LuKreme wrote:
any file named .ht* is never served by apache, and there's really nowhere else to place the .htdavpass file.
What do you mean there is nowhere else ?What about under /usr/local/www, and name it example.com.davpasswd for instance. At least it would not be directly under your DocumentRoot, in an area potentially accessible by users.
Apache will never serve a file starting with a dot, maybe.But since you have the / locations open to DAV, have you checked if someone (authenticated) can upload a file called .htdavpass ?
Or download it through DAV ? (I don't know the answer, but it might be interesting) Now about the rest : ...The .htdavpass file for the second domain contains the user jeans and a password and was setup with the command
htpasswd -bc /usr/local/www/jenandersontarver.com/.htdavpass jeans <PASSWORD>
but then :
<location />
...
AuthUserFile /usr/local/www/example.net/.htdavpass
So it is not really surprising if user jeans cannot acces a site for
which the password file is not the same as the one user jeans' password
was created in, is it ?
--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|