Comments on: .htaccess files and groups

Question: .htaccess files and groups

chillmost — Fri, 11 Jul 2008 06:37:30 -0800

I'm configuring some htaccess files for multiple directories and I'm having some problems incorporating groups of authorized users.

Say there's 4 directories with protected content in each: 2005, 2006, 2007, 2008

The people that have access are subscribers. Some users have access to all directories, and some users have access only for some. Access is granted based on password or IP address/range.

For this situation I have an .htaccess file similar this in each directory:

AuthType Basic
AuthName "2008 Subscriptions"
AuthUserFile /path/to/password/file/2008.pw
require valid-user
Satisfy any
order deny,allow
allow from 123.123.123.123
allow from 223.223.223.223
allow from 123.156.0.0/16
and so on
and so on
and so on
deny from all

This works perfectly for the situation described above.

The IP addresses in the .htaccess files and users in the password files are pretty static. Once they are in there, they usually stay. However, there is a small group of people, we'll call them editors, that is very dynamic. People are constantly being added to and removed from this list. These editors should have access to all 4 directories. Currently they are given access permission via the password file shown above. This means that if an editor is added or removed, I have to make the change in 4 different files. Sometimes they are accidentally not added or removed to all the lists and then they complain and somebody has to fix it with a lot of back and forth and yada yada.

I want to set up a group just for the editors. I want to have just one list that I have to edit instead of 4 whenever a change is made.

However, from what I find in my searching, the way to add groups is to add the line:

AuthGroupFile /path/to/editors/file/.htgroup

and inside this file add something like:

editors: john sally joe

My questions:
How do I assign passwords to these users?

Does this mean that in addition to maintaining this htgroup file, I need to assign and maintain another password file as well?
-If so, that isn't what I want because I only want to have to edit ONE file for the editors, NOT TWO.

Is this possible?
Am I going about this the wrong way?

By: teraflop

teraflop — Fri, 11 Jul 2008 09:50:36 -0800

First Apache verifies the user's credentials with the password file; then it checks the group file to see whether that user is authorized. As far as I can tell, it doesn't allow you to combine password and group information into one file. There is an option to do so with mod_auth_dbm, but I've never tried it. (What version of Apache are you running?)

Is editing two files (independent of the number of protected directories) really such a big deal? If it is, why not just create a simple shell script that modifies both files for you?

By: chillmost

chillmost — Sat, 12 Jul 2008 01:30:12 -0800

Is editing two files (independent of the number of protected directories) really such a big deal?

Yes. It increases the possibility of error that we are trying to reduce. If I understand you correctly, this would actually increase the number of files I would have to edit. It seems that the way we have it now is the easiest.
If it is, why not just create a simple shell script that modifies both files for you?

Because I don't know how. See you in a week with my new question about writing shell scripts. ;-)

Actually, I'll see if I can whip up a little php/mysql backend thingie that will regenerate the files every time a change is made.