# Clarify instructions for permissions for xymonpasswd xymongroups files 

--- a/xymond/etcfiles/xymon-apache-secure.DIST
+++ b/xymond/etcfiles/xymon-apache-secure.DIST
@@ -33,8 +33,19 @@ ScriptAlias @SECUREXYMONCGIURL@ "@SECURE
     Require ip 127.0.0.1/8 ::1/128
 
     # Password file where users with access to these scripts are kept.
-    # Create it with "htpasswd -c @INSTALLETCDIR@/xymonpasswd USERNAME"
-    # Add more users / change passwords with "htpasswd @INSTALLETCDIR@/xymonpasswd USERNAME"
+    # Although expected in $XYMONHOME/etc/ by the useradm and chpasswd
+    # scripts, files here can be read with the "config" message type, 
+    # which allows status-privileged clients to read arbitrary regular files 
+    # from the directory. 
+    # 
+    # This file should be owned and readable only by the apache server user,
+    # and ideally merely a symlink to a location outside of $XYMONHOME/etc/
+    # 
+    # Create it with:
+    #	htpasswd -c @INSTALLETCDIR@/xymonpasswd USERNAME
+    #	chown apache:apache @INSTALLETCDIR@/xymonpasswd
+    #	chmod 640 @INSTALLETCDIR@/xymonpasswd
+    # Add more users / change passwords with: "htpasswd @INSTALLETCDIR@/xymonpasswd USERNAME"
     #
     # You can also use a group file to restrict admin access to members of a
     # group, instead of anyone who is logged in. In that case you must setup
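Review bot: The added `chmod 640 @INSTALLETCDIR@/xymonpasswd` does not match the comment a few lines above it, which says the file should be "readable only by the apache server user": after `chown apache:apache`, mode 640 also lets every member of the apache group read the hashes, so `chmod 600` would fit the stated intent. `htpasswd -c` creates the file under the caller's umask, so it can sit world-readable in the etc directory until the chmod runs; a preceding `umask 077` line in the recipe would close that gap. The account name `apache` is distribution-specific (Debian-based systems use `www-data`), so the comment could add `# (replace apache with the user your web server runs as)`. The symlink advice presumably relies on the "config" message handler refusing to follow symlinks out of the directory, which is not visible in this hunk and is worth confirming before recommending it.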
