This is going to be a little long-winded, but here goes.
We are running a TWiki page on a server located on our internal network. Users visit twiki.ourlocation.com from anywhere and input their username and password to gain access. The usernames and passwords are stored in a .htpasswd file.
Everything was working fine until I attempted to add myself to the part of twiki.conf that allows access to the configure script in TWiki. I saved, restarted Apache, and then all logins broke. Nobody can log in now. I've been working with TWiki people in IRC, but nothing has helped.
Here is the twiki.conf file:
Quote:
# Autogenerated httpd.conf file for TWiki.
# Generated at http://twiki.org/cgi-bin/view/TWiki/...onfigGenerator
# Block access to typical spam related attachments
# Except the TWiki directory which is read only and does have attached html files.
SetEnvIf Request_URI "twiki/pub/.*\.[hH][tT][mM]?$" blockAccess
SetEnvIf Request_URI "twiki/pub/TWiki/.*\.[hH][tT][mM]?$" !blockAccess
#Block access from badly behaving robots and site sucking type programs.
BrowserMatchNoCase ^SiteSucker blockAccess
BrowserMatchNoCase ^iGetter blockAccess
BrowserMatchNoCase ^larbin blockAccess
BrowserMatchNoCase ^LeechGet blockAccess
BrowserMatchNoCase ^RealDownload blockAccess
BrowserMatchNoCase ^Teleport blockAccess
BrowserMatchNoCase ^Webwhacker blockAccess
BrowserMatchNoCase ^WebDevil blockAccess
BrowserMatchNoCase ^Webzip blockAccess
BrowserMatchNoCase ^Attache blockAccess
BrowserMatchNoCase ^SiteSnagger blockAccess
BrowserMatchNoCase ^WX_mail blockAccess
BrowserMatchNoCase ^EmailCollector blockAccess
BrowserMatchNoCase ^WhoWhere blockAccess
BrowserMatchNoCase ^Roverbot blockAccess
BrowserMatchNoCase ^ActiveAgent blockAccess
BrowserMatchNoCase ^EmailSiphon blockAccess
BrowserMatchNoCase ^CrownPeak-HttpAgent blockAccess
BrowserMatchNoCase ^$ blockAccess
# The ScriptAlias defines the bin directory as a directory where CGI
# scripts are allowed.
# The first parameter will be part of the URL to your installation e.g.
# http://my.co.uk/twiki/bin/view/...
# The second parameter must point to the physical path on your disc.
ScriptAlias /twiki/bin "/var/www/html/twiki/bin"
# The Alias defines a url that points to the root of the twiki installation.
# It is used to access files in the pub directory (attachments etc)
# It must come _after_ the ScriptAlias.
Alias /twiki "/var/www/html/twiki"
# This specifies the options on the TWiki scripts directory. The ExecCGI
# and SetHandler tell apache that it contains scripts. "Allow from all"
# lets any IP address access this URL.
<Directory "/var/www/html/twiki/bin">
AllowOverride All
Order Allow,Deny
Allow from all
Deny from env=blockAccess
Options ExecCGI FollowSymLinks
SetHandler cgi-script
# Password file for TWiki users
AuthUserFile /var/www/html/twiki/.htpasswd
AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
AuthType Basic
# File to return on access control error (e.g. wrong password)
# By convention this is the TWikiRegistration page, that allows users
# to register with the TWiki. Apache requires this to be a *local* path.
ErrorDocument 401 /twiki/bin/view/TWiki/TWikiRegistration
# Limit access to configure to specific IP addresses and or users.
# Make sure configure is not open to the general public.
# It exposes system details that can help attackers.
<FilesMatch "^(configure)$">
SetHandler cgi-script
Order Deny,Allow
Deny from all
Allow from 192.168.1.127 , 124.0.0.1
Require user "UserName removed"
Satisfy Any
</FilesMatch>
<FilesMatch "^(view)$">
SetHandler cgi-script
Order Deny,Allow
Deny from all
Allow from 192.168.1.127 , 124.0.0.1
Require valid-user
Satisfy Any
</FilesMatch>
# When using Apache type login the following defines the TWiki scripts
# that makes Apache ask the browser to authenticate. It is correct that
# scripts such as view are not authenticated.
<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|.*auth).*">
require valid-user
</FilesMatch>
</Directory>
# This sets the options on the pub directory, which contains attachments and
# other files like CSS stylesheets and icons. AllowOverride None stops a
# user installing a .htaccess file that overrides these options.
# Note that files in pub are *not* protected by TWiki Access Controls,
# so if you want to control access to files attached to topics you need to
# block access to the specific directories same way as the ApacheConfigGenerator
# blocks access to the pub directory of the Trash web
<Directory "/var/www/html/twiki/pub">
Options None
AllowOverride None
Order Allow,Deny
Allow from all
Deny from env=blockAccess
# Disable execution of PHP scripts
php_admin_flag engine off
# This line will redefine the mime type for the most common types of scripts
# It will also deliver HTML files as if they are text files
AddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi
</Directory>
# Spammers are known to attach their stuff and then move it to trash where it remains unnoticed.
# We prevent viewing any attachments directly from pub
<Directory "/var/www/html/twiki/pub/Trash">
deny from all
</Directory>
# Security note: All other directories should be set so
# that they are *not* visible as URLs, so we set them as =deny from all=.
<Directory "/var/www/html/twiki/data">
deny from all
</Directory>
<Directory "/var/www/html/twiki/templates">
deny from all
</Directory>
<Directory "/var/www/html/twiki/lib">
deny from all
</Directory>
<Directory "/var/www/html/twiki/locale">
deny from all
</Directory>
<Directory "/var/www/html/twiki/tools">
deny from all
</Directory>
Here is the error that I receive in /var/log/httpd/error_log:
Quote:
[Fri Sep 14 07:27:01 2007] [error] [client 192.168.1.1] (13)Permission denied: Could not open password file: /var/www/html/twiki/.htpasswd
[Fri Sep 14 07:27:01 2007] [error] [client 192.168.1.1] access to /twiki/bin/view failed, reason: verification of user id 'BrettHancock' not configured
One weird thing that I noticed is that the .htpasswd file is displaying a 2, and the name of the file is also in green.
Quote:
-rwxr-xr-x 2 apache apache 4051 Sep 14 06:58 .htpasswd
I've tried nearly everything I can think of and am completely at a loss. I don't think it's a TWiki problem; I think it's an Apache problem or the .htpasswd file is corrupted somehow. Any help is appreciated. Thanks!
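
The checks that the error_log line and the `ls -l` listing above call for, written out as an added example (not part of the original post or of TWiki): it audits an AuthUserFile by mode bits for the account Apache runs as, including the search bit on every parent directory. The function names and finding labels are hypothetical, and GNU or busybox `stat -c` is assumed.

```shell
#!/bin/sh
# Added example (not from the post): audit an Apache AuthUserFile by mode bits.
# Assumes GNU/busybox stat (-c). ACLs and mandatory access control are not examined.

# Print the rwx digit (0-7) that applies to account $2 on path $1.
applicable_bits() {
    _m=$(( $(stat -c %a "$1") % 1000 ))      # drop the setuid/setgid/sticky digit
    _o=$(stat -c %U "$1"); _g=$(stat -c %G "$1")
    if [ "$_o" = "$2" ]; then
        echo $(( $_m / 100 ))                # owner digit
    elif id -Gn "$2" 2>/dev/null | tr ' ' '\n' | grep -qxF "$_g"; then
        echo $(( $_m / 10 % 10 ))            # group digit
    else
        echo $(( $_m % 10 ))                 # other digit
    fi
}

# $1 = password file, $2 = account the web server runs as. Prints findings.
audit_authuserfile() {
    file=$1; user=$2; findings=""
    # Opening a file needs search (x) permission on every directory above it.
    dir=$(dirname "$file")
    while :; do
        bits=$(applicable_bits "$dir" "$user")
        [ $(( $bits & 1 )) -eq 1 ] || findings="$findings NO_SEARCH:$dir"
        case $dir in /|.) break ;; esac
        dir=$(dirname "$dir")
    done
    bits=$(applicable_bits "$file" "$user")
    [ $(( $bits & 4 )) -ne 0 ] || findings="$findings UNREADABLE"
    mode=$(( $(stat -c %a "$file") % 1000 ))
    # An odd octal digit means an execute bit; a password file needs none.
    [ $(( ($mode / 100 | $mode / 10 | $mode) & 1 )) -eq 0 ] || findings="$findings EXEC_BIT"
    [ $(( $mode % 10 & 4 )) -eq 0 ] || findings="$findings WORLD_READABLE"
    # Second column of `ls -l`: more than 1 means another name shares this inode.
    [ "$(stat -c %h "$file")" -eq 1 ] || findings="$findings HARDLINKED"
    echo "${findings# }"
}

# Usage: sh audit.sh /var/www/html/twiki/.htpasswd apache
if [ $# -eq 2 ]; then audit_authuserfile "$1" "$2"; fi
```

An empty result means the mode bits alone do not explain a `Permission denied`; a `NO_SEARCH:` entry names the directory that blocks the account.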