Posted to users@httpd.apache.org by "James B. Byrne" <by...@harte-lyne.ca> on 2014/01/21 18:39:27 UTC

[users@httpd] Apache Directory Level access control

CentOS-6.5-i86_64
httpd-2.2.15 (CentOS)

I have a problem with configuring directory access using groups. We have a
site with multiple sub-directories. We have several groups defined. We have
the entire site protected at the root by digest authentication and some of the
sub-directories protected by:

<Directory /protect/directory/path>
    Require group xxxxx
</Directory>

All directives are contained in the virtual web site configuration file.  We
are not using .htaccess files.

However, if one can authenticate at the root then one gets access to all the
sub-directories regardless of the authenticated user's group membership.  How
does one configure this so that authentication at the root is still restricted
by group membership in the sub-directories?

I tried putting a 'Require all denied' directive in the site root along with
Require group directives everywhere else but that blocks all access for all
users even in the protected directories.  No-one can get access.

The information I can find through web searching does not reveal to me what my
error is.  The configuration file looks like this:

  <Directory />
    AuthType Digest
    AuthName ca.harte-lyne
    AuthDigestDomain /
    AuthDigestProvider file
    AuthUserFile /etc/httpd/access.d/.htdigest
    AuthGroupFile /var/data/hll_dav/htgroup

#    Require all denied
#    Require group staff

#    AllowOverride AuthConfig FileInfo Indexes Limit Nonfatal=[] Options
#    AllowOverride None
    Order allow,deny
    allow from all
    Satisfy All

    Options Indexes MultiViews
    IndexOptions FancyIndexing
    AddDefaultCharset UTF-8

    Dav On
    # No Server Minimum Timeout on locks - let WebDAV clients decide
    DAVMinTimeout 0
    DAVDepthInfinity Off
    LimitXMLRequestBody 96000000
  </Directory>

  <Directory /HLL_Operations>
    Require group management staff
  </Directory>


I have tried replicating the authentication directives in each sub-directory
but the result is the same.

  <Directory /HLL_Administration/Protect>
    AuthType Digest
    AuthName ca.harte-lyne
    AuthDigestDomain /HLL_Administration/Protect
    AuthDigestProvider file
    AuthUserFile /etc/httpd/access.d/.htdigest
    AuthGroupFile /var/data/hll_dav/htgroup
    Require group protected
  </Directory>

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB@Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Apache Directory Level access control

Posted by "James B. Byrne" <by...@harte-lyne.ca>.
On Tue, January 21, 2014 15:33, Pete Houston wrote:
> On Tue, Jan 21, 2014 at 03:17:35PM -0500, James B. Byrne wrote:
>> .  .  .
>>   DocumentRoot /var/data/hll_dav/upload
>
> In that case your Directory section should be:
>
>    <Directory /var/data/hll_dav/upload/HLL_Operations>
>      Require group management staff
>    </Directory>
>
> See the documentation at
> http://httpd.apache.org/docs/2.2/mod/core.html#directory for how
> Directory sections are specified. You must use the absolute path.
>

Thank you so much.  I had been looking at this all day and could not just see
the problem, which is blindingly obvious now that someone has pointed it out
to me.

Thanks again,





Re: [users@httpd] Apache Directory Level access control

Posted by Pete Houston <ph...@openstrike.co.uk>.
On Tue, Jan 21, 2014 at 03:17:35PM -0500, James B. Byrne wrote:
> 
> On Tue, January 21, 2014 14:58, Pete Houston wrote:
> > On Tue, Jan 21, 2014 at 12:39:27PM -0500, James B. Byrne wrote:
> >>   <Directory /HLL_Operations>
> >>     Require group management staff
> >>   </Directory>
> >
> > Do you really have a directory at the very top level of your O/S
> > filesystem called /HLL_Operations? It seems more likely that this will
> > be in some subdirectory where all your other web content will be
> > (typically under /var/www/html). What is your DocumentRoot?
> >
> > Pete
> 
> .  .  .
>   DocumentRoot /var/data/hll_dav/upload

In that case your Directory section should be:

   <Directory /var/data/hll_dav/upload/HLL_Operations>
     Require group management staff
   </Directory>

See the documentation at
http://httpd.apache.org/docs/2.2/mod/core.html#directory for how
Directory sections are specified. You must use the absolute path.

HTH,

Pete
-- 
Openstrike - improving business through open source
http://www.openstrike.co.uk/ or call 01722 770036 / 07092 020107

Re: [users@httpd] Apache Directory Level access control

Posted by "James B. Byrne" <by...@harte-lyne.ca>.
On Tue, January 21, 2014 14:58, Pete Houston wrote:
> On Tue, Jan 21, 2014 at 12:39:27PM -0500, James B. Byrne wrote:
>>   <Directory /HLL_Operations>
>>     Require group management staff
>>   </Directory>
>
> Do you really have a directory at the very top level of your O/S
> filesystem called /HLL_Operations? It seems more likely that this will
> be in some subdirectory where all your other web content will be
> (typically under /var/www/html). What is your DocumentRoot?
>
> Pete

.  .  .
  DocumentRoot /var/data/hll_dav/upload

  <Directory />
    AuthType Digest
    AuthName ca.harte-lyne
    AuthDigestDomain /
    AuthDigestProvider file
    AuthUserFile /etc/httpd/access.d/.htdigest
    AuthGroupFile /var/data/hll_dav/htgroup

    Require all denied
    Require group staff

    AllowOverride All
    Order allow,deny
    allow from all
    Satisfy All

    Options Indexes MultiViews
    IndexOptions FancyIndexing
    AddDefaultCharset UTF-8

    Dav On
    # No Server Minimum Timeout on locks - let WebDAV clients decide
    DAVMinTimeout 0
    DAVDepthInfinity Off
    LimitXMLRequestBody 96000000
  </Directory>





Re: [users@httpd] Apache Directory Level access control

Posted by Pete Houston <ph...@openstrike.co.uk>.
On Tue, Jan 21, 2014 at 12:39:27PM -0500, James B. Byrne wrote:
>   <Directory /HLL_Operations>
>     Require group management staff
>   </Directory>

Do you really have a directory at the very top level of your O/S
filesystem called /HLL_Operations? It seems more likely that this will
be in some subdirectory where all your other web content will be
(typically under /var/www/html). What is your DocumentRoot?

Pete

Re: [users@httpd] Apache Directory Level access control

Posted by "James B. Byrne" <by...@harte-lyne.ca>.
On Tue, January 21, 2014 12:39, James B. Byrne wrote:
> CentOS-6.5-i86_64
> httpd-2.2.15 (CentOS)
>
> I have a problem with configuring directory access using groups. We have a
> site with multiple sub-directories. We have several groups defined. We have
> the entire site protected at the root by digest authentication and some of the
> sub-directories protected by:
>
> <Directory /protect/directory/path>
>     Require group xxxxx
> </Directory>
>
> All directives are contained in the virtual web site configuration file.  We
> are not using .htaccess files.
>


The documentation website for Apache-httpd-2.2 says this:

https://httpd.apache.org/docs/2.2/howto/htaccess.html#page-header

When (not) to use .htaccess files

In general, you should only use .htaccess files when you don't have access to
the main server configuration file. There is, for example, a common
misconception that user authentication should always be done in .htaccess
files, and, in more recent years, another misconception that mod_rewrite
directives must go in .htaccess files. This is simply not the case. You can
put user authentication configurations in the main server configuration, and
this is, in fact, the preferred way to do things. Likewise, mod_rewrite
directives work better, in many respects, in the main server configuration.

However, my experience indicates that this statement is simply wrong when it
speaks of authentication in the main configuration file.

Contents of virtual host configuration file:

  <Directory />
    AuthType Digest
    AuthName ca.harte-lyne
    AuthDigestDomain /
    AuthDigestProvider file
    AuthUserFile /etc/httpd/access.d/.htdigest
    AuthGroupFile /var/data/hll_dav/htgroup

    Require all denied
 </Directory>

  <Directory /HLL_Administration/Payroll>
    AuthType Digest
    AuthName ca.harte-lyne
    AuthDigestDomain /HLL_Administration/Payroll
    AuthDigestProvider file
    AuthUserFile /etc/httpd/access.d/.htdigest
    AuthGroupFile /var/data/hll_dav/htgroup

    Require group payroll
  </Directory>

No .htaccess file in directory.

Result, no-one can authenticate.

Contents of virtual host configuration file:

  <Directory />
    AuthType Digest
    AuthName ca.harte-lyne
    AuthDigestDomain /
    AuthDigestProvider file
    AuthUserFile /etc/httpd/access.d/.htdigest
    AuthGroupFile /var/data/hll_dav/htgroup

    Require all denied
 </Directory>

  <Directory /HLL_Administration/Payroll>
  </Directory>

With .htaccess file containing:
<---
    AuthType Digest
    AuthName ca.harte-lyne
    AuthDigestDomain /HLL_Administration/Payroll
    AuthDigestProvider file
    AuthUserFile /etc/httpd/access.d/.htdigest
    AuthGroupFile /var/data/hll_dav/htgroup

    Require group payroll
--->

And authentication works as expected. Users in the payroll group can
authenticate and users outside the payroll group cannot.





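The two findings of this thread, Pete's point that a <Directory> path is the absolute filesystem path (so it has to sit under the DocumentRoot /var/data/hll_dav/upload rather than be the URL path), and the last message's observation that "Require all denied" at the root lets nobody in, can be checked without a running httpd. The Python script below is an added example and is not code from the thread or from the httpd project. It holds two constructed vhost fragments (DocumentRoot and group names as posted in the thread, Require lines simplified), parses their <Directory> sections, and resolves which section's Require lines apply to a request the way httpd 2.2 does: non-regex <Directory> sections are applied from shortest filesystem path to longest, and the core configuration merge replaces the parent's Require list with the child's, so the most specific matching section wins. With a path like /HLL_Operations no section other than <Directory /> ever matches a request under the DocumentRoot, so the root's Require governs the whole site. The lint function also flags "Require all denied": that is httpd 2.4 syntax (mod_authz_core), and the file-backed authorization modules of 2.2 recognise only user, valid-user and group, so an unknown entity leaves nothing satisfied. The names BROKEN_CONFIG, FIXED_CONFIG and KNOWN_REQUIRE_22 are chosen for this example.

```python
import posixpath
import re

# Constructed vhost fragments for this example (not the poster's files).
# DocumentRoot and group names follow the thread; Require lines are simplified.
BROKEN_CONFIG = """
DocumentRoot /var/data/hll_dav/upload

<Directory />
    AuthType Digest
    AuthName ca.harte-lyne
    Require all denied
</Directory>

<Directory /HLL_Operations>
    Require group management staff
</Directory>
"""

FIXED_CONFIG = """
DocumentRoot /var/data/hll_dav/upload

<Directory />
    AuthType Digest
    AuthName ca.harte-lyne
    Require valid-user
</Directory>

<Directory /var/data/hll_dav/upload/HLL_Operations>
    Require group management staff
</Directory>

<Directory /var/data/hll_dav/upload/HLL_Administration/Payroll>
    Require group payroll
</Directory>
"""

# Require entities understood by the file-backed authz modules of httpd 2.2
# (mod_authz_user: user, valid-user; mod_authz_groupfile: group).
KNOWN_REQUIRE_22 = {"user", "valid-user", "group"}

_DIR_RE = re.compile(r"<Directory\s+([^>\s]+)\s*>(.*?)</Directory>", re.S | re.I)
_ROOT_RE = re.compile(r"^\s*DocumentRoot\s+(\S+)", re.M | re.I)


def parse_vhost(text):
    """Return (document_root, [(section_path, [require_line, ...]), ...])."""
    docroot = _ROOT_RE.search(text).group(1)
    sections = []
    for m in _DIR_RE.finditer(text):
        path, body = m.group(1), m.group(2)
        requires = [ln.strip() for ln in body.splitlines()
                    if ln.strip().lower().startswith("require ")]
        sections.append((posixpath.normpath(path), requires))
    return docroot, sections


def _covers(section, filename):
    """True if a <Directory section> applies to the filesystem path filename."""
    return (section == "/" or filename == section
            or filename.startswith(section.rstrip("/") + "/"))


def effective_require(text, url_path):
    """Which <Directory> section's Require lines govern url_path (2.2 rules).

    The URL is mapped onto DocumentRoot, matching sections are applied from
    shortest path to longest, and each child's Require list replaces the
    parent's, so the last (most specific) section with a Require wins.
    """
    docroot, sections = parse_vhost(text)
    filename = posixpath.normpath(docroot + "/" + url_path.lstrip("/"))
    winner, requires = None, []
    for path, reqs in sorted(sections, key=lambda s: len(s[0].split("/"))):
        if _covers(path, filename) and reqs:
            winner, requires = path, reqs
    return winner, requires


def lint_sections(text):
    """Flag <Directory> paths that can never match a request under DocumentRoot
    and Require entities the 2.2 file-backed modules do not know."""
    docroot, sections = parse_vhost(text)
    problems = []
    for path, reqs in sections:
        # A usable section is "/", an ancestor of DocumentRoot, or below it.
        if path != "/" and not _covers(path, docroot) and not _covers(docroot, path):
            problems.append("%s: not under DocumentRoot %s (URL path instead of "
                            "filesystem path?)" % (path, docroot))
        for r in reqs:
            words = r.split()
            entity = words[1].lower() if len(words) > 1 else ""
            if entity not in KNOWN_REQUIRE_22:
                problems.append("%s: '%s' uses entity '%s' unknown to httpd 2.2"
                                % (path, r, entity))
    return problems


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, effective_require(cfg, "/HLL_Operations/report.txt"))
        for p in lint_sections(cfg):
            print("  lint:", p)
```

Run as a script it shows that, with the broken fragment, a request for /HLL_Operations/report.txt is governed by the root section's "Require all denied", while with the absolute paths the HLL_Operations section's "Require group management staff" applies and the lint reports nothing. Note that this models the <Directory> path matching and Require replacement only; it does not evaluate group membership, which httpd reads from the AuthGroupFile at request time.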