[Techtalk] htaccess and cgi scripts

Tricia Bowen tricia.bowen at gmail.com
Tue Nov 20 14:03:48 UTC 2007


You need a .htaccess file in the images directory of your
protected_images and a .htaccess for your protected_cgi scripts.
Similar to the following:

images/all unprotected images here
images/protected/.htaccess and all protected images

cgi/all unprotected cgis
cgi/protected/.htaccess and all protected scripts
--Tricia

On Nov 19, 2007 6:46 PM, Maria McKinley <maria at shadlen.org> wrote:
> Thanks Tricia,
>
> Somehow your email got me thinking in a completely different direction,
> and I managed to get rid of the test user error (there is a user test on
> our system, that had an .htaccess that was set up incorrectly), but this
> is actually an unrelated problem, and still having problems with
> security with the cgi user. I think that the problem might be that I
> think that not all of the directories that have files that are being
> called by her cgi scripts have an htaccess file (actually the cgi-bin
> directory itself doesn't have auth stuff in its htaccess, should it?).
> If you are trying to load a page that is password-protected, but the
> page is loading images that are not, would it try to load the images
> anyway?
>
> I'm thinking she has stuff arranged poorly. I think that she should have
> a separate folder in http for all of the things she wants to be password
> protected, and put all of her cgi stuff in there (including the cgi
> directory?), and have this root directory have an auth htaccess file.
>
> thanks for the help,
> maria
>
>
> Tricia Bowen wrote:
> > Maria,
> > What's the content of your .htpasswd file? Do you have a user named
> > "test" listed there?
> > --Tricia
> >
> > On Nov 19, 2007 6:10 AM, Maria McKinley <maria at shadlen.org> wrote:
> >
> >>Is it possible that it is something in the cgi scripts themselves? Other
> >>cgi-scripts run fine, although they are not in the home directories
> >>(stuff like mailman). The htaccess files do look fine, and I didn't find
> >>any hidden that I didn't already know about. I am perplexed about the
> >>user test, but that could also be a red herring.
> >>
> >>Here is the relevant part of httpd.conf
> >>
> >><Directory /home/*/http>
> >>    AllowOverride FileInfo AuthConfig Limit
> >>    Options MultiViews Indexes SymLinksIfOwnerMatch ExecCGI
> >>    <Limit GET POST OPTIONS PROPFIND>
> >>        Order allow,deny
> >>        Allow from all
> >>    </Limit>
> >>    <Limit PUT DELETE PATCH PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
> >>        Order deny,allow
> >>        Deny from all
> >>    </Limit>
> >></Directory>
> >>
> >>The htaccess file in the user's cgi bin is just:
> >>
> >>AddHandler cgi-script .cgi
> >>
> >>And then some proper htaccess with auth stuff in some other http
> >>directories.
> >>
> >>I am using ScriptAlias for the cgi directory, but everything looks fine
> >>there, and my other cgi scripts seem fine, although it looks like they
> >>do internal error handling.
> >>
> >>I did notice a config file in /etc/apache/conf.d,
> >>/etc/apache/conf.d/php4.conf. I'm not sure what it does, and couldn't
> >>find anything about it on the apache web site, and nothing useful with
> >>google.
> >>
> >>Thanks for any pointers.
> >>
> >>cheers,
> >>maria
> >>
> >>
> >>Adric Net wrote:
> >>
> >>>Hi,
> >>>
> >>>It may be a little tricky to track down. Check not only that
> >>>directory but every directory up from it for .htaccess
> >>>as they can be anywhere (!) and then double check all the apache
> >>>configs (might be more than just httpd.conf).
> >>>
> >>>find /web -type f -name ".htaccess" -exec grep AuthUserFile {} \;
> >>>
> >>>will search the entire tree /web for htaccess files and print out the
> >>>AuthUserFile lines from all of them that it finds. This will show you
> >>>all the htpasswd files you may have to check. Of course if Digest,
> >>>SQL, LDAP, etc Auth are being used you'll need to alter the search a
> >>>bit.
> >>>
> >>>The username will eventually submit to logic, but I'm less sure that
> >>>the redirects will ;) Are you using ScriptAlias for the cgi directory?
> >>>That may complicate things some ... Sorry, I am just waking up :/
> >>>
> >>>hth,
> >>>adric
> >>>
> >>>
> >>>On Nov 18, 2007, at 5:52 PM, Maria McKinley wrote:
> >>>
> >>>
> >>>>Hi there,
> >>>>
> >>>>I have a user who is using cgi scripts and is using .htpasswd to only
> >>>>allow authorized users. For some reason, using the Auth stuff is working
> >>>>differently in her cgi stuff than in directories with html. In other
> >>>>directories, if you hit cancel when given the username and password
> >>>>authorization window, you get the 401 Authorization Required window. In
> >>>>her cgi pages, you don't get an error message, it reloads the page you
> >>>>were on, but changes the url to the one you were requesting. So, it
> >>>>doesn't load the unauthorized page, but it isn't necessarily clear that
> >>>>it hasn't. Also, there is at least one page that if I put in the url, it
> >>>>will load one image, and ask for a password. Every time you hit cancel
> >>>>on this page, it attempts to load images (you end up with question
> >>>>marks), until all of the question marks are loaded and then it stops
> >>>>asking for a password. The htaccess file for the authorization is
> >>>>exactly the same as other directories that act properly.
> >>>>
> >>>>The only thing strange I have found (and I have not looked at her code
> >>>>in detail), are these error messages:
> >>>>
> >>>>[Sun Nov 18 14:37:33 2007] [error] [client 24.22.172.167] user test not found: /~churchland/lip_samson/lip_samson.html
> >>>>[Sun Nov 18 14:37:37 2007] [error] [client 24.22.172.167] user test not found: /~churchland/lip_samson/lip_samson.html
> >>>>[Sun Nov 18 14:38:20 2007] [error] [client 24.22.172.167] user test not found: /~churchland/lip_samson/samsondays/011706/011706_polar.gif
> >>>>[Sun Nov 18 14:38:20 2007] [error] [client 24.22.172.167] user test not found: /~churchland/lip_samson/samsondays/011706/011706_error.gif
> >>>>[Sun Nov 18 14:38:22 2007] [error] [client 24.22.172.167] user test not found: /~churchland/lip_samson/samsondays/011706/011706_polar.gif
> >>>>
> >>>>I don't know why it is looking for user test, these files are owned by
> >>>>churchland, and there is nothing in the html or cgi scripts about a
> >>>>user test.
> >>>>
> >>>>Any ideas where to look? I didn't see anything weird in httpd.conf.
> >>>>
> >>>>cheers,
> >>>>maria
> >>>>
> >>>>_______________________________________________
> >>>>Techtalk mailing list
> >>>>Techtalk at linuxchix.org
> >>>>http://mailman.linuxchix.org/mailman/listinfo/techtalk
> >>>



-- 
--Tricia
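
An added example, not part of the original thread: a shell audit that extends the `find` one-liner quoted above by walking a web root and listing every directory that no `.htaccess` (its own or an ancestor's) covers with a `Require valid-user`, `Require user` or `Require group` line. The function names, the sample tree and the `.htpasswd` path are constructed for illustration; it assumes `AllowOverride AuthConfig` as in the quoted httpd.conf and does not read `<Directory>` blocks in the server configuration.

```shell
#!/bin/sh
# Added example: report directories under a web root that are NOT covered
# by an auth requirement in their own or an ancestor's .htaccess.
# All names here (has_auth, unprotected_dirs, make_sample) are hypothetical.

# has_auth DIR TOP: succeed if DIR, or any parent up to TOP, has a
# .htaccess with a Require valid-user / user / group directive.
has_auth() {
    _d=$1; _top=$2
    while :; do
        if [ -f "$_d/.htaccess" ] && grep -Eiq \
            '^[[:space:]]*Require[[:space:]]+(valid-user|user|group)' \
            "$_d/.htaccess"; then
            return 0
        fi
        # Stop at the web root (or the filesystem root, as a safety net).
        case $_d in "$_top"|/|.) return 1 ;; esac
        _d=$(dirname "$_d")
    done
}

# unprotected_dirs ROOT: print each uncovered directory, relative to ROOT.
unprotected_dirs() {
    _root=${1%/}
    find "$_root" -type d | sort | while IFS= read -r d; do
        has_auth "$d" "$_root" || printf '%s\n' "${d#"$_root"}/"
    done
}

# make_sample: build a constructed tree matching the layout in the message
# above, plus a cgi/.htaccess that only sets a handler (no auth).
make_sample() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/images/protected/plots" "$t/cgi/protected"
    printf 'AddHandler cgi-script .cgi\n' > "$t/cgi/.htaccess"
    for p in images cgi; do
        printf '%s\n' 'AuthType Basic' 'AuthName "Restricted"' \
            'AuthUserFile /placeholder/path/.htpasswd' \
            'Require valid-user' > "$t/$p/protected/.htaccess"
    done
    printf '%s\n' "$t"
}

tree=$(make_sample)
unprotected_dirs "$tree"
rm -rf "$tree"
```

A page served from a protected directory that pulls images or scripts from any directory this lists will have those resources served without a password prompt.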

