Bytes IT Community

problems with basic authentication .htpasswd called from php exec()

Hello,

I'm trying to use php to update my htpasswd file.

I have my permissions on .htpasswd set to 777, so it should be wide
open. From the command line (when logged into the server as "nobody",
my server's web user) I can get the htpasswd.exe to run without a
problem, but when passed through my php exec() function the .htpasswd
file does not change. I'm not getting any errors, but I'm not getting
any action either.

I'd really appreciate anything anyone could suggest - I feel like I'm
banging my head against a wall here.
Thanks,
Jen

Jul 17 '05 #1
3 Replies


>I'm trying to use php to update my htpasswd file.
>
>I have my permissions on .htpasswd set to 777, so it should be wide
>open.

Apache tends to react to excessive permissions on files (or on
directories containing them) by refusing to use them. Setting a
CGI or the directory it's in to mode 777 is a great way to make it
not work. I'm not sure what the situation would be with a
world-writable .htpasswd file.

>From the command line (when logged into the server as "nobody",
>my server's web user) I can get the htpasswd.exe to run without a
>problem, but when passed through my php exec() function the .htpasswd
>file does not change. I'm not getting any errors, but I'm not getting
>any action either.

How did you invoke htpasswd? htpasswd on UNIX tends to prompt on
/dev/tty, *NOT* stdin, which means that if you tried sending in
the password on stdin, it won't work. Maybe Windows is trying
to get it from the console (and failing). Try putting all the info
needed on the command line (with the -b flag), if you aren't already.

>I'd really appreciate anything anyone could suggest - I feel like I'm
>banging my head against a wall here.


Gordon L. Burditt
Jul 17 '05 #2

Thanks Gordon,

I invoked htpasswd by using the exec() function in PHP like this:
exec("/usr/local/apache/current/bin/htpasswd -b .htpasswd $email $password");

when the same thing is entered at the command line:
/usr/local/apache/current/bin/htpasswd -b .htpasswd my_email my_password
it works!

Do you think my problem here is the 777 mod on the .htpasswd file? I
figured I'd open it all the way for testing purposes, and lock it down
after I get it running, but maybe I'm shooting myself in the foot.
any suggestions?

Jul 17 '05 #3

>I invoked htpasswd by using the exec() function in PHP like this:
>exec("/usr/local/apache/current/bin/htpasswd -b .htpasswd $email $password");

Some warnings here:

1) If safe mode is on, you only get to run stuff out of a specific
directory, and all of the args get quoted into one big arg, which
won't work. And I'm not sure how you can make it work without
some kind of wrapper script in the safe mode execution directory.

2) This command gets passed to the shell, and as such, wildcards
get expanded by the shell. Expect trouble here if $password contains
stuff like *, ?, &, spaces, parentheses, brackets, braces, quotes,
semicolons, etc. The same goes for $email, but that's less likely
to have problems. Also, a password like:
foo`rm -rf *`bar
could wreak havoc.

Try:
$emailquoted = escapeshellarg($email);
$passwordquoted = escapeshellarg($password);
exec("/usr/local/apache/current/bin/htpasswd -b .htpasswd $emailquoted $passwordquoted");

3) What is the current working directory when htpasswd is executed?
Are you sure? ".htpasswd" is a relative path name. Maybe you should
pass an absolute path name.

4) Are you sure you have permissions on htpasswd (the command) and all
of the directories up to /?

>when the same thing is entered at the command line:
>/usr/local/apache/current/bin/htpasswd -b .htpasswd my_email my_password
>it works!

Are you running as the same user that Apache runs as? If not, try
it that way.

>Do you think my problem here is the 777 mod on the .htpasswd file? I

No, the 777 is a reason why Apache might refuse to use it, not why
htpasswd would refuse to modify it. I think.

>figured I'd open it all the way for testing purposes, and lock it down
>after I get it running, but maybe I'm shooting myself in the foot.
>any suggestions?


Gordon L. Burditt
Jul 17 '05 #4
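
An added example, not part of the original thread: one way to act on warnings 2 and 3 above by running htpasswd with no shell at all and with an absolute file path, while capturing the exit code and stderr. It goes beyond the thread in assuming PHP 7.4+ (array form of proc_open) and an Apache 2.4.4+ htpasswd (the -i flag); HTPASSWD_FILE and set_htpasswd_user() are hypothetical names.

```php
<?php
// Added example, not code from the thread.
const HTPASSWD_BIN  = '/usr/local/apache/current/bin/htpasswd';   // path used in the thread
const HTPASSWD_FILE = '/usr/local/apache/current/conf/.htpasswd'; // hypothetical absolute path

// Set or update one user. Returns [exitCode, stderrText]; 0 means success.
function set_htpasswd_user(string $user, string $password): array
{
    // Entries are "user:hash" lines, so refuse ':' and control characters;
    // refuse a leading '-' so the name can never be read as an option.
    if ($user === '' || $user[0] === '-' || preg_match('/[:\x00-\x1f\x7f]/', $user)) {
        return [-1, 'invalid user name'];
    }
    // -i takes the password as one line on stdin.
    if ($password === '' || preg_match('/[\r\n\x00]/', $password)) {
        return [-1, 'invalid password'];
    }
    // Array form: the binary is executed directly, with no shell in between,
    // so *, ?, ;, quotes and backticks in the arguments stay literal.
    $cmd  = [HTPASSWD_BIN, '-i', HTPASSWD_FILE, $user];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return [-1, 'could not start ' . HTPASSWD_BIN];
    }
    fwrite($pipes[0], $password . "\n"); // password never appears in argv
    fclose($pipes[0]);
    stream_get_contents($pipes[1]);      // drain stdout
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return [proc_close($proc), trim($stderr)];
}

// Constructed sample input: the hostile password quoted in the reply above
// is stored as a literal string because no shell ever sees it.
[$code, $err] = set_htpasswd_user('jen@example.com', 'foo`rm -rf *`bar');
if ($code !== 0) {
    error_log("htpasswd failed (exit $code): $err");
}
```

A non-zero exit code together with the stderr text (permission denied, file not found) exposes the cause that a bare exec() call hides, since exec() returns only the last line of stdout.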
