* Philippe Vogel wrote on Fri, Sep 10, 2004 at 10:31 +0200:
> AuthType Basic
(which means clear text unless https is used, just BTW)
> #use the intended webuser here!
> chown wwwrun:nogroup .ht*
yeah, especially not "nogroup" because that group shouldn't own files.
> chmod o+r .htaccess
> chmod o+r .htpasswd
I must admit that I also dislike o+r, because trivial passwords are quickly cracked when the crypt string is known and many people reuse passwords all over (not only for some web pages where it may not matter). I propose to use <webmaster>:<wwwrun> with mode 0640. However, this depends on whether you have users on the web server, e.g. when they access ~/public_html or such. Those files should of course belong to that user :)
> Now you should have password protected Webfolders. If not, you have to change in the Apache config file which settings can be changed by .htaccess files (there should be an example in the config!).
Yeah, but also take care that by this you don't allow users too much! If they can add FollowSymLinks (instead of symlinks if owner match) they can read files the webserver has access to - and who knows what else :)
> We got a webscript at our university for making .htaccess authentication. You better change .passwd to .htpasswd. Here you find it (German version, but it is self-explanatory):
> http://www.uni-duisburg.de/HRZ/services/alle/internet/www/htaccess/
It is really amazing what people automate... In the past a simple $EDITOR was sufficient for administration, now you need a graphical browser :-) SCNR.

oki,

Steffen

-- 
This letter was generated by machine and therefore bears neither signature nor seal.
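The two points raised in this thread (world-readable .ht* files, and .htaccess files that turn on plain FollowSymLinks) can be checked with a short script. This is an added example, not part of the original message; the function names are hypothetical and the web root to scan is passed as the first argument.

```shell
#!/bin/sh
# Added example: audit .ht* files below a web root given as $1.
# Function names are hypothetical; nothing here comes from the thread itself.

# List .ht* files whose mode grants read access to "other" (the o+r case).
world_readable_ht() {
    find "$1" -type f -name '.ht*' -perm -004 -print
}

# List .htaccess files with an Options line enabling FollowSymLinks.
# "SymLinksIfOwnerMatch" and "-FollowSymLinks" do not match the pattern.
followsymlinks_htaccess() {
    find "$1" -type f -name '.htaccess' -exec \
        grep -Eil '^[[:space:]]*Options[[:space:]](.*[[:space:]])?\+?FollowSymLinks' {} +
}

# Print one line per finding; return 1 if anything was found, 0 if clean.
audit_ht() {
    findings=$( {
        world_readable_ht "$1"       | sed 's/^/world-readable: /'
        followsymlinks_htaccess "$1" | sed 's/^/FollowSymLinks enabled: /'
    } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run the audit only when a directory was given on the command line.
if [ "$#" -gt 0 ]; then
    audit_ht "$1"
fi
```

A non-zero exit status means at least one file needs attention, e.g. tightening it to mode 0640 as proposed above.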