Security and Apache: An Essential Primer - page 7
Below is a list of the security-related modules that are included as part of the standard Apache distribution.
- This is the only module in the standard Apache distribution which applies mandatory controls. It allows you to list hosts, domains, and/or IP addresses or networks that are permitted or denied access to documents.
- This is the basis for most Apache security modules; it uses ordinary text files for the authentication database. Entries are of the form "username:password"; additional fields may follow the password, separated from it by a colon, but they're ignored.
- This module is essentially the same as mod_auth, except that the authentication credentials are stored in a Berkeley DB file format. The directives contain the additional letters "DB" (e.g.,
- Like mod_auth_db, save that credentials are stored in a DBM file.
- This module mimics the behavior of anonymous FTP; rather than having a database of valid credentials, it recognizes a list of valid usernames (i.e., the way an FTP server recognizes anonymous) and grants access to any of those with essentially any password. This module is more useful for logging access to resources and keeping robots out than it is for actual access control.
- Whereas the other discretionary control modules supplied with Apache all support Basic authentication, mod_auth_digest is currently the sole supporter of the Digest mechanism. It underwent some serious revamping in 1999, and the new version is currently considered 'experimental,' but no problems have been identified with the new code and it's likely to be moved back into the standard stable soon. Like mod_auth, the credentials used by this module are stored in a text file. Digest database files are managed with the
Setting up mod_digest is much more involved than setting up Basic authentication; please see the module documentation for details.
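The list above separates the one mandatory control (host-based, in mod_access) from the discretionary ones (credential-based, mod_auth and its relatives). The following is an added example, not code from the article or from Apache itself: a small Python model of how those two kinds of control combine for a request, including the "username:password[:ignored]" file layout described for mod_auth, the "{SHA}" password field that `htpasswd -s` writes, the Order deny,allow / allow,deny semantics of mod_access, and the Satisfy rule that joins them. Every user name, address and password in it is constructed for the demo; crypt(3) and MD5 password fields are deliberately not modelled.

```python
"""Added example (not from the article or Apache): how mod_access (mandatory,
host-based) and mod_auth (discretionary, Basic auth against a text file)
combine to decide a request. All names and credentials are constructed."""
import base64
import hashlib
import hmac
import ipaddress


def sha_entry(password: str) -> str:
    """Password field in the '{SHA}' form `htpasswd -s` writes:
    '{SHA}' + base64(raw SHA-1 digest)."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


# Constructed AuthUserFile in the "username:password[:ignored...]" layout;
# the trailing fields on alice's line must be ignored, as the article says.
USER_FILE = "\n".join([
    "# comment lines and blank lines are skipped",
    f"alice:{sha_entry('correct horse')}:trailing:fields:ignored",
    f"bob:{sha_entry('hunter2')}",
    "",
])


def parse_user_file(text: str) -> dict:
    """mod_auth semantics: field 1 is the user, field 2 the password,
    anything after the second colon is ignored."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        password, _, _ignored = rest.partition(":")
        users[name] = password
    return users


def check_password(stored: str, supplied: str) -> bool:
    """Verify against a '{SHA}' field; crypt(3)/$apr1$ fields are not modelled."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(stored, sha_entry(supplied))
    raise ValueError("unsupported password format: " + stored[:6])


def basic_header(user: str, password: str) -> str:
    """The Authorization header a browser sends for Basic authentication."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header: str):
    """Basic credentials are only base64-encoded, not encrypted: anyone who
    can read the header (e.g. on an unencrypted link) has the password."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def _matches(ip: str, patterns) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(p == "all" or addr in ipaddress.ip_network(p, strict=False)
               for p in patterns)


def mod_access_allows(client_ip: str, order: str, allow=(), deny=()) -> bool:
    """Mandatory control with Apache 1.3 'Order' semantics:
    deny,allow -> default allow; a host on both lists is allowed.
    allow,deny -> default deny;  a host on both lists is denied."""
    allowed = _matches(client_ip, allow)
    denied = _matches(client_ip, deny)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError("unknown Order: " + order)


def decide(client_ip: str, auth_header, users: dict, satisfy: str = "all",
           order: str = "deny,allow", allow=(), deny=()) -> int:
    """Status the combined controls produce: 'Satisfy all' (the default)
    needs both the host check and valid credentials, 'Satisfy any' accepts
    either. Returns 200, 401 (credentials needed) or 403 (host refused)."""
    host_ok = mod_access_allows(client_ip, order, allow, deny)
    creds = decode_basic(auth_header) if auth_header else None
    user_ok = bool(creds and creds[0] in users
                   and check_password(users[creds[0]], creds[1]))
    if satisfy == "any":
        return 200 if (host_ok or user_ok) else 401
    if not host_ok:
        return 403
    return 200 if user_ok else 401
```

Calling `decide("10.0.0.5", basic_header("alice", "correct horse"), parse_user_file(USER_FILE), deny=["all"], allow=["10.0.0.0/8"])` yields 200, the same request from an outside address yields 403, and a wrong password from the inside network yields 401. `decode_basic` is there to make the article's point about Basic concrete: the header round-trips to the plaintext password with nothing more than a base64 decode.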
Allowing Users to Control Access to Their Own Documents
All of the security-related module directives can be used in per-directory .htaccess files. However, in order for Apache to pay attention to them, the directories in question need to be within the scope of an AllowOverride directive that includes the AuthConfig (for discretionary controls) or Limit (for mandatory controls) keywords. For instance, a standard Linux installation of Apache can enable this with the following lines in the
    AllowOverride AuthConfig Limit
Using Your System Passwd File
This is a common request, and an incredibly bad idea: "How can I use my system's /etc/passwd file as my Web authentication database?"
The simple answer is: you don't. I'll just list a couple of reasons:
- If someone manages to crack the username and password of someone accessing a Web page, that person can now log onto your system. (Remember, most of the Web authentication uses the Basic method, which is incredibly simple to crack.)
- Unlike your system's login system, which will probably kick you out, disconnect you, lock your account, or do something equally extroverted and paranoid (and log the fact!) if you misspell your password a few times in a row, there are no such controls on the Web. So someone could very easily write a script that just banged away on your system, trying endless combinations of usernames and passwords, and nothing would automatically perk up and make rude noises.
If you still want to do it after reading the above and the additional information in the Apache FAQ, well, on your own head be it. You can do it with mod_access, and that's all I'm going to say about it.
And that's probably already too much, too.
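The second reason above is that nothing on the Web side "perks up" when a client fails authentication over and over. As an added example (not from the article), here is that missing check written as log analysis: a Python script that reads Apache common-log-format lines, counts 401 responses per client address inside a sliding time window, and reports the clients that crossed a threshold together with the usernames they offered. The log lines, addresses and usernames are constructed for the demo; the window and threshold values are arbitrary.

```python
"""Added example (not from the article): flag password guessing from Apache
access logs by counting 401s per client in a sliding window. The sample log
lines below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common log format: host ident user [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')

# Constructed sample: one genuine typo from 192.0.2.10, then a script at
# 198.51.100.7 cycling through usernames. The user field holds the name the
# client offered even on a 401 (mod_log_config notes it "may be bogus").
SAMPLE_LOG = [
    '192.0.2.10 - alice [10/Oct/2000:13:55:36 -0700] "GET /private/ HTTP/1.0" 401 431',
    '192.0.2.10 - alice [10/Oct/2000:13:55:52 -0700] "GET /private/ HTTP/1.0" 200 2326',
    '198.51.100.7 - alice [10/Oct/2000:13:56:00 -0700] "GET /private/ HTTP/1.0" 401 431',
    '198.51.100.7 - bob [10/Oct/2000:13:56:30 -0700] "GET /private/ HTTP/1.0" 401 431',
    '198.51.100.7 - root [10/Oct/2000:13:57:00 -0700] "GET /private/ HTTP/1.0" 401 431',
    '198.51.100.7 - admin [10/Oct/2000:13:57:30 -0700] "GET /private/ HTTP/1.0" 401 431',
    '198.51.100.7 - test [10/Oct/2000:13:58:00 -0700] "GET /private/ HTTP/1.0" 401 431',
    '198.51.100.7 - guest [10/Oct/2000:13:58:30 -0700] "GET /private/ HTTP/1.0" 401 431',
    '203.0.113.4 - - [10/Oct/2000:14:02:11 -0700] "GET /index.html HTTP/1.0" 200 1043',
]


def parse_line(line: str):
    """Split one common-log-format line into a dict, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_guessing(lines, window_seconds: int = 300, threshold: int = 5) -> dict:
    """Return {ip: (peak 401 count inside the window, sorted usernames tried)}
    for every client whose failed-auth count reached `threshold`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps of 401s still in the window
    names = defaultdict(set)      # ip -> usernames offered
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 401:
            continue
        ip, ts = rec["ip"], rec["ts"]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:        # drop failures older than the window
            q.popleft()
        if rec["user"] != "-":
            names[ip].add(rec["user"])
        if len(q) >= threshold:
            peak = max(flagged.get(ip, (0,))[0], len(q))
            flagged[ip] = (peak, sorted(names[ip]))
    return flagged


if __name__ == "__main__":
    for ip, (count, tried) in find_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins, usernames tried: {', '.join(tried)}")
```

Run against the sample, only 198.51.100.7 is reported (six failures in under three minutes across six usernames); the single 401 from 192.0.2.10 stays below the threshold. The same per-client counting is what log-watching tools build their automatic blocking on; the script stops at reporting so the response (a temporary deny rule, an alert) stays a separate decision.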