Received: (qmail 73955 invoked by uid 501); 11 May 2001 03:28:41 -0000 Message-Id: <20010511032841.73951.qmail@apache.org> Date: 11 May 2001 03:28:41 -0000 From: Jason Nichols Reply-To: jedimaster@jcubed.com To: submit@bugz.apache.org Subject: .htaccess is using /etc/passwd as AuthUserFile despite definition in .htaccess file X-Send-Pr-Version: 3.110 >Number: 7699 >Category: mod_auth-any >Synopsis: .htaccess is using /etc/passwd as AuthUserFile despite definition in .htaccess file >Confidential: no >Severity: serious >Priority: medium >Responsible: apache >State: closed >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Thu May 10 20:30:00 PDT 2001 >Closed-Date: Thu May 10 21:24:58 PDT 2001 >Last-Modified: Thu May 10 21:24:58 PDT 2001 >Originator: jedimaster@jcubed.com >Release: 1.3.9 >Organization: >Environment: Linux ns.jcubed.com 2.2.17-14 #1 Mon Feb 5 17:53:36 EST 2001 i686 unknown [root@ns members]# telnet jcubed.com 80 Trying 66.33.50.171... Connected to jcubed.com. Escape character is '^]'. HEAD / HTTP1.0/OK HTTP/1.1 200 OK Date: Fri, 11 May 2001 03:22:34 GMT Server: Apache/1.3.9 (Unix) (Red Hat/Linux) PHP/3.0.12 Connection: close Content-Type: text/html Connection closed by foreign host. [root@ns members]# >Description: The .htaccess file is not using the supplied AuthUserFile to get usernames/passwords. It is reverting to the /etc/passwd file on the system. Here is how my .htaccess file looks ############################## AuthName "J Cubed Sandbox Members Area" AuthType Basic AuthUserFile "/home/jason/members/Sandbox" Require valid-user ############################## Here is the entry for this directory: ############################## Options All AllowOverride All ############################## I created the password file, /home/jason/members/Sandbox using htpasswd to create a user 'test'. This user did not work. To make sure it was reading the correct file, I copied the /etc/passwd file over Sandbox. I could access the directory with any user I had on the system. I used htpasswd to add the 'test' user to this file. It would not work. I used htpasswd to change the password of an existing user. The new password would not work, but the system password would still grant me access. >How-To-Repeat: http://sandbox.jcubed.com/members >Fix: >Release-Note: >Audit-Trail: State-Changed-From-To: open-closed State-Changed-By: slive State-Changed-When: Thu May 10 21:24:57 PDT 2001 State-Changed-Why: Please download and compile Apache directly from http://www.apache.org/dist/ Apache as distributed from this site never has and never will authenticate out of /etc/passwd. However, some hacked versions of Apache distributed by other vendors may do this. In particular, I have seen reports of the Cobalt Cube version of Apache being modified to authenticate from /etc/passwd. Thanks for using Apache! >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]