Web Password and Group Files for Apache Web Server
-------------------------------------------------------------------------------

WARNING: Web Passwords are NOT secure!!

Note that your web username and password will be sent in every HTTP request
you make to the protected area. This password, while not in plain clear text,
is only binary-to-text (base64) encoded, not encrypted! If anyone can grab the
first packet of your HTTP request (most requests are only one packet) they
have your password! As such Web passwords SHOULD NOT BE YOUR LOGIN PASSWORD!!!!

Note however that web passwords sent over HTTPS (secure HTTP communications)
are encrypted along with the rest of your web request. As such a network
snooper will NOT be able to get your password from a Web server using SSL
encryption.

-------------------------------------------------------------------------------
Using a Web Passwd file for a sub-directory of web pages.

In the www sub-directory you wish to protect, create a ".htaccess" file with
something like these lines...

=======8<--------
#
# Limit access to this directory
#
AuthType Basic
AuthName "Name of Area they need a password for"
AuthDBMUserFile /full/path/to/DBMfile
require valid-user
=======8<--------

Note a full path to the {DBMfile} you created (without any .pag or .dir
suffixes) must be given above.

SECURITY: make sure that the AuthDBMUserFile (whatever you call it) is stored
either outside the document tree of the web server, or under a name starting
with ".ht", which Apache web servers are configured by default never to serve
to clients (check that your server's configuration still has that
restriction). Otherwise clients may be able to download the AuthDBMUserFile
and crack the password hashes offline.

Typically the password database file is named ".htpasswd", which generates
the files ".htpasswd.dir" and ".htpasswd.pag".

The require command above could also specify a specific set of users instead
of any "valid-user" as above.

require user {user}
or
require user {user} {user} {user} ...
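To make the warning above concrete, here is an added example (not part of the
original page, and not Apache code) that builds the Authorization header a
browser sends with Basic authentication and recovers the username and password
from one captured plaintext request. The sample request is constructed for
illustration; the host and path are made up and the credential is the
well-known "Aladdin" / "open sesame" example from RFC 7617.

```python
import base64
import binascii


def build_basic_header(user, password):
    """The Authorization header value a browser sends on every request into
    the protected area: user and password joined by ':' then base64-encoded.
    This is encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_header(header):
    """Recover (user, password) from an Authorization header value.
    Returns None when the value is not a well-formed Basic credential."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")  # what old browsers and servers assumed
    # Only the FIRST colon separates user from password: the user name may
    # not contain one, but the password may.
    user, sep, password = text.partition(":")
    if not sep:
        return None
    return user, password


def credentials_from_request(request_text):
    """Pull the credential out of one captured plaintext HTTP request.
    Header names are case-insensitive, so match them lower-cased."""
    head = request_text.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            return parse_basic_header(value)
    return None


# Constructed sample of the first packet of a request into a protected
# directory.  The credential is the RFC 7617 example "Aladdin" / "open sesame".
SAMPLE_REQUEST = (
    "GET /private/index.html HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
    "User-Agent: Mozilla/4.7\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(credentials_from_request(SAMPLE_REQUEST))  # ('Aladdin', 'open sesame')
```

Anyone on the path between browser and server who sees that one packet over
plain HTTP has the password; only HTTPS keeps the header from them.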
WARNING: if the AuthDBMUserFile is NOT readable by the web server, it does not
know what restrictions you may have in the file. Because of this it will
disallow ALL access to the directory!!!!!

Web designers in CIT can now jump down to the "w3passwd" command below. Other
people in the world can jump down to the Apache-supplied "dbmmanage" command.

-------------------------------------------------------------------------------
Setting up a Web Password file (dbmmanage)

WARNING: On CIT machines a new password management program called
``w3passwd'' is used (see below). Its arguments are similar but not exactly
the same. Use it instead of ``dbmmanage'', the simpler and less useful
Apache-supplied command. Apache also supplies an ``htpasswd'' command, but it
manages flat text password files (used with AuthUserFile), not the DBM files
described here.

-----
Use the perl script /opt/apache/bin/dbmmanage to create the web password
database. For example

dbmmanage {DBMfile} adduser {person} {passwd} [{group}[,{group}]]

Note: the user and password are what will be typed into Netscape and as such
can be whatever you like.

The name of the DBMfile password file is the file name base to use. It will
create two files with ".dir" and ".pag" suffixes. This should be OUTSIDE all
web directories if possible.

The DBMfile name can be anything you like and it can be anywhere; however it
is recommended that it be OUTSIDE the www sub-directory tree, for example in
your primary home directory.

A DBM group file can also be used to allow people to be placed in multiple web
groups, but I have not done this and dbmmanage does not generate DBM group
files.

Other dbmmanage functions

dbmmanage {DBMfile} add {person} {encrypted-passwd} [{group}]
dbmmanage {DBMfile} delete {person}
dbmmanage {DBMfile} view

The encrypted-passwd is in the normal UNIX passwd encryption (crypt) format,
the same format that is hidden from view in the shadow password file.
Any good UNIX programming book will explain how these are generated using
C-library functions (or the Perl functions that link to them).

-------------------------------------------------------------------------------
Setting up a Web Password file (w3passwd)

``w3passwd'' is an enhanced version of the old ``dbmmanage'' program allowing
more control of DBM password files. It allows easy dumping and loading of text
versions of the file into the DBM file, and easier viewing, deleting and
editing, all with appropriate write locks for a multitasking environment.

If you just type the command you will get a summary of options

w3passwd

To first create the password file use (NOTE: {DBMfile} is given WITHOUT any
suffixes, like .dir or .pag, and should match the full file pathname you place
in the ".htaccess" file)

w3passwd {DBMfile} create

Then add users and their passwords with

w3passwd {DBMfile} passwd {user}

At that point w3passwd will ask you to type in the password twice, just as the
normal UNIX passwd program does.

Other command options commonly used...

w3passwd {DBMfile} delete {user}
w3passwd {DBMfile} edit [{user}]
w3passwd {DBMfile} view

-------------------------------------------------------------------------------
Grouping User Access

You can add users to various `groups'. This is useful to allow you to restrict
access to a particular area of the web server to just a few of the users in
the Web Password File currently being used.

Groups may be specified in a separate DBM "groups" file, but this is more
commonly done in the same DBM password file used to provide the password. This
is done by providing a new colon-separated field in the DBM password file
immediately following the user's encrypted password. This field contains a
comma-separated list of all the groups the user belongs to.
EG: DBMkey (IE the user login name) -> {encrypted_password}:{group},{group},{group}:

Any other fields after the comma-separated groups list are ignored by the web
server and can be used for extra user information by other programs. IE it
could be used for things like: last access, last password change, other access
rights, user preferences, etc. This is left up to the various CGI programs to
implement.

To specify the file holding the groups a user belongs to you use...

=======8<--------
AuthDBMGroupFile /full/path/to/DBMfile
=======8<--------

As mentioned, this commonly uses the exact same entry as that for
AuthDBMUserFile, the password file. If you do decide to use a separate DBM
file for the Web Groups, the DBM format is exactly the same as that for the
AuthDBMUserFile but the "password" field is ignored (a value containing no
colon at all is taken to be just the group list).

After adding the above to the ".htaccess" file you can specify which groups
are allowed access, in that same ".htaccess" file or in ".htaccess" files in
lower sub-directories, with this require command...

require group {group}
or
require group {group} {group} {group} ...

Note that the groups in the require line are separated by spaces; commas are
used only inside the DBM file to separate the groups a user belongs to. A
user is allowed in if they belong to ANY one of the listed groups.

w3passwd also has commands to allow you to set the groups users belong to,
which are understood by the Apache server when enabled with the
AuthDBMGroupFile line in the ".htaccess" file. See the Apache server
documentation on the web.

w3passwd {DBMfile} group {user} {group}
or for multiple groups
w3passwd {DBMfile} group {user} {group},{group},...

-------------------------------------------------------------------------------
Web Passwords and CGI scripts

If you run a CGI script in a password-secured area, the script is passed an
extra environment variable ``REMOTE_USER'' which is the username the user gave
when they typed in their password. The CGI script can then use this
information to output information specific to each user, or to record
information for that user. For more information see...
http://www.apache.org/docs/misc/FAQ.html#remote-user-var

There is however no simple way for a CGI script to access the groups a user
belongs to, or to retrieve or update any extra fields in the password file. In
fact there is no simple way to retrieve the location of the DBM password file
currently in effect either. Knowing how to access the file directly from CGI
scripts can be very useful; we have used it to store secondary permissions and
the user's full name for a friendlier interface.

-------------------------------------------------------------------------------
More Information on Web Passwords

For more information on using DBM password files in Apache Web servers look at
the following article from Apache Week...

http://www.apacheweek.com/features/dbmauth

Note that on our site we use the more advanced local perl script w3passwd
instead of the Apache-supplied dbmmanage script.

-------------------------------------------------------------------------------
WARNING: File Permissions

The web server (Apache "httpd") generally runs as the user ``nobody'' for
security reasons. As such ALL files which it must have access to must also be
readable by the user nobody. These files therefore need to be ``world
readable'', which can be done with the command

chmod a+r files...

NOTE: for access, the directory path down to the file must also be accessible!

chmod a+x directories...

and optionally readable for directory listings

chmod a+r directories...

This includes :- html documents, images, the passwd database, and the
.htaccess file.

SECURITY: a world-readable password database can be read by every other user
on the machine, who can then crack the hashes offline. If the server runs as
a dedicated group, prefer giving the database to that group and making it
group-readable (chmod 640) instead of world-readable.

WARNING: if ".htpasswd" is NOT readable by the web server, it does not know
what restrictions you may have in the ".htpasswd" file. Because of this it
will disallow ALL access to the directory!!!!!

Your home directory also needs to be accessible, as well as the WWW directory
"www" or "public_html", depending on your server.
For example (adjust to suit) :-

chmod 644 ~/public_html/.htaccess ~/www_passwd.dir ~/www_passwd.pag
chmod 755 ~/public_html
chmod 711 ~

If you want to restrict access to the data your CGI scripts are handling, then
either a suEXEC program needs to be installed into the Apache web server, OR
your CGI program will need to be SUID to some user or group which does provide
access.

WARNING: SUID can make the security of a CGI program even worse, and break-ins
will then be as the user owning the script and not as "nobody". Use it only
if needed, and then only when you know what you are doing and the risks
involved.

-------------------------------------------------------------------------------
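The DBM record layout from the "Grouping User Access" section and the lookup a
CGI script has to do for itself from the "Web Passwords and CGI scripts"
section, as one added example. This is not code from the original page, nor
from Apache, dbmmanage or w3passwd. The sample records are constructed with
placeholder hash strings (not real crypt() output); the layout of the extra
fields (full name, then a last-change date) is this example's own assumption,
as is using Python's dbm.ndbm module to open the real file.

```python
# Constructed sample of what the combined DBM password/group file holds:
# key = login name, value = "{crypt_hash}:{group},{group}:{extra}:{extra}".
# The hash strings are placeholders, not real crypt() output, and the layout
# of the extra fields (full name, then a last-change date) is this example's
# own choice; the server ignores everything after the group list.
SAMPLE_DBM = {
    "alice": "$1$salt$fakehash1:staff,admin:Alice Example:2001-03-14",
    "bob":   "$1$salt$fakehash2:staff:Bob Example",
    "carol": "$1$salt$fakehash3",                 # no group field at all
    "dave":  "$1$salt$fakehash4::Dave Example",   # empty group field
}


def open_password_file(path):
    """Open Apache's real DBM file read-only, by the base name given to
    AuthDBMUserFile (no .dir/.pag suffix).  Assumes an ndbm-built file, which
    is what dbmmanage/w3passwd produce; the result is a bytes->bytes mapping
    usable wherever SAMPLE_DBM is used below."""
    import dbm.ndbm
    return dbm.ndbm.open(path, "r")


def lookup(db, user):
    """Fetch a user's raw record.  Real dbm objects return bytes, the sample
    dict returns str; normalise to str (Apache treats the value as text)."""
    for key in (user, user.encode("utf-8")):
        try:
            value = db[key]
        except (KeyError, TypeError):
            continue
        return value.decode("utf-8") if isinstance(value, bytes) else value
    return None


def parse_record(value):
    """Split a record into (crypt_hash, groups, extras) the way the server
    reads it: everything up to the first ':' is the password hash, the
    second field is a comma-separated group list, the rest is ignored."""
    fields = value.split(":")
    crypt_hash = fields[0]
    groups = [g for g in fields[1].split(",") if g] if len(fields) > 1 else []
    extras = fields[2:]
    return crypt_hash, groups, extras


def user_groups(db, user):
    """Groups a user belongs to; [] when the user is absent or has none."""
    record = lookup(db, user)
    return parse_record(record)[1] if record is not None else []


def require_group(db, user, wanted):
    """Mirror `require group g1 g2 ...`: access is granted if the user is in
    ANY one of the listed groups."""
    return any(g in wanted for g in user_groups(db, user))


def cgi_user_info(db, environ):
    """What a CGI script in the protected area has to do for itself: the
    server sets REMOTE_USER, but groups and the extra fields have to be read
    out of the DBM file by the script."""
    user = environ.get("REMOTE_USER")
    if not user:
        return None                 # not in a password-protected area
    record = lookup(db, user)
    if record is None:
        return None                 # user vanished from the file since login
    _, groups, extras = parse_record(record)
    return {
        "user": user,
        "groups": groups,
        "fullname": extras[0] if extras and extras[0] else None,
        "changed": extras[1] if len(extras) > 1 else None,
    }


if __name__ == "__main__":
    # Stand-in for the CGI environment; under Apache this is os.environ.
    print(cgi_user_info(SAMPLE_DBM, {"REMOTE_USER": "alice"}))
```

Under Apache the script would call
cgi_user_info(open_password_file("/full/path/to/DBMfile"), os.environ); the
path has to be hard-coded or configured in the script itself, since, as noted
above, the server does not pass it on.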