Posted to users@httpd.apache.org by Scott Gifford <sg...@suspectclass.com> on 2009/10/27 09:05:00 UTC

[users@httpd] Different Limit rules on the same directory with mod_ftp

Hello,

I'm using mod_ftp to provide authenticated FTP access to a Web
directory.  It is mostly read-only, but a few users should have write
access to the directory.  I am using mod_auth_mysql with groups for
authentication; there is a reader group and a writer group, and the
user with write access is in both groups.

Everything works OK if I just provide read access or write access, but
when I try to provide one group for write access and another for read
access, it ends up providing both groups with read-write access.  My
rules look like this:

  <Directory "/path/to/ftp">
      Include mysql_auth.conf
    <Limit MKD RMD STOR DELE RNFR>
      require group writer
    </Limit>
    <LimitExcept MKD RMD STOR DELE RNFR>
      Include idx_auth.conf
      require group reader
    </LimitExcept>
  </Directory>

I am not really sure how to troubleshoot this.

Does anybody have a similar configuration working, or any other
advice?

Thanks!

---Scott.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Different Limit rules on the same directory with mod_ftp

Posted by Scott Gifford <sg...@suspectclass.com>.
Nick Kew <ni...@webthing.com> writes:

> Scott Gifford wrote:
>> Hello,
>> I'm using mod_ftp to provide authenticated FTP access to a Web
>> directory.  It is mostly read-only, but a few users should have write
>> access to the directory.  I am using mod_auth_mysql with groups for
>
> What mod_auth_mysql?
>
> There are several third-party modules with that name.  

I am using the Debian package libapache2-mod-auth-mysql, which is
targeted to Apache 2.2.  The package is for version 4.3.9-11, and it
includes mod_auth_mysql.so and has a copyright of:

    * Copyright (c) 2001 by J. R. Westmoreland <jr...@jrw.org>
    * Portions Copyright (c) 2002-2004 by Matthew Palmer <mp...@debian.org>

> They are essentially obsoleted by the DBD framework in HTTPD/2.2.
> So you are probably using a module written for the HTTPD/2.0 authnz
> framework rather than the 2.2 one.

I could switch to the DBD framework if that is likely to help with the
problem at hand.  I used this mod_auth_mysql module because it was
readily available in Debian and I was able to find some example code
and get it working quickly, but am otherwise not attached to it.

>>   <Directory "/path/to/ftp">
>>       Include mysql_auth.conf
>>     <Limit MKD RMD STOR DELE RNFR>
>>       require group writer
>>     </Limit>
>>     <LimitExcept MKD RMD STOR DELE RNFR>
>>       Include idx_auth.conf
>>       require group reader
>>     </LimitExcept>
>>   </Directory>
>
> What's in those Includes?  <Limit> is not a general-purpose
> container, so it may not work as you expect on some or all
> of the contents of idx_auth.conf.

There is really only one file, I made an error cleaning up my email
message and changed the name in one place but not the other.  It is
basically configuration options for mod_auth_mysql.  I have tried
including it only in the containing <Directory> element, in both
<Limit> elements, and in just the second <Limit> element.  Here are
the contents, with passwords elided:

    # Disable other auth modules
    AuthBasicAuthoritative Off
    AuthUserFile /dev/null

    # Configure Auth_MySQL
    Auth_MySQL on
    Auth_MySQL_Host localhost
    Auth_MySQL_User apache_auth
    Auth_MySQL_Password xxx
    Auth_MySQL_DB idx_users
    Auth_MySQL_Password xxx
    Auth_MySQL_Group_Table users
    Auth_MySQL_Username_Field user
    Auth_MySQL_Password xxx
    Auth_MySQL_Group_Field groups
    Auth_MySQL_Encryption_Types Crypt
    Auth_MySQL_Empty_Password xxx
    Auth_MySQL_Authoritative on

    AuthName "My Auth"
    AuthType basic

What would be really useful is some hints for troubleshooting this.  I
can't tell if mod_ftp is misbehaving, or mod_auth_mysql, or Apache, or
if everything is behaving as designed and I just misunderstand what
it's doing.  I can't figure out a way to nail it down so I can take a
closer look at just one part.

Thanks for any advice!

----Scott.
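
One way to take a closer look at just the authorization part, as an added example that is not part of the original thread: log in once per account, attempt each command named in the `<Limit>` block, and compare what the server accepted with the intended policy. The names `probe`, `violations`, `FakeFTP`, `rdr` and `wtr` are hypothetical; `FakeFTP` is a constructed stand-in so the check runs offline, and against a real server `probe()` takes a logged-in `ftplib.FTP` object instead.

```python
import io
from ftplib import error_perm

# Commands the thread's <Limit> block reserves for the "writer" group.
WRITE_CMDS = ("MKD", "STOR", "RNFR", "DELE", "RMD")

def probe(ftp, name="authz_probe"):
    """Try each write command on a logged-in ftplib.FTP-like object.
    Returns {command: True if accepted, False if refused with a 5xx reply}."""
    steps = {
        "MKD": lambda: ftp.mkd(name + ".d"),
        "STOR": lambda: ftp.storbinary("STOR " + name + ".txt", io.BytesIO(b"probe\n")),
        "RNFR": lambda: ftp.rename(name + ".txt", name + ".ren"),  # sends RNFR, then RNTO
        "DELE": lambda: ftp.delete(name + ".ren"),
        "RMD": lambda: ftp.rmd(name + ".d"),
    }
    result = {}
    for cmd in WRITE_CMDS:
        try:
            steps[cmd]()
            result[cmd] = True
        except error_perm:
            result[cmd] = False
    return result

def violations(results, may_write):
    """List (user, command) pairs where the server's answer differs from policy."""
    return sorted((user, cmd) for user, res in results.items()
                  for cmd, ok in res.items() if ok != may_write[user])

class FakeFTP:
    """Constructed stand-in for ftplib.FTP (assumption: refusals arrive as 5xx)."""
    def __init__(self, allow):
        self.allow = allow
    def _do(self, *args):
        if not self.allow:
            raise error_perm("550 Permission denied")
        return "250 OK"
    mkd = storbinary = rename = delete = rmd = _do

def demo():
    # Constructed sessions reproducing the reported symptom: "rdr" is meant to
    # be read-only, yet the server accepts every write command from it.
    results = {"rdr": probe(FakeFTP(True)), "wtr": probe(FakeFTP(True))}
    return violations(results, {"rdr": False, "wtr": True})
```

A refusal of RNFR, DELE or RMD after an earlier step was refused can also mean the target does not exist, so only an accepted command from the read-only account is conclusive.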



Re: [users@httpd] Different Limit rules on the same directory with mod_ftp

Posted by Nick Kew <ni...@webthing.com>.
Scott Gifford wrote:
> Hello,
> 
> I'm using mod_ftp to provide authenticated FTP access to a Web
> directory.  It is mostly read-only, but a few users should have write
> access to the directory.  I am using mod_auth_mysql with groups for

What mod_auth_mysql?

There are several third-party modules with that name.  They are
essentially obsoleted by the DBD framework in HTTPD/2.2.  So you
are probably using a module written for the HTTPD/2.0 authnz
framework rather than the 2.2 one.

>   <Directory "/path/to/ftp">
>       Include mysql_auth.conf
>     <Limit MKD RMD STOR DELE RNFR>
>       require group writer
>     </Limit>
>     <LimitExcept MKD RMD STOR DELE RNFR>
>       Include idx_auth.conf
>       require group reader
>     </LimitExcept>
>   </Directory>

What's in those Includes?  <Limit> is not a general-purpose
container, so it may not work as you expect on some or all
of the contents of idx_auth.conf.

-- 
Nick Kew
