This question about Configuration: Answered
password change or user registration overwrites configuration password in .htpasswd
I just set up my first Foswiki installation, whose configuration site I secured according to
ProtectingYourConfiguration. As described, I restricted access to /bin/configuration to a non-wiki user whose password I added manually to the .htpasswd. My problem is that every time a new user registers to my wiki or someone changes his password, the .htpasswd is rebuilt and the configuration user gets lost. Is there a way to anchor this information in the .htpasswd?
Giving access to /bin/configuration to a registered wiki user didn't work either.
I use Foswiki 1.0.8 on Ubuntu 9.10.
my .htpasswd (md5 encoded):
WikiUser:Enter your System.LoginName. (Typically First name and last name, no space, no dots, capitalized, e.g. !JohnSmith, unless you chose otherwise). Visit System.UserRegistration if you do not have one.:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:mail@server.com
siteadmin:yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
my apache.conf:
(...)
<Directory "/path/to/foswiki/bin">
AllowOverride None
Order Allow,Deny
Allow from all
Deny from env=blockAccess
Options +ExecCGI -FollowSymLinks
SetHandler cgi-script
<Files "foswiki.fcgi">
SetHandler fcgid-script
</Files>
# Password file for Foswiki users
AuthUserFile /path/to/foswiki/data/.htpasswd
AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
AuthType Basic
# File to return on access control error (e.g. wrong password)
ErrorDocument 401 /foswiki/System/UserRegistration
# Limit access to configure to specific IP address(es) or user(s).
# Make sure configure is not open to the general public.
# It exposes system details that can help attackers.
# cf. http://foswiki.org/Support/ProtectingYourConfiguration for details.
<FilesMatch "^(configure)$">
SetHandler cgi-script
Order Deny,Allow
Deny from all
Require user siteadmin
Satisfy Any
</FilesMatch>
</Directory>
(...)
Thanks
--
PhilippWeber - 19 Jan 2010
The .htpasswd should not be rebuilt. I just checked, and the code reads the .htpasswd, but doesn't remove existing users unless explicitly told to.
You reported this some time ago; have you found a solution since?
--
CrawfordCurrie - 11 Mar 2010
I still see this behavior even after updating to 1.0.9. A non-wiki user will be removed from the .htpasswd in the foswiki/data directory every time a wiki user registers or changes his password. Is there a way to redirect the access control for the configure script to another .htpasswd file?
As a workaround I have to add the siteadmin user manually to foswiki/data/.htpasswd before changing the configuration or restrict configuration access to a certain IP.
--
PhilippWeber - 22 Mar 2010
I've tried to recreate this on the latest pre-1.1.4 trunk code. The file is sorted, so lower-case users end up at the end, but users are not removed from the file. I did find that a user without any password set will be written back out with a realm. But all users were there.
There has been a lot of work done on HtpasswdUser.pm - hopefully this is resolved.
Another workaround if it is still happening would be to point the authentication for configure to a different htpasswd file. But you really shouldn't need to do this.
--
GeorgeClark - 02 Aug 2011
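The workaround mentioned in the two replies above (point the authentication for configure at a different htpasswd file) is shown here as an added example; it is not code from the thread or from the Foswiki project. It renders a <FilesMatch> block for bin/configure that uses its own AuthUserFile, so Foswiki's registration and password-change code never touches the admin account, and it includes a small check that a given user is still present in a password file. The paths, the file name .htpasswd-configure, the AuthName text and the sample entries are assumptions or constructed values.

```shell
#!/bin/sh
# Added example, not from the original thread. Keeps the configure admin
# account in its own password file so Foswiki user management never
# rewrites it, and verifies the account is still present.
# Paths are assumptions; adjust to the real installation.
FOSWIKI_DATA="${FOSWIKI_DATA:-/path/to/foswiki/data}"
CONFIGURE_HTPASSWD="${CONFIGURE_HTPASSWD:-$FOSWIKI_DATA/.htpasswd-configure}"

# Print the Apache block for bin/configure. It mirrors the block in the
# question, adding AuthType/AuthName/AuthUserFile inside the FilesMatch so
# that only configure authenticates against the file given as $1; the rest
# of bin/ keeps using the wiki's own .htpasswd from the enclosing Directory.
render_configure_auth() {
    cat <<EOF
<FilesMatch "^(configure)\$">
    SetHandler cgi-script
    AuthType Basic
    AuthName "Foswiki configure"
    AuthUserFile $1
    Order Deny,Allow
    Deny from all
    Require user siteadmin
    Satisfy Any
</FilesMatch>
EOF
}

# Return 0 if USER ($2) has an entry in htpasswd FILE ($1); the user name is
# the first colon-separated field, so realm and e-mail fields are ignored.
has_htpasswd_user() {
    file="$1"
    user="$2"
    [ -r "$file" ] || return 1
    cut -d: -f1 "$file" | grep -qx -- "$user"
}

# Demonstration on constructed files in a temporary directory. The hashes
# are placeholders, not real password hashes.
demo() {
    tmp="$(mktemp -d)"
    printf '%s\n' 'siteadmin:$apr1$placeholder$xxxxxxxxxxxxxxxxxxxxxx' > "$tmp/.htpasswd-configure"
    printf '%s\n' 'WikiUser:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:mail@server.com' > "$tmp/.htpasswd"
    if has_htpasswd_user "$tmp/.htpasswd-configure" siteadmin; then
        echo "siteadmin present in configure password file"
    fi
    if ! has_htpasswd_user "$tmp/.htpasswd" siteadmin; then
        echo "siteadmin absent from the wiki password file (expected)"
    fi
    render_configure_auth "$tmp/.htpasswd-configure"
    rm -rf "$tmp"
}

# Uncomment to run the demonstration:
# demo
```

To use it, create the second file once with the Apache htpasswd tool (for example `htpasswd -c "$CONFIGURE_HTPASSWD" siteadmin`), paste the rendered block in place of the existing <FilesMatch "^(configure)$"> block, and run `has_htpasswd_user "$CONFIGURE_HTPASSWD" siteadmin` from a cron job or monitoring check to be alerted if the account ever disappears again.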