New Foswiki release 2.1.6 is available with important security fixes.
Sourceforge foswiki email lists being discontinued. Subscribe to the new Foswiki announce and discuss lists at MailingLists
This question about Configuration: Answered

password change or user registration overwrites configuration password in .htpasswd

I just set up my first Foswiki installation witch configuration site I secured according to ProtectingYourConfiguration. As described I restricted access to /bin/configuration to a non wiki user whose password I add manually to the .htpasswd. My problem is that every time a new user registers to my wiki or someone changes his password the .htpasswd is rebuild and the configuration user gets lost. Is there a way to anchor this information in the .htpasswd?

Giving access to /bin/configuration to a registered wiki user didn't work either.

I use Foswiki 1.0.8 on Ubuntu 9.10.

my .htpasswd (md5 encoded):
WikiUser:Enter your System.LoginName. (Typically First name and last name, no space, no dots, capitalized, e.g. !JohnSmith, unless you chose otherwise). Visit System.UserRegistration if you do not have

my apache.conf:

<Directory "/path/to/foswiki/bin">
    AllowOverride None
    Order Allow,Deny
    Allow from all
    Deny from env=blockAccess

    Options +ExecCGI  -FollowSymLinks
    SetHandler cgi-script
    <Files "foswiki.fcgi">
        SetHandler fcgid-script

    # Password file for Foswiki users
    AuthUserFile /path/to/foswiki/data/.htpasswd
    AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
    AuthType Basic

    # File to return on access control error (e.g. wrong password)
    ErrorDocument 401 /foswiki/System/UserRegistration

    # Limit access to configure to specific IP address(es) or user(s).
    # Make sure configure is not open to the general public.
    # It exposes system details that can help attackers.
    # cf. for details.
    <FilesMatch "^(configure)$">
        SetHandler cgi-script
        Order Deny,Allow
        Deny from all
        Require user siteadmin
        Satisfy Any




-- PhilippWeber - 19 Jan 2010

? The .htpasswd should not be rebuilt. I just checked, and the code reads the .htpasswd, but doesn't remove existing users unless explicitly told to.

You reported this some time ago; have you found a solution since?

-- CrawfordCurrie - 11 Mar 2010

I still see this behavior even after updating to 1.0.9. A non wiki user will be removed from the .htpasswd in the foswiki/data directory every time a wiki user registers or changes his password. Is there a way to redirect the access controll for the configure script to another .htpasswd file?

As a workaround I have to add the siteadmin user manually to foswiki/data/.htpasswd before changing the configuration or restrict configuration access to a certain IP.

-- PhilippWeber - 22 Mar 2010

I've tried to recreate this on the latest pre 1.1.4 trunk code. The file is sorted, so lower-case users end up at the end, but users are not removed from the file. I did find that a user without any password set will be written back out with a realm. But all users were there.

There has been a lot of work done on - hopefully this is resolved.

Another workaround if it is still happening would be to point the authentication for configure to a different htpasswd file. But you really shouldn't need to do this.

-- GeorgeClark - 02 Aug 2011

QuestionForm edit

Subject Configuration
Version Foswiki 1.0.9
Status Answered
Related Topics
Topic revision: r4 - 02 Aug 2011, GeorgeClark - This page was cached on 25 May 2018 - 01:43.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy