.htpasswd file cannot be moved?

It seems to be the case that the .htpasswd file must be created by DH and cannot be placed outside/above my web-accessible directory. Is this how it works?

I was trying to move my .htpasswd file to a directory outside my web accessible location but it never works. It asks repeatedly for the user/password. Once I change the .htaccess to point to the .htpasswd created by DH, it works. After being sure everything else is the same, it appears the only thing that’s different is the file’s group name. (I think I’m using the right terms.)

Thanks for your help,

We’re using .htpasswd file in our home directory just fine, so I would suggest that it is supposed to work. What do you have in the .htaccess file? What’s going on with the groups?

Nothing like someone telling me they can do what I cannot to make me dig some more :wink:

It appears that it does work but the new .htpasswd file that’s created or moved outside of the web accessible space needs permissions of 444, not 440 as originally created by the DH web panel. Just curious why this is.

The 440 permissions work fine if the .htpasswd is in the same directory as the .htaccess file (is that the right conclusion??). At least it works fine when I go through the web panel.

And my conclusion about the group name needing to come from DH was not correct.

Thanks for your reply.

Out of curiosity, are you running PHP as an Apache module?

I don’t know. How could I tell? If it takes doing something special to do this, I don’t think I am. And I’m not using any PHP explicitly in my testing, in case that wasn’t clear.

I don’t believe there’s any reason why the permissions of the .htpasswd file should need to be different in different filesystem locations.

Also, note that we automatically restrict access to files starting with .ht so keeping the file under your web area is still relatively ‘safe’, if that’s what you’re worried about. You should try to download the file yourself to see if it works or not.

  • Dallas
  • DreamHost Head Honcho/Founder

Oopsies, you’re right. I was thinking of something else altogether.

My thought in moving the .htpasswd out of web access area was that it would seem to be more secure. No, I cannot get to the file in the traditional ways but I thought this move would help prevent some untraditional ways I don’t know about. I thought this was going to be an appropriate little 1-minute tweak. Maybe I’ll just leave it where it is :wink: