Posted to users@httpd.apache.org by André <di...@masse.de> on 2006/04/04 03:31:00 UTC

[users@httpd] On access decrypted svn repository served through apache authenticated through pam - I'm stuck

Hi all,
I really like apache, subversion and encryption. Maintaining files 
through subversion + apache already works very well, but sensitive files 
have to be encrypted. Encrypting files before check-in is cumbersome and 
makes your repository a binary mess.

I thought apache could help decrypting files (like a svn repository) on 
authentication.  Unfortunately I could not find a working solution 
anywhere and nothing about impersonation, thus I tried it myself. This 
is what I tried:

encfs (encrypted user land file system) + libpam_encfs (decrypts home 
directories on the fly) + libapache2-mod-auth-pam (authentication with pam)

1. automatic mounting of the encrypted directory (/var/www/encrypted) on 
login (from shell) works
2. authentication through pam on a website (through apache) works
3. both combined - does not work:
reading the supposedly mounted directory from apache does not work, the 
file does not appear in directory listings

I tried many user/group/permission combinations and now I am a bit stuck.
What I did not yet try is to recompile apache with -DBIG_SECURITY_HOLE 
to access everything from root, I guess this is discouraged :-)

I guess this might have to do with privilege separation: 
http://oss.metaparadigm.com/apache-privsep/
Would that patch help me? Is there anything like that for Apache2?
Does anyone know of any alternative?

Regards,
André

ps. My /etc/pam.d/apache2
@include common-auth
@include common-account
auth required pam_encfs.so
session required pam_encfs.so

Snippet from enabled site:
AuthType Basic
AuthName "Secure"
Require user encrypted
AuthPAM_Enabled on

