
Use of the Access Control Editor

by Colin McCormack

Introduction

Several directories and domains, such as /status, /debug and /admin, must be protected, or the installation will not be secure from remote attack. As distributed, Tclhttpd defaults to safe but restrictive permissions.

Opening access to these sensitive facilities on a new installation requires that the admin create system-wide user and group files, and .htaccess files in the various directories which need to be protected.

The Access Control Editor maintains three kinds of file:

.htaccess file

The per-directory control file, as detailed here.

group file

Consisting of lines formatted as: group_name: member, member ...

user file

Consisting of lines formatted as: user_name: password

As it is necessary to have an administrative password before safely administering access control, some bootstrapping is required.

Bootstrapping New Installations

To begin to administer access control through the editor one may log in as the user webmaster with the password in /tmp/tclhttpd.default.

The first thing one should do is decide where the installation's user and group files will reside and create a password for webmaster.

Note: It is crucial that the user file not be visible from the web - it must not reside under the document root!

Once the user and group files are created and populated with values, you can secure the Access Control Editor itself by editing the access control for its own directory, /htaccess.

Having secured /htaccess, one can freely use it to secure any directory or domain.
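As an added example (not code from the original page or from the Tclhttpd distribution), the following Python script parses group and user files in the two line formats described above and runs the checks an administrator would want to make before opening /status, /debug or /admin: that the user file does not resolve to a path under the document root, that the webmaster account exists in the user file, and that every group member is a defined user. The sample file contents, the paths, and the handling of blank lines and "#" comments are constructed assumptions; the page specifies only the record format.

```python
from pathlib import Path

# Constructed sample files in the formats the page describes (not real installation data).
GROUP_FILE_TEXT = """\
# web groups, one per line: group_name: member, member ...
admins: webmaster, colin
staff: colin, alice
"""

USER_FILE_TEXT = """\
# web users, one per line: user_name: password
webmaster: s3cret
colin: hunter2
alice: letmein
"""


def _records(text):
    """Yield (lineno, line) for non-empty lines; '#' comments are skipped (an assumption)."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield lineno, line


def parse_group_file(text):
    """Parse 'group_name: member, member ...' lines into {group: [members]}."""
    groups = {}
    for lineno, line in _records(text):
        name, sep, members = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"group file line {lineno}: expected 'group_name: member, ...'")
        groups[name.strip()] = [m.strip() for m in members.split(",") if m.strip()]
    return groups


def parse_user_file(text):
    """Parse 'user_name: password' lines into {user: password}."""
    users = {}
    for lineno, line in _records(text):
        name, sep, password = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"user file line {lineno}: expected 'user_name: password'")
        users[name.strip()] = password.strip()
    return users


def groups_of(user, groups):
    """Return the sorted list of groups that list `user` as a member."""
    return sorted(g for g, members in groups.items() if user in members)


def user_file_outside_docroot(user_file, doc_root):
    """True when `user_file` does not resolve to a path under `doc_root`.

    Paths are resolved (symlinks followed) before comparison so that a
    user file reachable through a link into the document root is also caught.
    """
    uf = Path(user_file).resolve()
    dr = Path(doc_root).resolve()
    try:
        uf.relative_to(dr)
    except ValueError:
        return True
    return False


def check_installation(users, groups, user_file, doc_root):
    """Return a list of findings; an empty list means the checks all passed."""
    findings = []
    if not user_file_outside_docroot(user_file, doc_root):
        findings.append(f"user file {user_file} lies under the document root {doc_root}")
    if "webmaster" not in users:
        findings.append("no 'webmaster' entry in the user file; bootstrapping is incomplete")
    for group, members in groups.items():
        for member in members:
            if member not in users:
                findings.append(f"group '{group}' lists unknown user '{member}'")
    return findings


if __name__ == "__main__":
    users = parse_user_file(USER_FILE_TEXT)
    groups = parse_group_file(GROUP_FILE_TEXT)
    # Assumed paths: the user file outside the document root, as the page requires.
    for finding in check_installation(users, groups, "/var/lib/tclhttpd/users", "/var/www/htdocs"):
        print("FINDING:", finding)
    print("colin belongs to:", groups_of("colin", groups))
```

The checks only report; they do not alter the files, so the script can be run against a live installation's copies without affecting the server.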

Configuration Options

Several configuration options in tclhttpd.rc control how authentication occurs:

Auth
The default webmaster password.

If this is undefined, a new random password is created in /tmp/tclhttpd.default every time the server is restarted. If it is defined, it is the plaintext default password for a user called webmaster, who has (by default) complete access to the Access Control Editor.

After bootstrapping, it would be advisable to set this value to "".

AuthUserFile

The default name of the file containing web user passwords (note, this should be different from your system's default password file, if any).

AuthGroupFile

The default name of a file containing web groups.

Last modified: Tue Mar 23 01:47:39 EST 2004