.htpasswd and user permissions

This is posted as a reminder to myself and a heads-up to any readers.

I wanted to password-protect a web directory, so I used sudo to create an .htpasswd file outside the webroot (in the config directory) and an .htaccess in the relevant webroot directory.

And of course, that didn’t work. Apache said “500 error”. As eny fule noes, Apache needs to read the .htpasswd file that root was keeping to itself.

So I did a quick sudo chown www-data:www-data .htpasswd and everything was fine. For a little while, then it wasn’t.

When I looked, some Sympl thing had changed .htpasswd ownership to sympl:sympl. I realised that switching it back to www-data:www-data would be a Sisyphean task, because cron stays up all night.

So I tried a compromise - chown sympl:www-data - that seems to be the sweet spot. It works like that and doesn’t seem to get changed back!


Hmm… Maybe not. It had changed back to sympl:sympl.

So I tried chmod 664, which worked until it was changed again.

Now I’ve admitted defeat and moved .htpasswd from …/config to …/public. Hopefully it’ll stay owned by www-data:www-data there.

Yes, you’ll be safe there. Buried in the Wiki is a description of sympl-filesystem-security. By default this sets everything under …/public to www-data:www-data (unless you make an entry in …/config to specify a different user and group.)

As long as your .htpasswd is not in …/public/htdocs, nobody with a web browser will be able to read it directly.
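The two checks that bit the original poster, written out as an added example (this is not code from the thread or from Sympl): can the web server account actually read the password file given its owner, group and mode, and does the file sit outside the document root? The script builds the layout the thread settles on, .htpasswd in …/public and the protected directory under …/public/htdocs, in a temporary tree. The site path, the user "demo" and password "secret", and the www-data account name are assumptions for the example; the ownership check takes owner/group/mode as arguments because it cannot chown without root.

```shell
#!/bin/sh
# Added example, not from the forum thread. Reproduces the thread's layout in a
# temp dir and checks readability and placement of the .htpasswd file.
set -eu

# Assumed layout: $SITE/public/.htpasswd and $SITE/public/htdocs (document root).
SITE="${SITE:-$(mktemp -d)/srv/example.com}"
WEB_USER=www-data     # account Apache runs as (assumption: Debian default)
WEB_GROUP=www-data

# apache_can_read OWNER GROUP MODE -> 0 if the web server account can read a
# file with that owner, group and octal mode. Applies the POSIX rule: owner
# bits if the owner matches, else group bits if the group matches, else other.
apache_can_read() {
  owner=$1; group=$2; mode=$3
  mode=${mode#"${mode%???}"}        # keep the last three octal digits (0640 -> 640)
  u=${mode%??}                      # owner digit
  g=${mode#?}; g=${g%?}             # group digit
  o=${mode#??}                      # other digit
  if [ "$owner" = "$WEB_USER" ]; then bits=$u
  elif [ "$group" = "$WEB_GROUP" ]; then bits=$g
  else bits=$o
  fi
  [ $(( bits & 4 )) -ne 0 ]         # 4 is the read bit
}

# inside_docroot FILE DOCROOT -> 0 if FILE lives under DOCROOT, i.e. a browser
# could request it unless Apache is configured to deny dotfiles.
inside_docroot() {
  case "$1" in
    "$2"/*) return 0 ;;
    *)      return 1 ;;
  esac
}

# Create the tree: password file one level above htdocs, .htaccess pointing at
# it with an absolute AuthUserFile path.
setup_site() {
  mkdir -p "$SITE/public/htdocs/private"
  if command -v openssl >/dev/null 2>&1; then
    # Apache MD5 (apr1) hash of the constructed password "secret".
    hash=$(printf '%s\n' secret | openssl passwd -apr1 -stdin)
  else
    hash='*'   # placeholder that never matches; replace with `htpasswd -B` output
  fi
  printf 'demo:%s\n' "$hash" > "$SITE/public/.htpasswd"
  chmod 640 "$SITE/public/.htpasswd"   # owner rw, group r, world nothing
  cat > "$SITE/public/htdocs/private/.htaccess" <<EOF
AuthType Basic
AuthName "Private area"
AuthUserFile $SITE/public/.htpasswd
Require valid-user
EOF
}

# Walk through the ownership states from the thread and report each one.
report() {
  for state in "root root 600" "www-data www-data 600" \
               "sympl sympl 640" "sympl www-data 640" "sympl sympl 664"; do
    set -- $state
    if apache_can_read "$1" "$2" "$3"; then verdict=readable; else verdict="500 error"; fi
    printf '%-8s %-8s %s -> %s\n' "$1" "$2" "$3" "$verdict"
  done
  if inside_docroot "$SITE/public/.htpasswd" "$SITE/public/htdocs"; then
    echo "WARNING: .htpasswd is inside the document root"
  else
    echo ".htpasswd is outside the document root"
  fi
}

setup_site
report
```

Ownership alone is not the whole story: sympl:sympl with mode 640 fails just as root:root does, while sympl:sympl with 644 or 664 works, which is why the poster's chmod 664 held until the next run of the reset. Pointing AuthUserFile at an absolute path under …/public (not …/public/htdocs) keeps the hashes off the web while still inside the tree that gets set to www-data:www-data.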