>>
>>>> Here is the relevant part of httpd.conf
>>>>
>>>> <Directory /home/*/http>
>>>>    AllowOverride FileInfo AuthConfig Limit
>>>>    Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI
>>>>    <Limit GET POST OPTIONS PROPFIND>
>>>>        Order allow,deny
>>>>        Allow from all
>>>>    </Limit>
>>>>    <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
>>>>        Order deny,allow
>>>>        Deny from all
>>>>    </Limit>
>>>> </Directory>
>>>>
>>>> The htaccess file in the user's cgi bin is just:
>>>>
>>>> AddHandler cgi-script .cgi
>>>>
>>>> And then some proper htaccess with auth stuff in some other http
>>>> directories.
>>>>
>>>> I am using ScriptAlias for the cgi directory, but everything looks fine
>>>> there, and my other cgi scripts seem fine, although it looks like they
>>>> do internal error handling.
>>>>
>>>> I did notice a config file in /etc/apache/conf.d,
>>>> /etc/apache/conf.d/php4.conf. I'm not sure what it does, and couldn't
>>>> find anything about it on the apache web site, and nothing useful with
>>>> google.
>>>>
>>>> Thanks for any pointers.
>>>>
>>>> cheers,
>>>> maria
>>>>
>>>>
>>>> Adric Net wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> It may be a little tricky to track down. Check not only that
>>>>> directory but every directory up from it for .htaccess
>>>>> as they can be anywhere (!) and then double check all the apache
>>>>> configs (might be more than just httpd.conf).
>>>>>
>>>>> find /web -type f -name ".htaccess" -exec grep AuthUserFile {} \;
>>>>>
>>>>> will search the entire tree /web for htaccess files and print out the
>>>>> AuthUserFile lines from all of them that it finds. This will show you
>>>>> all the htpasswd files you may have to check. Of course if Digest,
>>>>> SQL, LDAP, etc Auth are being used you'll need to alter the search a
>>>>> bit.
>>>>>
>>>>> The username will eventually submit to logic, but I'm less sure that
>>>>> the redirects will ;) Are you using ScriptAlias for the cgi directory?
>>>>> That may complicate things some ... Sorry, I am just waking up :/
>>>>>
>>>>> hth,
>>>>> adric
>>>>>
>>>>>
>>>>> On Nov 18, 2007, at 5:52 PM, Maria McKinley wrote:
>>>>>
>>>>>
>>>>>> Hi there,
>>>>>>
>>>>>> I have a user who is using cgi scripts and is using .htpasswd to only
>>>>>> allow authorized users. For some reason, using the Auth stuff is working
>>>>>> differently in her cgi stuff than in directories with html. In other
>>>>>> directories, if you hit cancel when given the username and password
>>>>>> authorization window, you get the 401 Authorization Required window. In
>>>>>> her cgi pages, you don't get an error message, it reloads the page you
>>>>>> were on, but changes the url to the one you were requesting. So, it
>>>>>> doesn't load the unauthorized page, but it isn't necessarily clear that
>>>>>> it hasn't. Also, there is at least one page that if I put in the url, it
>>>>>> will load one image, and ask for a password. Every time you hit cancel
>>>>>> on this page, it attempts to load images (you end up with question
>>>>>> marks), until all of the question marks are loaded and then it stops
>>>>>> asking for a password. The htaccess file for the authorization is
>>>>>> exactly the same as other directories that act properly.
>>>>>>
>>>>>> The only thing strange I have found (and I have not looked at her code
>>>>>> in detail), are these error messages:
>>>>>>
>>>>>> [Sun Nov 18 14:37:33 2007] [error] [client 24.22.172.167] user test not found: /~churchland/lip_samson/lip_samson.html
>>>>>> [Sun Nov 18 14:37:37 2007] [error] [client 24.22.172.167] user test not found: /~churchland/lip_samson/lip_samson.html
>>>>>> [Sun Nov 18 14:38:20 2007] [error] [client 24.22.172.167] user test not found: /~churchland/lip_samson/samsondays/011706/011706_polar.gif
>>>>>> [Sun Nov 18 14:38:20 2007] [error] [client 24.22.172.167] user test not found: /~churchland/lip_samson/samsondays/011706/011706_error.gif
>>>>>> [Sun Nov 18 14:38:22 2007] [error] [client 24.22.172.167] user test not found: /~churchland/lip_samson/samsondays/011706/011706_polar.gif
>>>>>>
>>>>>> I don't know why it is looking for user test, these files are owned by
>>>>>> churchland, and there is nothing in the html or cgi scripts about a
>>>>>> user test.
>>>>>>
>>>>>> Any ideas where to look? I didn't see anything weird in httpd.conf.
>>>>>>
>>>>>> cheers,
>>>>>> maria
>>>>>>
>>>>>> _______________________________________________
>>>>>> Techtalk mailing list
>>>>>> Techtalk at linuxchix.org
>>>>>> http://mailman.linuxchix.org/mailman/listinfo/techtalk
>>>>
>>>
>>>
>>>
>>
> 
> 
> 
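
An added example, not part of the thread: a script that walks a web root and reports which directories are covered by an `.htaccess` `Require` directive, either their own or one inherited from a parent, so that unprotected directories holding images or data used by protected pages stand out. It assumes all access control lives in `.htaccess` files under the root (it does not read `httpd.conf` or check `AllowOverride`), treats any `Require` line as protection, and uses a constructed demo tree with a placeholder `AuthUserFile` path.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): per-directory auth coverage report.
# Assumption: protection is expressed only via "Require" lines in .htaccess files.

# Print the nearest .htaccess, walking up from DIR to ROOT, that has a Require line.
covering_htaccess() {
    local root="$1" dir="$2"
    while :; do
        if [ -f "$dir/.htaccess" ] &&
           grep -Eiq '^[[:space:]]*Require[[:space:]]' "$dir/.htaccess"; then
            printf '%s\n' "$dir/.htaccess"
            return 0
        fi
        if [ "$dir" = "$root" ] || [ "$dir" = "/" ]; then return 1; fi
        dir=$(dirname "$dir")
    done
}

# One line per directory: "PROTECTED <dir> <covering file>" or "OPEN <dir>".
audit_tree() {
    local root="${1%/}" dir cover
    find "$root" -type d | sort | while IFS= read -r dir; do
        if cover=$(covering_htaccess "$root" "$dir"); then
            printf 'PROTECTED %s %s\n' "${dir#"$root"}/" "${cover#"$root"/}"
        else
            printf 'OPEN %s\n' "${dir#"$root"}/"
        fi
    done
}

# Constructed sample tree following the layout suggested in the thread.
make_demo_tree() {
    local root="$1" d
    mkdir -p "$root/images/protected" "$root/cgi/protected/data"
    printf 'AddHandler cgi-script .cgi\n' > "$root/cgi/.htaccess"   # handler only, no auth
    for d in images/protected cgi/protected; do
        printf 'AuthType Basic\nAuthName "Lab"\nAuthUserFile /placeholder/.htpasswd\nRequire valid-user\n' \
            > "$root/$d/.htaccess"
    done
}

demo=$(mktemp -d)
make_demo_tree "$demo"
audit_tree "$demo"
rm -rf "$demo"
```

In the demo tree, `cgi/` is reported as OPEN even though it has an `.htaccess`, because that file only sets a handler, while `cgi/protected/data/` is reported as PROTECTED through the `.htaccess` inherited from its parent.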

