Posted to users@httpd.apache.org by Steve Dalton <st...@gmail.com> on 2009/02/05 09:01:09 UTC

Re: [users@httpd] How to serve up different content depending on authenticated user

Thanks guys
I managed to do something similar in the end, using the prefix user_ for
each user directory then adding .htaccess to root dir of:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /var/www/passwd/htpasswd
Require valid-user

RewriteEngine on
RewriteCond $1 !^user_
RewriteCond %{REMOTE_USER} ^([a-z0-9_]+)$
RewriteRule (.*) /var/www/accesstest/user_%1/$1 [

The only problem with this is that any user could access other users'
directories... so I then had to add an additional .htaccess of

require user spidie

to the user_spidie directory... etc etc.

Hopefully there is a better way to automate this - I don't like the extra
.htaccess as, if the file accidentally gets deleted, the directory is open to
valid users again.

Steve

On Thu, Feb 5, 2009 at 5:44 PM, André Warnier <aw...@ice-sa.com> wrote:

> Matt McCutchen wrote:
>
>> On Thu, 2009-02-05 at 15:13 +1000, Steve Dalton wrote:
>>
>>> I'm running apache 2.2 on Ubuntu and I need to serve up a different
>>> directory depending on the user that is authorised with the server.
>>> I've checked the mailing list and apache docs but haven't found much so
>>> far - I may just not have the proper search terms though (I don't know
>>> how best to describe it)
>>>
>>> eg.
>>>
>>> http://spidie@foo.com -> /var/www/private/spidie
>>> http://fred@foo.com -> /var/www/private/fred
>>>
>>
>> How about this:
>>
>> RewriteEngine On
>> RewriteRule ^(.*)$ /var/www/private/%{REMOTE_USER}/$1
>>
> The above assuming that indeed the users are "authorised" (or rather in
> this case "authenticated") by the time the rule kicks in.
> But since the users can only be authenticated based on some "Auth..."
> section with a "Require ..." , where would these rules be ?
> Isn't there some chicken-and-egg situation there ?
>
>
>
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>  "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>


-- 
I did have a signature, but the dog ate it.

google:steve.dalton | skype:spidieman | msn: msn@steve.dalts.net |
yahoo:daltonsp | aol: spidie100 | twitter: @spidie | mynetfone:09203861

Re: [users@httpd] How to serve up different content depending on authenticated user

Posted by Steve Dalton <st...@gmail.com>.
Yes - I have it in the virtual host config for the particular named host
(i.e. the config in the sites-enabled directory on Ubuntu). It's running on
the SSL part of the site (the non-SSL is a drupal site). It does work.

I see what you mean on the .htaccess... great!

Steve

On Mon, Feb 9, 2009 at 1:16 PM, Matt McCutchen <ma...@mattmccutchen.net> wrote:

> On Mon, 2009-02-09 at 12:31 +1000, Steve Dalton wrote:
> > RewriteRule ^(.*)$ /var/www/accesstest/%{LA-U:REMOTE_USER}/$1
> >
> > didn't work for me. But
> >
> > RewriteEngine on
> > RewriteCond %{ENV:REDIRECT_PREFIXED_USER} !1
> > RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1 [E=PREFIXED_USER:1]
> >
> > worked a treat - I didn't put it in .htaccess - just in the vhost.
>
> By "vhost", I meant in (or in a file included by) your main httpd.conf .
> Do you mean the top-level htaccess file?  Because I would be really
> surprised if the %{REMOTE_USER} reference worked in the main
> configuration.
>
> Rewrite rules in the main configuration run only once, at an early stage
> of request processing before %{REMOTE_USER} has been determined.
> Rewrite rules in htaccess files run at a late stage where the only way
> they can perform a rewrite is to issue an internal redirect, which
> restarts the process from the beginning, hence the possibility of
> looping.
>
> > Each user directory still has to have a .htaccess to have the correct
> > "require user <user>" in it.
>
> I don't believe this is necessary for security: since your rule will
> always prepend the name of the logged-in user (and the environment
> variable that disables it can't be set by a client), I don't see a way
> one user could access another user's directory.  Individual "require
> user" directives may still be a worthwhile second line of defense.
>
> > Unless someone has a better idea...? Can you specify the "require
> > user" part somewhere in vhost config based on the directory that you
> > are currently in?... the directory name will always be the same as the
> > user.
>
> I was going to suggest a rewrite rule that would raise error 401
> (Authorization Required) if the %{REMOTE_USER} doesn't match the
> directory, but I realized that wouldn't really add anything to what you
> are already doing.
>
> --
> Matt
>
>
>
>



Re: [users@httpd] How to serve up different content depending on authenticated user

Posted by Matt McCutchen <ma...@mattmccutchen.net>.
On Mon, 2009-02-09 at 12:31 +1000, Steve Dalton wrote:
> RewriteRule ^(.*)$ /var/www/accesstest/%{LA-U:REMOTE_USER}/$1
> 
> didn't work for me. But
> 
> RewriteEngine on
> RewriteCond %{ENV:REDIRECT_PREFIXED_USER} !1
> RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1 [E=PREFIXED_USER:1]
> 
> worked a treat - I didn't put it in .htaccess - just in the vhost. 

By "vhost", I meant in (or in a file included by) your main httpd.conf .
Do you mean the top-level htaccess file?  Because I would be really
surprised if the %{REMOTE_USER} reference worked in the main
configuration.

Rewrite rules in the main configuration run only once, at an early stage
of request processing before %{REMOTE_USER} has been determined.
Rewrite rules in htaccess files run at a late stage where the only way
they can perform a rewrite is to issue an internal redirect, which
restarts the process from the beginning, hence the possibility of
looping.

> Each user directory still has to have a .htaccess to have the correct
> "require user <user>" in it.

I don't believe this is necessary for security: since your rule will
always prepend the name of the logged-in user (and the environment
variable that disables it can't be set by a client), I don't see a way
one user could access another user's directory.  Individual "require
user" directives may still be a worthwhile second line of defense.

> Unless someone has a better idea...? Can you specify the "require
> user" part somewhere in vhost config based on the directory that you
> are currently in?... the directory name will always be the same as the
> user.

I was going to suggest a rewrite rule that would raise error 401
(Authorization Required) if the %{REMOTE_USER} doesn't match the
directory, but I realized that wouldn't really add anything to what you
are already doing.

-- 
Matt
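
The per-user "Require user" blocks Matt suggests as a second line of defense can be generated from the AuthUserFile and kept in the vhost config, where they cannot vanish with a deleted .htaccess. This is an added Python example, not code from the thread: it uses the thread's paths, validates each username against Steve's ^[a-z0-9_]+$ pattern before it becomes part of a <Directory> path (a bare sed over the file does not), and the sample htpasswd content is constructed.

```python
import re

USER_ROOT = "/var/www/accesstest"          # user directories from the thread
HTPASSWD = "/var/www/passwd/htpasswd"      # Steve's AuthUserFile

# Steve's RewriteCond only accepted REMOTE_USER matching ^[a-z0-9_]+$; reusing
# it here keeps slashes, dots and spaces out of any <Directory> path we emit.
USERNAME_RE = re.compile(r"^[a-z0-9_]+$")


def parse_htpasswd(lines):
    """Return the usernames from htpasswd content ("user:hash" per line),
    skipping blank lines and '#' comments."""
    users = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, _digest = line.partition(":")
        if not sep or not user:
            raise ValueError(f"{HTPASSWD}:{lineno}: expected user:hash")
        users.append(user)
    return users


def directory_block(user):
    """One <Directory> block with the Require user that Matt's sed emits,
    refusing names that could not safely name a directory under USER_ROOT."""
    if not USERNAME_RE.match(user):
        raise ValueError(f"refusing to emit a <Directory> for username {user!r}")
    return (f"<Directory {USER_ROOT}/{user}>\n"
            f"    Require user {user}\n"
            f"</Directory>")


def generate_config(lines):
    """Config fragment to Include from the vhost: one block per user."""
    return "\n\n".join(directory_block(u) for u in parse_htpasswd(lines)) + "\n"


# Constructed sample file; the hashes are placeholders, not real digests.
SAMPLE_HTPASSWD = [
    "# constructed sample",
    "spidie:$apr1$PLACEHOLDER",
    "",
    "fred:$apr1$PLACEHOLDER",
]

if __name__ == "__main__":
    print(generate_config(SAMPLE_HTPASSWD), end="")
```

Regenerate the fragment whenever htpasswd changes (the same step that creates the skeleton directory) and reload httpd.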




Re: [users@httpd] How to serve up different content depending on authenticated user

Posted by Steve Dalton <st...@gmail.com>.
Thanks Matt

RewriteRule ^(.*)$ /var/www/accesstest/%{LA-U:REMOTE_USER}/$1

didn't work for me. But

RewriteEngine on
RewriteCond %{ENV:REDIRECT_PREFIXED_USER} !1
RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1 [E=PREFIXED_USER:1]

worked a treat - I didn't put it in .htaccess - just in the vhost.

Each user directory still has to have a .htaccess to have the correct
"require user <user>" in it. I will just copy this in when the skeleton
directory is created. Regular users don't have write access to the
directories - so the only person that could possibly accidentally delete it
is the administrator. I will probably just change the owner to root only and
group read by the admin to prevent this.

Unless someone has a better idea...? Can you specify the "require user" part
somewhere in vhost config based on the directory that you are currently
in?... the directory name will always be the same as the user.

Steve



On Fri, Feb 6, 2009 at 12:42 PM, Matt McCutchen <ma...@mattmccutchen.net> wrote:

> On Thu, 2009-02-05 at 20:10 +1000, Steve Dalton wrote:
> > Matt - That method didn't work for me... it got into an internal
> > recursion and bombed out after 10 redirects. I think you do perhaps
> > need to test for something to stop it going on forever.
>
> Does this happen even with the rule in the vhost configuration?  (I was
> pretty sure rules there were executed only once.)  If so, please set
> "RewriteLogLevel 9" and post the portion of your rewrite_log
> corresponding to one request so I can see what happened.
>
>    On Thu, 2009-02-05 at 06:18 -0500, Eric Covener wrote:
>    > Needs lookahead (LA) to see %{REMOTE_USER} in per-vhost Rewrite.
>
> Indeed, I missed that in the docs.  If you stick with the rule in the
> vhost configuration, it should become:
>
> RewriteRule ^(.*)$ /var/www/accesstest/%{LA-U:REMOTE_USER}/$1
>
> Or you could put the rule in htaccess and find a proper solution to
> avoid looping without letting users access each others' directories.
> What I do on my Web site is condition the rule on a custom environment
> variable being unset and have the rule set that variable.  (Unlike the
> "user_" prefix, clients can't set environment variables.)  Note that an
> internal redirect prepends REDIRECT_ to environment variable names.  For
> instance, you could do:
>
> RewriteEngine on
> RewriteCond %{ENV:REDIRECT_PREFIXED_USER} !1
> RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1 [E=PREFIXED_USER:1]
>
> > Andre - I think you are right... that's why you still need to have a
> > "Require user <user>" in a separate directive for each directory....
>
> No, Eric is right:
>
>    On Thu, 2009-02-05 at 06:32 -0500, Eric Covener wrote:
>    > In per-vhost rewrite, you've replaced the bit of code that would kick
>    > that request out with a 400 by using rewrite. However, the ..'s have
>    > still been flattened before the rewrite starts.  You would see a
>    > relative path such as "index.html" as the URI in your rule.
>    >
>    > If you had only per-directory rules, the core code that maps URIs to
>    > the filesystem would return 400 before you got to them
>
> Specifically, ap_process_request_internal calls ap_getparents to strip
> all .. components before any filesystem walking or rewriting occurs:
>
> http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/server/request.c
>
> Thus, users can't circumvent your rule using "..".
>
> That said, if you use the htaccess RewriteRule, it will run at a very
> late stage of request processing, so a client who specifies another
> user's directory might trigger something in an htaccess file there
> before your RewriteRule has a chance to prepend the client's own
> directory.  Thus, you should be careful what you allow in htaccess files
> in user directories.  On the other hand, the use of lookahead in the
> vhost RewriteRule may raise a similar issue unless you put the user
> directories outside the document root.  (I'm not totally sure of my
> reasoning here; corrections welcome.)
>
> > it's a pain but the only way I can see it working. I think perhaps you
> > could write a macro to automatically add this directive for each
> > directory - but I haven't got into that yet.
>
> That may still be worth doing as a second line of defense.  Try this:
>
> sed -re 's,^(.*):.*$,<Directory /var/www/accesstest/\1>\nRequire user \1\n</Directory>,' </var/www/passwd/htpasswd
>
> --
> Matt
>
>
>
>



Re: [users@httpd] How to serve up different content depending on authenticated user

Posted by Matt McCutchen <ma...@mattmccutchen.net>.
On Thu, 2009-02-05 at 20:10 +1000, Steve Dalton wrote:
> Matt - That method didn't work for me... it got into an internal
> recursion and bombed out after 10 redirects. I think you do perhaps
> need to test for something to stop it going on forever.

Does this happen even with the rule in the vhost configuration?  (I was
pretty sure rules there were executed only once.)  If so, please set
"RewriteLogLevel 9" and post the portion of your rewrite_log
corresponding to one request so I can see what happened.

    On Thu, 2009-02-05 at 06:18 -0500, Eric Covener wrote: 
    > Needs lookahead (LA) to see %{REMOTE_USER} in per-vhost Rewrite.

Indeed, I missed that in the docs.  If you stick with the rule in the
vhost configuration, it should become:

RewriteRule ^(.*)$ /var/www/accesstest/%{LA-U:REMOTE_USER}/$1

Or you could put the rule in htaccess and find a proper solution to
avoid looping without letting users access each others' directories.
What I do on my Web site is condition the rule on a custom environment
variable being unset and have the rule set that variable.  (Unlike the
"user_" prefix, clients can't set environment variables.)  Note that an
internal redirect prepends REDIRECT_ to environment variable names.  For
instance, you could do:

RewriteEngine on
RewriteCond %{ENV:REDIRECT_PREFIXED_USER} !1
RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1 [E=PREFIXED_USER:1]

> Andre - I think you are right... that's why you still need to have a
> "Require user <user>" in a separate directive for each directory....

No, Eric is right:

    On Thu, 2009-02-05 at 06:32 -0500, Eric Covener wrote:
        > In per-vhost rewrite, you've replaced the bit of code that would kick
        > that request out with a 400 by using rewrite. However,  the ..'s have
        > still been flattened before the rewrite starts.  You would see a
        > relative path such as "index.html" as the URI in your rule.
        >
        > If you had only per-directory rules, the core code that maps URIs to
        > the filesystem would return 400 before you got to them

Specifically, ap_process_request_internal calls ap_getparents to strip
all .. components before any filesystem walking or rewriting occurs:

http://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x/server/request.c

Thus, users can't circumvent your rule using "..".

That said, if you use the htaccess RewriteRule, it will run at a very
late stage of request processing, so a client who specifies another
user's directory might trigger something in an htaccess file there
before your RewriteRule has a chance to prepend the client's own
directory.  Thus, you should be careful what you allow in htaccess files
in user directories.  On the other hand, the use of lookahead in the
vhost RewriteRule may raise a similar issue unless you put the user
directories outside the document root.  (I'm not totally sure of my
reasoning here; corrections welcome.)

> it's a pain but the only way I can see it working. I think perhaps you
> could write a macro to automatically add this directive for each
> directory - but I haven't got into that yet.

That may still be worth doing as a second line of defense.  Try this:

sed -re 's,^(.*):.*$,<Directory /var/www/accesstest/\1>\nRequire user \1\n</Directory>,' </var/www/passwd/htpasswd

-- 
Matt
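
The two security points argued above, as an added Python model (not code from the thread and not httpd's own code): the URI is flattened ap_getparents-style before any rewrite runs, so a ".." can only ever land inside the authenticated user's own directory, and the REDIRECT_PREFIXED_USER guard is what stops the internal-redirect loop Steve hit. The paths and the 10-redirect limit come from the thread; the flattening is a deliberately simplified model of ap_getparents, not a port of it.

```python
import posixpath
import re

USER_ROOT = "/var/www/accesstest"   # directory layout from the thread
MAX_REDIRECTS = 10                  # httpd gives up after 10 internal redirects


def getparents(uri):
    """Simplified model of httpd's ap_getparents(): drops "." segments and
    resolves ".." against the preceding segment.  A ".." that climbs past
    the root is discarded and the leading "/" is lost, so "/../x" comes
    out as the relative path "x", which is what Eric describes."""
    absolute = uri.startswith("/")
    out = []
    for seg in uri.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            else:
                absolute = False
        else:
            out.append(seg)
    path = "/".join(out)
    return "/" + path if absolute else path


def rewrite_rule(uri, remote_user, env, guarded=True):
    """Model of Matt's guarded htaccess rule:
         RewriteCond %{ENV:REDIRECT_PREFIXED_USER} !1
         RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1 [E=PREFIXED_USER:1]
    Returns (new_uri, new_env), or None when the rule does not fire.
    guarded=False models the first rule, without the RewriteCond."""
    if guarded and env.get("REDIRECT_PREFIXED_USER") == "1":
        return None
    m = re.match(r"^(.*)$", uri)
    # per-directory rewriting sees the path without its leading "/"
    new_uri = f"{USER_ROOT}/{remote_user}/{m.group(1).lstrip('/')}"
    return new_uri, {**env, "PREFIXED_USER": "1"}


def process_request(uri, remote_user, guarded=True):
    """Model of the request cycle: the URI is flattened before any rewriting,
    and every rewrite from an htaccess file is an internal redirect that
    restarts processing with environment variables renamed to REDIRECT_*.
    Returns (final_path, redirects); raises RuntimeError once the redirect
    limit is exceeded, which is the loop Steve observed without the guard."""
    uri = getparents(uri)
    env = {}
    redirects = 0
    while True:
        result = rewrite_rule(uri, remote_user, env, guarded)
        if result is None:
            return uri, redirects
        uri, env = result
        redirects += 1
        if redirects > MAX_REDIRECTS:
            raise RuntimeError(f"more than {MAX_REDIRECTS} internal redirects")
        env = {"REDIRECT_" + k: v for k, v in env.items()}


def confined_to_own_dir(path, remote_user):
    """True when the final filesystem path lies under the user's directory."""
    return posixpath.normpath(path).startswith(f"{USER_ROOT}/{remote_user}/")


if __name__ == "__main__":
    for uri in ("/index.html", "/../user2/index.html", "/docs/../../user2/pins.html"):
        path, hops = process_request(uri, "user1")
        ok = confined_to_own_dir(path, "user1")
        print(f"{uri:30} -> {path}  ({hops} redirect, confined={ok})")
    try:
        process_request("/index.html", "user1", guarded=False)
    except RuntimeError as exc:
        print("unguarded rule:", exc)
```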




Re: [users@httpd] How to serve up different content depending on authenticated user

Posted by Steve Dalton <st...@gmail.com>.
Matt - That method didn't work for me... it got into an internal recursion
and bombed out after 10 redirects. I think you do perhaps need to test for
something to stop it going on forever.

Andre - I think you are right... that's why you still need to have a
"Require user <user>" in a separate directive for each directory.... it's a
pain but the only way I can see it working. I think perhaps you could write
a macro to automatically add this directive for each directory - but I
haven't got into that yet.

Steve

On Thu, Feb 5, 2009 at 6:41 PM, André Warnier <aw...@ice-sa.com> wrote:

> Matt McCutchen wrote:
>
>> On Thu, 2009-02-05 at 18:01 +1000, Steve Dalton wrote:
>>
>>> I managed to do something similar in the end, using the prefix user_
>>> for each user directory then adding .htaccess to root dir of:
>>>
>>> AuthType Basic
>>> AuthName "Restricted Files"
>>> AuthUserFile /var/www/passwd/htpasswd
>>> Require valid-user
>>>
>>> RewriteEngine on
>>> RewriteCond $1 !^user_
>>> RewriteCond %{REMOTE_USER} ^([a-z0-9_]+)$
>>> RewriteRule (.*) /var/www/accesstest/user_%1/$1 [
>>>
>>> The only problem with this is that any user could access other users
>>> directories... so I then had to add an additional .htaccess of
>>> require user spidie
>>>
>>> to the user_spidie directory... etc etc.
>>>
>>
>> If you put the rewrite rules in the main server configuration rather
>> than an htaccess file, you don't have to worry about them being run
>> multiple times, so you can drop the user_ prefix and condition.  You
>> don't need to condition on %{REMOTE_USER} either because rewrite rules
>> don't run until after the user gains authorization.  The rule I gave
>> earlier (updated for your directory name) should just work:
>>
>> RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1
>>
> (Not trying to be sarcastic here, it's a genuine question)
>
> What happens if Evil Hacker me logs in as user1 and then requests in my
> browser http://foo.com/../user2/index.html ?
> Taken literally, the RewriteRule above should rewrite this as
> /var/www/accesstest/user1/../user2/index.html
> no ?
> Is some other inner security measure stripping that .. somewhere ?
>
>
>
>
>



Re: [users@httpd] How to serve up different content depending on authenticated user

Posted by Eric Covener <co...@gmail.com>.
On Thu, Feb 5, 2009 at 3:41 AM, André Warnier <aw...@ice-sa.com> wrote:
> Matt McCutchen wrote:
>> RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1
>>
> (Not trying to be sarcastic here, it's a genuine question)
>
> What happens if Evil Hacker me logs in as user1 and then requests in my
> browser http://foo.com/../user2/index.html ?
> Taken literally, the RewriteRule above should rewrite this as
> /var/www/accesstest/user1/../user2/index.html
> no ?
> Is some other inner security measure stripping that .. somewhere ?

In per-vhost rewrite, you've replaced the bit of code that would kick
that request out with a 400 by using rewrite. However,  the ..'s have
still been flattened before the rewrite starts.  You would see a
relative path such as "index.html" as the URI in your rule.

If you had only per-directory rules, the core code that maps URIs to
the filesystem would return 400 before you got to them

-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] How to serve up different content depending on authenticated user

Posted by Steve Dalton <st...@gmail.com>.
Thanks Matt
I'll try that - looks a lot simpler... I'll also give it a good testing...:)
Steve

On Thu, Feb 5, 2009 at 6:41 PM, André Warnier <aw...@ice-sa.com> wrote:

> Matt McCutchen wrote:
>
>> On Thu, 2009-02-05 at 18:01 +1000, Steve Dalton wrote:
>>
>>> I managed to do something similar in the end, using the prefix user_
>>> for each user directory then adding .htaccess to root dir of:
>>>
>>> AuthType Basic
>>> AuthName "Restricted Files"
>>> AuthUserFile /var/www/passwd/htpasswd
>>> Require valid-user
>>>
>>> RewriteEngine on
>>> RewriteCond $1 !^user_
>>> RewriteCond %{REMOTE_USER} ^([a-z0-9_]+)$
>>> RewriteRule (.*) /var/www/accesstest/user_%1/$1 [
>>>
>>> The only problem with this is that any user could access other users
>>> directories... so I then had to add an additional .htaccess of
>>> require user spidie
>>>
>>> to the user_spidie directory... etc etc.
>>>
>>
>> If you put the rewrite rules in the main server configuration rather
>> than an htaccess file, you don't have to worry about them being run
>> multiple times, so you can drop the user_ prefix and condition.  You
>> don't need to condition on %{REMOTE_USER} either because rewrite rules
>> don't run until after the user gains authorization.  The rule I gave
>> earlier (updated for your directory name) should just work:
>>
>> RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1
>>
> (Not trying to be sarcastic here, it's a genuine question)
>
> What happens if Evil Hacker me logs in as user1 and then requests in my
> browser http://foo.com/../user2/index.html ?
> Taken literally, the RewriteRule above should rewrite this as
> /var/www/accesstest/user1/../user2/index.html
> no ?
> Is some other inner security measure stripping that .. somewhere ?
>
>
>
>
>



Re: [users@httpd] How to serve up different content depending on authenticated user

Posted by André Warnier <aw...@ice-sa.com>.
Matt McCutchen wrote:
> On Thu, 2009-02-05 at 18:01 +1000, Steve Dalton wrote:
>> I managed to do something similar in the end, using the prefix user_
>> for each user directory then adding .htaccess to root dir of:
>>
>> AuthType Basic
>> AuthName "Restricted Files"
>> AuthUserFile /var/www/passwd/htpasswd
>> Require valid-user
>>
>> RewriteEngine on
>> RewriteCond $1 !^user_
>> RewriteCond %{REMOTE_USER} ^([a-z0-9_]+)$
>> RewriteRule (.*) /var/www/accesstest/user_%1/$1 [
>>
>> The only problem with this is that any user could access other users
>> directories... so I then had to add an additional .htaccess of 
>>
>> require user spidie
>>
>> to the user_spidie directory... etc etc.
> 
> If you put the rewrite rules in the main server configuration rather
> than an htaccess file, you don't have to worry about them being run
> multiple times, so you can drop the user_ prefix and condition.  You
> don't need to condition on %{REMOTE_USER} either because rewrite rules
> don't run until after the user gains authorization.  The rule I gave
> earlier (updated for your directory name) should just work:
> 
> RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1
> 
(Not trying to be sarcastic here, it's a genuine question)

What happens if Evil Hacker me logs in as user1 and then requests in my
browser http://foo.com/../user2/index.html ?
Taken literally, the RewriteRule above should rewrite this as
/var/www/accesstest/user1/../user2/index.html
no ?
Is some other inner security measure stripping that .. somewhere ?




Re: [users@httpd] How to serve up different content depending on authenticated user

Posted by André Warnier <aw...@ice-sa.com>.
Restarting at the beginning for a moment..
The aim is as follows :

- a user connects to http://foo.com/
- he must be, and is, authenticated (say as "evilhacker")
- following this, he should have access, and only access, to the 
documents located under /var/www/usersites/evilhacker/ ,
- so that his next request to say "http://foo.com/mybankpins.html" gives 
him the document /var/www/usersites/evilhacker/mybankpins.html
- and so that a request to, for instance 
http://foo.com/../niceguy/mybankpins.html would not work.
- and if possible, we'd like to do that without having to put a .htaccess 
in each /var/www/usersites/*, with another Authxxxx & Require zzzz

I suppose this can be done with rewrites, but somehow I have this 
feeling that it is very easy to make a mistake and leave some door open 
for evilhacker to get a peek at what he shouldn't.

If I was thinking of this in mod_perl terms, I would think of some 
solution whereby http://foo.com is a default VirtualHost to which 
everyone connects at first and authenticates, then when there is a 
user-id, calls would be redirected to another VirtualHost (*)(**), of 
which dynamically the DocumentRoot would be set to 
/var/www/usersites/(his user-id).
This way all the embedded paraphernalia of Apache would be playing along 
to not let that person access something outside of his own DocumentRoot.


Now can some non-mod_perl Apache stuff achieve the same thing ?

(*) or maybe you don't even need that, and can do it all in the same host ?

(**) If it helps, this other VirtualHost might have a "fake" DNS name, 
only available in the hosts file of the current host, so that people 
from outside could not directly access it, but it would recognise itself; 
I'm not quite sure of that one, needs some more thought.





Re: [users@httpd] How to serve up different content depending on authenticated user

Posted by André Warnier <aw...@ice-sa.com>.
Eric Covener wrote:
> On Thu, Feb 5, 2009 at 3:12 AM, Matt McCutchen <ma...@mattmccutchen.net> wrote:
>> On Thu, 2009-02-05 at 18:01 +1000, Steve Dalton wrote:
>>> I managed to do something similar in the end, using the prefix user_
>>> for each user directory then adding .htaccess to root dir of:
>>>
>>> AuthType Basic
>>> AuthName "Restricted Files"
>>> AuthUserFile /var/www/passwd/htpasswd
>>> Require valid-user
>>>
>>> RewriteEngine on
>>> RewriteCond $1 !^user_
>>> RewriteCond %{REMOTE_USER} ^([a-z0-9_]+)$
> 
> Needs lookahead (LA) to see %{REMOTE_USER} in per-vhost Rewrite.
> 
> 
Mmmm.  That sounds like it packs a lot of information in a single 
sentence.  Back to the docs, guys.




Re: [users@httpd] How to serve up different content depending on authenticated user

Posted by Eric Covener <co...@gmail.com>.
On Thu, Feb 5, 2009 at 3:12 AM, Matt McCutchen <ma...@mattmccutchen.net> wrote:
> On Thu, 2009-02-05 at 18:01 +1000, Steve Dalton wrote:
>> I managed to do something similar in the end, using the prefix user_
>> for each user directory then adding .htaccess to root dir of:
>>
>> AuthType Basic
>> AuthName "Restricted Files"
>> AuthUserFile /var/www/passwd/htpasswd
>> Require valid-user
>>
>> RewriteEngine on
>> RewriteCond $1 !^user_
>> RewriteCond %{REMOTE_USER} ^([a-z0-9_]+)$

Needs lookahead (LA) to see %{REMOTE_USER} in per-vhost Rewrite.




Re: [users@httpd] How to serve up different content depending on authenticated user

Posted by Matt McCutchen <ma...@mattmccutchen.net>.
On Thu, 2009-02-05 at 18:01 +1000, Steve Dalton wrote:
> I managed to do something similar in the end, using the prefix user_
> for each user directory then adding .htaccess to root dir of:
> 
> AuthType Basic
> AuthName "Restricted Files"
> AuthUserFile /var/www/passwd/htpasswd
> Require valid-user
> 
> RewriteEngine on
> RewriteCond $1 !^user_
> RewriteCond %{REMOTE_USER} ^([a-z0-9_]+)$
> RewriteRule (.*) /var/www/accesstest/user_%1/$1 [
> 
> The only problem with this is that any user could access other users
> directories... so I then had to add an additional .htaccess of 
> 
> require user spidie
> 
> to the user_spidie directory... etc etc.

If you put the rewrite rules in the main server configuration rather
than an htaccess file, you don't have to worry about them being run
multiple times, so you can drop the user_ prefix and condition.  You
don't need to condition on %{REMOTE_USER} either because rewrite rules
don't run until after the user gains authorization.  The rule I gave
earlier (updated for your directory name) should just work:

RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1

-- 
Matt

