
05-03-2007, 05:01 PM
Junior Guru Wannabe
Join Date: Oct 2005
Posts: 43
possible for multiple sites on same server to "share" one .htpasswd file?
the subject pretty much sums it up, is there a method or solution for multiple websites (which reside on the same dedicated server) to share just one .htpasswd, or automate the mirroring of said .htpasswd file?
if so any suggestions for methodology or products that would facilitate this action would be most welcome, thx in advance friends..!


05-03-2007, 05:13 PM
Web Hosting Guru
Join Date: Nov 2003
Posts: 294
Just pointing to the same .htpasswd file in "AuthUserFile" directives. Should not be a problem at all.
__________________
LiteSpeed Web Server by http://www.litespeedtech.com
Best PHP and Ruby On Rails hosting platform,
Completely Apache interchangeable
Compatible with all hosting control panels.

05-03-2007, 05:27 PM
Junior Guru Wannabe
Join Date: Oct 2005
Posts: 43
Quote:
Originally Posted by mistwang
Just pointing to the same .htpasswd file in "AuthUserFile" directives. Should not be a problem at all.
thx for your speedy reply friend, i will research the AuthUserFile reference and see what i can find. can i ask you this then... would it be possible to just have one .htpasswd located somewhere safe/deep, and have both sites use symbolic links to point to that one? the issue i have w/ just sharing one of them is that both are modified externally by scripts, so if there is a way to just have one .htpasswd file that can be modified and accessed by both websites transparently that would be ideal...
thx again for your help and have a good one friend..!

05-03-2007, 09:24 PM
Web Hosting Guru
Join Date: Nov 2003
Posts: 294
You don't have to use symbolic links, just point to the location of the file directly.
For the sake of security, just make the .htpasswd file only readable by the user that the web server runs as, and run PHP and CGIs with suEXEC, so the .htpasswd file is not readable from PHP and CGI.

05-03-2007, 10:16 PM
Junior Guru Wannabe
Join Date: Oct 2005
Posts: 43
Quote:
Originally Posted by mistwang
You don't have to use symbolic links, just point to the location of the file directly.
For the sake of security, just make the .htpasswd file only readable by the user that the web server runs as, and run PHP and CGIs with suEXEC, so the .htpasswd file is not readable from PHP and CGI.
thx once again for your reply, but unfortunately i cannot modify the path pointed to the current two .htpasswd's in some of the scripts in question, hence the wish to replace them both w/ symbolic links if possible, both pointing to (and being able to write to) the one real .htpasswd..

05-03-2007, 10:29 PM
Web Hosting Guru
Join Date: Nov 2003
Posts: 294
You can use a symbolic link if you need to. But it will not make the .htpasswd file safer in terms of security.
So, you are not using the web server's built-in password protection feature, it was inside the script, right?
Then, you have to be careful with the file permission of the .htpasswd, it has to be readable to the user that the script runs as.

05-03-2007, 10:35 PM
Junior Guru Wannabe
Join Date: Oct 2005
Posts: 43
Quote:
Originally Posted by mistwang
You can use a symbolic link if you need to. But it will not make the .htpasswd file safer in terms of security.
So, you are not using the web server's built-in password protection feature, it was inside the script, right?
Then, you have to be careful with the file permission of the .htpasswd, it has to be readable to the user that the script runs as.
thx again for your time mistwang... yes, i rely on a secondary .php script on my server for each website that logs password pair usage and locks shared accounts when needed. would going the route w/ symbolic links for both sites where the .htpasswd would be markedly 'unsafe' in practice? and would this method allow the one real .htpasswd file to be modified by scripts from either website?
thx again..! 

05-03-2007, 10:48 PM
Web Hosting Guru
Join Date: Nov 2003
Posts: 294
You are welcome!
Quote:
Originally Posted by frameRelay
would going the route w/ symbolic links for both sites where the .htpasswd would be markedly 'unsafe' in practice?
Using symbolic links has no impact on the security of the target file.
Quote:
would this method allow the one real .htpasswd file to be modified by scripts from either website?
No. As long as the file permission of the real .htpasswd file is set to read-only for the users that the scripts run as.

05-03-2007, 10:56 PM
Junior Guru Wannabe
Join Date: Oct 2005
Posts: 43
hmm... i really need the .htpasswd to be modifiable by the scripts from either website, both to add new password pairs and to remove them, am i looking in the wrong direction here for this task? really i am trying to find a way that doesn't involve changing the existing scripts, the .htpasswd is currently set at 666 and the scripts can change it properly now, would having the symbolic links pointing to the new location w/ it also set as 666 not work then..?

05-03-2007, 11:08 PM
Web Hosting Guru
Join Date: Nov 2003
Posts: 294
Quote:
Originally Posted by frameRelay
hmm... i really need the .htpasswd to be modifiable by the scripts from either website, both to add new password pairs and to remove them, am i looking in the wrong direction here for this task? really i am trying to find a way that doesn't involve changing the existing scripts, the .htpasswd is currently set at 666 and the scripts can change it properly now, would having the symbolic links pointing to the new location w/ it also set as 666 not work then..?
I thought you wanted to secure the .htpasswd file.
Yes, it should still work via symbolic links if the permission of .htpasswd is set to 0666.

05-03-2007, 11:16 PM
Junior Guru Wannabe
Join Date: Oct 2005
Posts: 43
Quote:
Originally Posted by mistwang
I thought you wanted to secure the .htpasswd file.
Yes, it should still work via symbolic links if the permission of .htpasswd is set to 0666.
thx again... yes, the goal is not to enhance security per se (although i'd hate to do anything that hampered current security!) but to allow two different websites w/ their own set of .php scripts to both make changes to the one .htpasswd file on the fly, in effect mirroring changes to the file so when a user is removed on one side they lose access at the other as well (and vice-versa)... i will speak w/ my host about setting up the links in the fashion and greatly appreciate your time and insight friend..!
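
The layout the thread settles on (one real .htpasswd with a symlink at each site's existing path), as an added example that is not part of any post: the script builds it under a temporary directory and audits permissions through the links. It assumes GNU coreutils; the paths, the sample entries and the 0660 shared-group alternative to 0666 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils (readlink -f, stat -c).
# Every path and password entry below is constructed for the demo.

# Print "<verdict> <mode> <real path>" for the file that PATH resolves to.
# Permissions come from the symlink target; the link itself carries none.
audit_htpasswd() {
    real=$(readlink -f -- "$1") || return 2
    [ -f "$real" ] || { echo "missing - $1"; return 2; }
    mode=$(stat -c '%a' -- "$real")
    other=${mode#"${mode%?}"}              # last octal digit = "other" bits
    if [ $((other & 2)) -ne 0 ]; then verdict=world-writable
    elif [ $((other & 4)) -ne 0 ]; then verdict=world-readable
    else verdict=restricted
    fi
    echo "$verdict $mode $real"
}

# Build the thread's layout: one real file, one symlink per site. Prints the root.
make_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/shared" "$root/siteA" "$root/siteB"
    echo 'alice:CONSTRUCTED-HASH-NOT-REAL' > "$root/shared/.htpasswd"
    chmod 0666 "$root/shared/.htpasswd"
    ln -s "$root/shared/.htpasswd" "$root/siteA/.htpasswd"
    ln -s "$root/shared/.htpasswd" "$root/siteB/.htpasswd"
    echo "$root"
}

demo_root=$(make_demo)
# 0666 on the target is reported no matter which site's link is checked.
audit_htpasswd "$demo_root/siteA/.htpasswd"     # world-writable 666 <real path>
# A write through siteB's link lands in the single real file.
echo 'bob:CONSTRUCTED-HASH-NOT-REAL' >> "$demo_root/siteB/.htpasswd"
wc -l < "$demo_root/shared/.htpasswd"           # 2
# Owner+group only; a group shared by both sites' script users is an assumption.
chmod 0660 "$demo_root/shared/.htpasswd"
audit_htpasswd "$demo_root/siteB/.htpasswd"     # restricted 660 <real path>
rm -rf "$demo_root"
```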
