[Techtalk] htaccess and cgi scripts

Maria McKinley maria at shadlen.org
Mon Nov 19 23:46:03 UTC 2007

Thanks Tricia,

Somehow your email got me thinking in a completely different direction, 
and I managed to get rid of the test user error (there is a user test on 
our system, that had an .htaccess that was set up incorrectly), but this 
is actually an unrelated problem, and still having problems with 
security with the cgi user. I think that the problem might be that I 
think that not all of the directories that have files that are being 
called by her cgi scripts have an htaccess file (actually the cgi-bin 
directory itself doesn't have auth stuff in its htaccess, should it?). 
If you are trying to load a page that is password-protected, but the 
page is loading images that are not, would it try to load the images 

I'm thinking she has stuff arranged poorly. I think that she should have 
a separate folder in http for all of the things she wants to be password 
protected, and put all of her cgi stuff in there (including the cgi 
directory?), and have this root directory have an auth htaccess file.

thanks for the help,

Tricia Bowen wrote:
> Maria,
> What's the content of your .htpasswd file? Do you have a user named
> "test" listed there?
> --Tricia
> On Nov 19, 2007 6:10 AM, Maria McKinley <maria at shadlen.org> wrote:
>>Is it possible that it is something in the cgi scripts themselves? Other
>>cgi-scripts run fine, although they are not in the home directories
>>(stuff like mailman). The htaccess files do look fine, and I didn't find
>>any hidden that I didn't already know about. I am perplexed about the
>>user test, but that could also be a red herring.
>>Here is the relevant part of httpd.conf
>><Directory /home/*/http>
>>    AllowOverride FileInfo AuthConfig Limit
>>    Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI
>>        Order allow,deny
>>        Allow from all
>>    </Limit>
>>        Order deny,allow
>>        Deny from all
>>    </Limit>
>>The htaccess file in the user's cgi bin is just:
>>AddHandler cgi-script .cgi
>>And then some proper htaccess with auth stuff in some other http
>>I am using ScriptAlias for the cgi directory, but everything looks fine
>>there, and my other cgi scripts seem fine, although it looks like they
>>do internal error handling.
>>I did notice a config file in /etc/apache/conf.d,
>>/etc/apache/conf.d/php4.conf. I'm not sure what it does, and couldn't
>>find anything about it on the apache web site, and nothing useful with
>>Thanks for any pointers.
>>Adric Net wrote:
>>>It may be  a little tricky to track down. Check not only that
>>>directory but every directory up from it for .htaccess
>>>as they can be anywhere (!) and then double check all the apache
>>>configs (might be more than just httpd.conf).
>>>find /web -type f -name ".htaccess" -exec grep AuthUserFile {} \;
>>>will search the entire tree /web for htaccessfiles and print out the
>>>AuthUserFile lines from all of them that it finds. This will show you
>>>all the htpasswd files you may have to check. Of course if DIgest,
>>>SQL, LDAP, etc Auth are being used you'll need to alter the search a
>>>The username will eventually submit to logic, but I'm less sure that
>>>the redirects will ;) Are you using ScriptAlias for the cgi directory?
>>>That may complicate things some ... Sorry, I am just waking up :/
>>>On Nov 18, 2007, at 5:52 PM, Maria McKinley wrote:
>>>>Hi there,
>>>>I have a user who is using cgi scripts and is using .htpasswd to only
>>>>allow authorized users. For some reason, using the Auth stuff is
>>>>differently in her cgi stuff than in directories with html. In other
>>>>directories, if you hit cancel when given the username and password
>>>>authorization window, you get the 401 Authorization Required window.
>>>>her cgi pages, you don't get an error message, it reloads the page you
>>>>were on, but changes the url to the one you were requesting. So, it
>>>>doesn't load the unauthorized page, but it isn't necessarily clear
>>>>it hasn't. Also, there is at least one page that if I put in the
>>>>url, it
>>>>will load one image, and ask for a password. Every time you hit cancel
>>>>on this page, it attempts to load images (you end up with question
>>>>marks), until all of the question marks are loaded and then it stops
>>>>asking for a password. The htaccess file for the authorization is
>>>>exactly the same as other directories that act properly.
>>>>The only thing strange I have found (and I have not looked at her code
>>>>in detail), are these error messages:
>>>>[Sun Nov 18 14:37:33 2007] [error] [client] user test
>>>>found: /~churchland/lip_samson/lip_samson.html
>>>>[Sun Nov 18 14:37:37 2007] [error] [client] user test
>>>>found: /~churchland/lip_samson/lip_samson.html
>>>>[Sun Nov 18 14:38:20 2007] [error] [client] user test
>>>>found: /~churchland/lip_samson/samsondays/011706/011706_polar.gif
>>>>[Sun Nov 18 14:38:20 2007] [error] [client] user test
>>>>found: /~churchland/lip_samson/samsondays/011706/011706_error.gif
>>>>[Sun Nov 18 14:38:22 2007] [error] [client] user test
>>>>found: /~churchland/lip_samson/samsondays/011706/011706_polar.gif
>>>>I don't know why it is looking for user test, these files are owned by
>>>>churchland, and there is nothing in the html or cgi scripts about an
>>>>user test.
>>>>Any ideas where to look? I didn't see anything weird in httpd.conf.
>>>>Techtalk mailing list
>>>>Techtalk at linuxchix.org
>>>Techtalk mailing list
>>>Techtalk at linuxchix.org
>>Techtalk mailing list
>>Techtalk at linuxchix.org

More information about the Techtalk mailing list