Posted to users@httpd.apache.org by Tom Alsberg <al...@cs.huji.ac.il> on 2008/04/02 15:52:17 UTC

[users@httpd] User/group authorization for sub-directory locations

Is it possible to override Require statements of parent Location 
sections in a Location section of a sub-tree?

I'm trying to see if we can use the user/group authorization 
facilities to control access for users to a (non-public) tree served 
by our web server.

More fine-grained needs may come later, but right now the basic 
requirement is that only one group of users will have access to the 
whole tree, and then grant some users and groups access to areas 
(i.e. direct or indirect sub-trees) within the tree.

We use the external mod_auth_pam to authenticate our users (they all 
have actual Unix user accounts in the network, and obviously we don't 
want to duplicate their information in a htpasswd file), and 
mod_auth_sys_group to have Apache recognize our Unix groups.

In real life this will be served by an Apache module with some HTTP 
methods to read and others to write, and additional configuration to 
determine the actual data server.  However to cut the mess and 
demonstrate what I'm trying, here's the relevant part of a very 
minimal configuration I'm experimenting with:

<Location /local>
	Require group system
</Location>

This should grant by default only group system access to everything 
served under http://server/local.

Now, say that there is some subtree, http://server/local/buz, which 
should in general be accessible to group buzzers.  If I add a section 
like:

<Location /local/buz>
	Require group buzzers
</Location>

This will further restrict access to /local/buz, denying it to anyone not in 
group buzzers, even if they are in group system.  However what I am 
trying to achieve is the opposite - allow access to anybody in group 
buzzers, in addition to those in group system which are granted access 
by the Require line in the /local location.

I tried putting "Satisfy Any" in the /local/buz Location, which 
granted access to people in group buzzers even if they are not in 
group system, but also overrode the restriction anywhere else in 
/local.

According to the documentation example 
"Removing controls in subdirectories" in 
http://httpd.apache.org/docs/2.2/mod/core.html#require, 
it is possible to use "Satisfy Any" in a directory section to remove 
restrictions on a parent directory.  However, in this specific case 
Directory sections cannot be used, because the objects are not served 
from an actual directory on the local filesystem, but using DAV, 
mod_perl and some rewrite rules.  Looking at the source, it appears 
that the rules for the order of matching Location rules are different 
from those of matching Directory rules.

Any ideas, suggestions, or insights?  I'm trying to avoid having to 
write a new authz module, so for now I'll try to insert some debug 
logging lines into the ap_hook_auth_checker function in 
mod_auth_sys_group to see what require rules it considers for every 
request.

  Thanks,
  -- Tom

-- 
  Tom Alsberg - hacker (being the best description fitting this space)
  Web page:	http://www.cs.huji.ac.il/~alsbergt/
DISCLAIMER:  The above message does not even necessarily represent what
my fingers have typed on the keyboard, save anything further.
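An added configuration example (not part of Tom's message) for the "system OR buzzers" requirement described above. In httpd 2.2 the Require directives of an inner Location replace those inherited from the outer one rather than extending them, so the inner section has to name both groups; this assumes mod_auth_sys_group, like mod_authz_groupfile, accepts several group names on one Require group line, and that the poster's existing mod_auth_pam / mod_auth_sys_group directives are already in effect for /local (the AuthName value is a placeholder).

```apache
# Outer tree: only members of Unix group "system" (poster's existing setup;
# the PAM / sys_group authentication directives are assumed to be configured
# elsewhere and are omitted here).
<Location /local>
    AuthType Basic
    AuthName "Local tree"          # placeholder realm name
    Require group system
</Location>

# Sub-tree: because the inner Require list REPLACES the inherited one,
# writing only "Require group buzzers" here would lock out group system.
# Naming both groups yields "system OR buzzers" for /local/buz without
# touching the rest of /local (no Satisfy Any needed, so the restriction
# elsewhere under /local is left intact).
<Location /local/buz>
    Require group system buzzers
</Location>
```

Further sub-trees follow the same pattern: each deeper Location repeats the groups that should keep access plus the ones being added.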
