On 11-Nov-2009, at 18:04, André Warnier wrote: > LuKreme wrote: >> any file named .ht* is never served by apache, and there's really nowhere else to place the .htdavpass file. > What do you mean there is nowhere else ? > What about under /usr/local/www, and name it example.com.davpasswd for instance. At least it would not be directly under your DocumentRoot, in an area potentially accessible by users. It's SUPPOSED to be accessible to the users. It's THEIR web space. If they want to change the webDAV passwords they are free to do so. However, I have to admit that currently there's no method for them to do so (I keep meaning to get around to setting something up). > Apache will never serve a file starting with a dot, maybe. > But since you have the / locations open to DAV, have you checked if someone (authenticated) can upload a file called .htdavpass ? > Or download it through DAV ? It doesn't show up at all via webDAV and the file is owned by root, so no, there is no way for them to change it. > AuthUserFile /usr/local/www/example.net/.htdavpass > > So it is not really surprising if user jeans cannot acces a site for which the password file is not the same as the one user jeans' password was created in, is it ? I simply forgot to obfuscate the domain in question on the htpass line. The paths are identical (and copied and pasted). Also, I am not getting a password error, I am getting [error] [client 71.229.144.93] client denied by server configuration: /usr/local/www/example.net/ -- Humans are always slightly lost. It's a basic characteristic. It explains a lot about them. --Lords and Ladies --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|