This question about Configuration: Answered

password change or user registration overwrites configuration password in .htpasswd

I just set up my first Foswiki installation, whose configuration site I secured according to ProtectingYourConfiguration. As described, I restricted access to /bin/configure to a non-wiki user whose password I added manually to the .htpasswd. My problem is that every time a new user registers to my wiki or someone changes his password, the .htpasswd is rebuilt and the configuration user gets lost. Is there a way to anchor this information in the .htpasswd?

Giving access to /bin/configure to a registered wiki user didn't work either.

I use Foswiki 1.0.8 on Ubuntu 9.10.

My .htpasswd (md5 encoded):
WikiUser:Enter your System.LoginName. (Typically First name and last name, no space, no dots, capitalized, e.g. !JohnSmith, unless you chose otherwise). Visit System.UserRegistration if you do not have one.:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:mail@server.com
siteadmin:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy

My apache.conf:
(...)

<Directory "/path/to/foswiki/bin">
    AllowOverride None
    Order Allow,Deny
    Allow from all
    Deny from env=blockAccess

    Options +ExecCGI  -FollowSymLinks
    SetHandler cgi-script
    <Files "foswiki.fcgi">
        SetHandler fcgid-script
    </Files>


    # Password file for Foswiki users
    AuthUserFile /path/to/foswiki/data/.htpasswd
    AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
    AuthType Basic

    # File to return on access control error (e.g. wrong password)
    ErrorDocument 401 /foswiki/System/UserRegistration

    # Limit access to configure to specific IP address(es) or user(s).
    # Make sure configure is not open to the general public.
    # It exposes system details that can help attackers.
    # cf. http://foswiki.org/Support/ProtectingYourConfiguration for details.
    <FilesMatch "^(configure)$">
        SetHandler cgi-script
        Order Deny,Allow
        Deny from all
        Require user siteadmin
        Satisfy Any
    </FilesMatch>

</Directory>


(...)

Thanks

-- PhilippWeber - 19 Jan 2010

The .htpasswd should not be rebuilt. I just checked, and the code reads the .htpasswd, but doesn't remove existing users unless explicitly told to.

You reported this some time ago; have you found a solution since?

-- CrawfordCurrie - 11 Mar 2010

I still see this behavior even after updating to 1.0.9. A non-wiki user will be removed from the .htpasswd in the foswiki/data directory every time a wiki user registers or changes his password. Is there a way to redirect the access control for the configure script to another .htpasswd file?

As a workaround I have to add the siteadmin user manually to foswiki/data/.htpasswd before changing the configuration or restrict configuration access to a certain IP.

-- PhilippWeber - 22 Mar 2010

I've tried to recreate this on the latest pre-1.1.4 trunk code. The file is sorted, so lower-case users end up at the end, but users are not removed from the file. I did find that a user without any password set will be written back out with a realm. But all users were there.

There has been a lot of work done on HtpasswdUser.pm - hopefully this is resolved.

Another workaround if it is still happening would be to point the authentication for configure to a different htpasswd file. But you really shouldn't need to do this.

-- GeorgeClark - 02 Aug 2011
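The workaround George describes, keeping the configure administrator in a file Foswiki never rewrites, as an added example that is not part of the thread and not Foswiki's own code. It assumes Apache's `{SHA}` password format (what `htpasswd -s` writes, accepted by Apache 2.2 `AuthType Basic`) rather than the MD5 format used in the thread, a hypothetical separate file `configure.htpasswd` kept outside `foswiki/data`, and a constructed stand-in for the rewritten wiki .htpasswd. It also includes an audit helper that reports which required users have disappeared from a file, which is the symptom reported above.

```python
"""Keep the configure admin out of Foswiki's rewritable .htpasswd.

Added example, not Foswiki code.  Assumes Apache AuthUserFile semantics and
the {SHA} entry format; file names below are hypothetical.
"""
import base64
import hashlib
import hmac
import os
import tempfile


def sha_hash(password):
    """Apache's {SHA} format: base64 of the raw SHA-1 digest (htpasswd -s).
    It is unsalted, so reserve it for one long, randomly generated admin
    password; on Apache 2.4+ prefer bcrypt via `htpasswd -B`."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def parse_htpasswd(path):
    """Map user -> everything after the first colon.  Apache Basic auth only
    honours plain 'user:hash' lines; Foswiki's HtpasswdUser may also write
    'user:realm:hash:email' (htdigest style), one reason not to share a file
    between the wiki and the configure admin."""
    entries = {}
    if not os.path.exists(path):
        return entries
    with open(path, "r", encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            user, _, rest = line.partition(":")
            entries[user] = rest
    return entries


def upsert_user(path, user, hashed):
    """Add or replace `user`, writing via a temp file and rename so Apache
    never reads a half-written file; mode 0640 keeps other users out."""
    entries = parse_htpasswd(path)
    entries[user] = hashed
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".htpasswd.")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        for name in sorted(entries):
            fh.write(f"{name}:{entries[name]}\n")
    os.chmod(tmp, 0o640)
    os.replace(tmp, path)


def verify(path, user, password):
    """Constant-time check of a {SHA} entry; unknown users, other hash
    formats and realm-style lines all fail closed."""
    stored = parse_htpasswd(path).get(user, "")
    if not stored.startswith("{SHA}"):
        return False
    return hmac.compare_digest(stored, sha_hash(password))


def missing_users(path, required):
    """Audit: which of `required` are absent from the file.  Run this after a
    registration to catch the disappearing-admin problem from the thread."""
    present = parse_htpasswd(path)
    return [u for u in required if u not in present]


def demo():
    """Walk through the workaround in a scratch directory; returns the checks."""
    workdir = tempfile.mkdtemp(prefix="foswiki-demo-")
    wiki_file = os.path.join(workdir, ".htpasswd")            # Foswiki's own file
    admin_file = os.path.join(workdir, "configure.htpasswd")  # never touched by Foswiki

    # Constructed stand-in for the file after Foswiki rewrote it: only the
    # wiki user survives, the manually added siteadmin line is gone.
    with open(wiki_file, "w", encoding="utf-8") as fh:
        fh.write("WikiUser:Foswiki:0123456789abcdef0123456789abcdef:mail@server.com\n")

    upsert_user(admin_file, "siteadmin", sha_hash("correct horse battery staple"))
    return {
        "lost_in_wiki_file": missing_users(wiki_file, ["siteadmin"]),
        "admin_ok": verify(admin_file, "siteadmin", "correct horse battery staple"),
        "admin_wrong_pw": verify(admin_file, "siteadmin", "guess"),
        "admin_unknown_user": verify(admin_file, "WikiUser", "anything"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

To wire it in, add `AuthUserFile /path/to/foswiki/configure.htpasswd` inside the `<FilesMatch "^(configure)$">` block shown in the question, so that block overrides the `AuthUserFile` set for the rest of `bin`; keep `Require user siteadmin` and make sure `siteadmin` is not also a valid WikiName, since the outer `Directory` still authenticates everything else against Foswiki's file. The Apache directive placement is the usual `AuthUserFile` behaviour, but check it against your own Apache version.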

QuestionForm

Subject: Configuration
Extension:
Version: Foswiki 1.0.9
Status: Answered
Related Topics:

Topic revision: r4 - 02 Aug 2011, GeorgeClark