Re: [cobalt-security] no longer need password



Hi Kai,

> A few weeks ago I restored a raq4r and it was done without too much
> difficulty. But there are about 160 sites on that server, and most of
> them have something wrong in .htaccess or something. They no longer
> need password looking at stats 

My first suspicion would be that some permissions got screwed up when
you restored the websites back onto the server.

The question is also which Webalizer package you use. There are several
Webalizer PKGs available, with different implementations of where the
stats directory is located.

One places the stats in /home/sites/siteXX/web/stats/ and the other one
in /home/sites/siteXX/users/stats/web/

The latter implementation might have problems if the .htaccess file in
the web directory is owned by someone other than the person who owns that
"user" directory, I assume.

However, there might be one very easy way to fix this in one go:
Webalizer re-creates the .htaccess files each run - if they do not
already exist. So what you could do is to run a search on /home/sites/
to locate all .htaccess files and to delete those belonging to
Webalizer. Make sure you do not outright delete all of 'em, because
FrontPage and/or your users might have created a few extras.

Some shell wizards on the list might strangle me for the suggestion, but
for this kind of search and replace I'd suggest "Midnight Commander". It
has a nice search function which panelizes the search result and makes
it easy to find, tag and delete just the right files.

You can grab the RPM here: 

ftp://fr2.rpmfind.net/linux/redhat/6.2/en/os/i386/RedHat/RPMS/mc-4.5.42-10.i386.rpm


It will install fine on a RaQ4. On a RaQ3 you'll need the RPM for gpm as
well. You'll need a telnet or SSH client which supports use of the
F-keys (F1-F10) to properly use Midnight Commander. To start the
program just type "mc" once the RPM is installed.

> and when trying to password protect a directory using
> .htaccess file the server acts like there is no password protection.

Could be a syntax error in the .htaccess file or a permission problem
with the .htaccess file.

> The weird thing is that some sites are ok, and on some of the others
> you get asked for password when entering stats, but it also accepts
> username and password taken from sites located nearby and gives them
> access.

Does the .htaccess file ask for a specific username, or does it check
for memberships in a specific group? Look at the .htaccess file in an
editor to find that information.

Here is a sample .htaccess file, which will only allow one specific user
access:

# Any client address may connect; the require line still demands a login.
order allow,deny
allow from all
# Only this one username is accepted, regardless of group memberships.
require user admin
AuthName Cobalt
AuthType Basic
# AuthUserFile (the password database) is not shown in the mail; assumed
# to be set elsewhere in the server config for the site.

The one below will allow all valid users from a specific group:

# Any client address may connect; the require line still demands a login.
order allow,deny
allow from all
# Any user listed as a member of group "site11" is accepted, so the group
# name must match the site the file now belongs to.
require group site11
AuthName Cobalt
AuthType Basic
# AuthUserFile and AuthGroupFile are not shown in the mail; assumed to be
# set elsewhere in the server config for the site.

If you restored your websites from a backup and the site uses this
authentication scheme, then you've got problems.

Example: www.customer-one.com used to be site11 on the old server.

Now, after the restore of the backup it's site34. But it still has the
.htaccess file in it, which will allow only valid members from site11 to
see the stats.

So check your .htaccess files to see what kind of authentication you
have in there. If it asks for "group" and not a specific username, then
you're screwed and have to either fix 'em all manually, or you delete
'em all and wait for Webalizer to recreate the .htaccess files upon its
next run.

-- 
With best regards,

Michael Stauber
SOLARSPEED.NET
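Added example, not part of Michael's mail and not Cobalt's or Webalizer's own tooling: a small POSIX shell audit for the stale-group problem described above. It walks a /home/sites-style tree, reports every .htaccess whose "require group siteNN" names a site other than the siteNN directory the file sits in, and can rewrite a stale group once you have checked the file. It goes a little beyond the mail in that it also handles the user-based variant (which it correctly leaves alone). The siteNN directory naming, the two stats locations and the sample .htaccess contents come from the mail; the root directory argument, the function names and the constructed sample tree are assumptions.

```sh
#!/bin/sh
# Audit helper (added example, not from the original mail). Reports only;
# it deletes nothing. Layout assumed as in the mail:
#   ROOT/siteNN/web/stats/.htaccess  or  ROOT/siteNN/users/stats/web/.htaccess

# Print the siteNN directory a file lies under, relative to ROOT
# (empty if the first path component is not a siteNN directory).
site_of_path() {
    root="$1"; f="$2"
    rel="${f#"$root"/}"
    site="${rel%%/*}"
    case "$site" in
        site[0-9]*) printf '%s\n' "$site" ;;
        *) printf '\n' ;;
    esac
}

# Print the group named by the first "require group <name>" line in FILE,
# or nothing if the file requires a user instead (or has no require line).
# Apache directive names are case-insensitive, so compare lower-cased.
require_group_of() {
    awk 'tolower($1) == "require" && tolower($2) == "group" { print $3; exit }' "$1"
}

# audit_htaccess ROOT: one line per mismatch, "<file> group=<g> site=<s>".
audit_htaccess() {
    root="$1"
    find "$root" -type f -name .htaccess 2>/dev/null | sort | while IFS= read -r f; do
        site=$(site_of_path "$root" "$f")
        [ -n "$site" ] || continue
        grp=$(require_group_of "$f")
        [ -n "$grp" ] || continue            # "require user ..." is unaffected
        [ "$grp" = "$site" ] || printf '%s group=%s site=%s\n' "$f" "$grp" "$site"
    done
}

# fix_htaccess_group FILE SITE: rewrite the "require group" line to SITE.
# Goes through a temp file and mv so the edit is atomic and portable (no sed -i).
fix_htaccess_group() {
    f="$1"; site="$2"
    tmp="$f.tmp.$$"
    awk -v s="$site" 'tolower($1) == "require" && tolower($2) == "group" { $3 = s } { print }' \
        "$f" > "$tmp" && mv "$tmp" "$f"
}

# make_sample_tree DIR: constructed sample data mirroring the mail's example
# (customer-one was site11 on the old server and is site34 after the restore).
make_sample_tree() {
    d="$1"
    mkdir -p "$d/site34/web/stats" "$d/site12/users/stats/web" "$d/site7/web"
    # stale: restored from the old server, still names the old group
    printf 'order allow,deny\nallow from all\nrequire group site11\nAuthName Cobalt\nAuthType Basic\n' \
        > "$d/site34/web/stats/.htaccess"
    # correct: group matches the directory it lives in
    printf 'order allow,deny\nallow from all\nrequire group site12\nAuthName Cobalt\nAuthType Basic\n' \
        > "$d/site12/users/stats/web/.htaccess"
    # user-based rule: not affected by site renumbering
    printf 'require user admin\nAuthName Cobalt\nAuthType Basic\n' > "$d/site7/web/.htaccess"
}

# Stand-alone demo on a throwaway tree: prints the one stale file.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
audit_htaccess "$demo_root"
rm -rf "$demo_root"
```

Run it against the real tree with "audit_htaccess /home/sites" (after sourcing the file) and review the reported files before deciding whether to rewrite the group with fix_htaccess_group or to let Webalizer regenerate them; since a wrong group silently grants the neighbouring site's users access to the stats, the audit is worth repeating after any restore.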