Posted to users@httpd.apache.org by Tom Alsberg <al...@cs.huji.ac.il> on 2008/04/02 15:52:17 UTC
[users@httpd] User/group authorization for sub-directory locations
Is it possible to override Require statements of parent Location
sections in a Location section of a sub-tree?
I'm trying to see if we can use the user/group authorization
facilities to control access for users to a (non-public) tree served
by our web server.
More fine-grained needs may come later, but right now the basic
requirement is that only one group of users will have access to the
whole tree, and then grant some users and groups access to areas
(i.e. direct or indirect sub-trees) within the tree.
We use the external mod_auth_pam to authenticate our users (they all
have actual Unix user accounts in the network, and obviously we don't
want to duplicate their information in a htpasswd file), and
mod_auth_sys_group to have Apache recognize our Unix groups.
In real life this will be served by an Apache module with some HTTP
methods to read and others to write, and additional configuration to
determine the actual data server. However to cut the mess and
demonstrate what I'm trying, here's the relevant part of a very
minimal configuration I'm experimenting with:
<Location /local>
    Require group system
</Location>
This should grant by default only group system access to everything
served under http://server/local.
Now, say that there is some subtree, http://server/local/buz, which
should in general be accessible to group buzzers. If I add a section
like:
<Location /local/buz>
    Require group buzzers
</Location>
This will further restrict access to /local/buz, denying it to those not in
group buzzers, even if they are in group system. However what I am
trying to achieve is the opposite - allow access to anybody in group
buzzers, in addition to those in group system which are granted access
by the Require line in the /local location.
I tried putting "Satisfy Any" in the /local/buz Location, which
granted access to people in group buzzers even if they are not in
group system, but also overrode the restriction anywhere else in
/local.
According to the documentation example
"Removing controls in subdirectories" in
http://httpd.apache.org/docs/2.2/mod/core.html#require,
it is possible to use "Satisfy Any" in a directory section to remove
restrictions on a parent directory. However, in this specific case
Directory sections cannot be used, because the objects are not served
from an actual directory on the local filesystem, but using DAV,
mod_perl and some rewrite rules. Looking at the source, it appears
that the rules for the order of matching Location rules are different
from those of matching Directory rules.
Any ideas, suggestions, or insights? I'm trying to avoid having to
write a new authz module, so for now I'll try to insert some debug
logging lines into the ap_hook_auth_checker function in
mod_auth_sys_group to see what require rules it considers for every
request.
Thanks,
-- Tom
--
Tom Alsberg - hacker (being the best description fitting this space)
Web page: http://www.cs.huji.ac.il/~alsbergt/
DISCLAIMER: The above message does not even necessarily represent what
my fingers have typed on the keyboard, save anything further.
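
A configuration that expresses the requirement described in the message, as an added example for Apache 2.2 that is not part of the original post. It assumes the group provider in use (here mod_auth_sys_group) accepts several group names on one Require group line, as the stock group modules do; authentication directives are left out, as in the excerpt above.

```apache
# Added example; not from the original message.
# Assumption: the group checker accepts more than one group name per
# "Require group" line and grants access to a member of any listed group.

# Whole tree: members of "system" only.
<Location /local>
    Require group system
</Location>

# Sub-tree: Location sections are merged in the order they appear in the
# configuration, and the Require lines of a later matching section replace
# the inherited ones rather than adding to them. Listing both groups keeps
# "system" and adds "buzzers". This section must come after /local.
<Location /local/buz>
    Require group system buzzers
</Location>

# "Satisfy Any" is deliberately absent: when no Order/Allow/Deny host
# restriction is in place, the host check always passes, so Satisfy Any
# lets requests through without authentication.
```

A request for /local/buz from a user who is in neither group should return 401 or 403, and a request for any other path under /local from a user who is only in buzzers should be refused as well.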