Posted to users@httpd.apache.org by Markus Mayer <my...@gmx.at> on 2005/07/25 16:11:36 UTC
[users@httpd] file security for apache/ftp users
Hi all,
I have a problem at the moment which has certainly been solved elsewhere;
however, I can't find an answer using Google.
We have an apache server running on a Unix system (AIX now, Solaris soon)
where users upload their web data using ftp. Our problem is that our current
scheme on the ftp side enables most users to see other users' documents if
they know the exact path to that user's documents. For example:
drwxrws--x 12 12286 35020 1536 Jul 08 16:37 group86
drwx-----x 2 12083 12083 512 Feb 07 13:13 user083
drwx-----x 4 12143 12143 512 Mar 02 2004 user143
drwx-----x 2 12321 12321 512 Jan 05 2001 user321
User and group names have been changed, however you get the idea. All users
are stored in an ldap database and authenticate against that. There are no
system users or groups. Each user gets their own unique numerical userid and
groupid. The groups are done so that multiple users can be a group member.
All group members need to have full access to the directory and its contents.
If, for example, user143 comes in using ftp and knows that inside group86
there is a document called group86/authorised/secure_document.pdf, they can
get to that document even if there is a .htaccess file in authorised
protecting access through apache. This applies to all other users too. Of
course this is unacceptable.
We did try changing all users to have their group as apache, which works fine
for individual users; however, it breaks our groups:
drwxrws--x 12 12286 apache 1536 Jul 08 16:37 group86
In the above example, the group members are no longer able to write to the
directory, which is of course also not what we want.
Several of us here have been trying to work out a solution; however, none is
forthcoming. We need to keep all user authentication data on our ldap server
and there should be no system groups or users outside what is absolutely
necessary to run the server. This is a problem someone else has surely
already solved, and I would greatly appreciate some information on how we can
solve this too. I'll even appreciate an RTFM if someone would just tell me
which FM to R...
regards
Markus.
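The traversal the post describes, modelled as an added example (this is not code from the post or from the Apache project). It implements the POSIX mode-bit check that an ftp daemon or shell login is subject to: every directory on the way to a file needs search permission (x) for the caller, and the file itself needs the requested bits; a directory with `--x` for "other" therefore lets anyone who knows the exact name descend through it, even though they cannot list it, and a `.htaccess` file never enters into this check. The uids and gids are those from the listing in the post; the mode of `authorised` (drwxrws--x), the mode of the document (-rw-rw-r--, the result of a typical umask 002 upload), the web server's uid 80, and its supplementary membership in group 35020 are assumptions made for the example. Root privilege and ACLs are not modelled.

```python
"""Model of the POSIX permission check on a path, to show why o+x on a
group directory exposes everything below it to any ftp user."""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # rwx bits of one class (owner, group or other)


@dataclass
class Node:
    mode: int                      # e.g. 0o2771 for drwxrws--x
    uid: int
    gid: int
    children: dict = field(default_factory=dict)


def perm_bits(node, uid, groups):
    """Bits that apply to this caller: owner class first, then group, then other.
    Exactly one class applies, as in POSIX (no root override modelled)."""
    if uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in groups:
        return (node.mode >> 3) & 7
    return node.mode & 7


def can_access(root, path, uid, groups, want):
    """Walk `path` from `root`. Each directory passed through needs X for the
    caller; the final component needs all bits in `want`. Listing a directory
    is modelled as want=R on the directory itself."""
    node = root
    for name in [p for p in path.split("/") if p]:
        if not perm_bits(node, uid, groups) & X:
            return False            # no search permission on this directory
        if name not in node.children:
            return False
        node = node.children[name]
    return perm_bits(node, uid, groups) & want == want


def build_tree(group86_mode):
    """Constructed sample tree mirroring the listing in the post.
    Only the mode of group86 varies; everything else is an assumption."""
    document = Node(0o664, 12286, 35020)                         # -rw-rw-r--
    authorised = Node(0o2771, 12286, 35020,
                      {"secure_document.pdf": document})         # drwxrws--x
    group86 = Node(group86_mode, 12286, 35020, {"authorised": authorised})
    user143 = Node(0o701, 12143, 12143)                          # drwx-----x
    return Node(0o755, 0, 0, {"group86": group86, "user143": user143})


# (uid, set of gids) for the callers compared below; memberships are assumed.
USER143 = (12143, {12143})                 # an unrelated ftp user
USER083 = (12083, {12083, 35020})          # a member of group86
APACHE_MEMBER = (80, {80, 35020})          # httpd uid added to the LDAP group
APACHE_ALONE = (80, {80})                  # httpd uid with no group membership

CURRENT = 0o2771     # drwxrws--x, as in the post
HARDENED = 0o2770    # drwxrws---, o+x removed

DOC = "group86/authorised/secure_document.pdf"


def scenario(group86_mode, who, path, want):
    uid, groups = who
    return can_access(build_tree(group86_mode), path, uid, groups, want)


if __name__ == "__main__":
    for label, mode in (("current  drwxrws--x", CURRENT), ("hardened drwxrws---", HARDENED)):
        print(label)
        print("  user143 list group86 :", scenario(mode, USER143, "group86", R))
        print("  user143 read document:", scenario(mode, USER143, DOC, R))
        print("  user083 write document:", scenario(mode, USER083, DOC, R | W))
        print("  apache (in group) read:", scenario(mode, APACHE_MEMBER, DOC, R))
        print("  apache (no group) read:", scenario(mode, APACHE_ALONE, DOC, R))
```

What the model shows: under the current scheme user143 cannot list group86 but can still read the document, because "other" has search permission all the way down and the file is world-readable. Removing o+x from group86 closes that hole for user143 but also for httpd, which today reaches the tree only through the "other" bits. Whoever still needs to read the tree then has to get there some other way, such as membership in the group or an ACL entry, which is the trade-off the post is asking about.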
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org