httpd-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: [PATCH] Enhancement to mod_auth
Date Sat, 08 Sep 2001 05:31:12 GMT
From: "Rodent of Unusual Size" <Ken.Coar@Golux.Com>
Sent: Friday, September 07, 2001 5:25 AM


> * On 2001-08-10 at 19:43,
>   Rodent of Unusual Size <Ken.Coar@golux.com> excited the electrons to say:
> > 
> > In response to a private query, I worked up a little patch
> > to add an enhancement to mod_auth: in addition to 'require valid-user'
> > and 'require user xxx yyy zzz' the enhanced version recognises
> > 'require owner'.  The idea is that access is granted if the
> > user is authenticated AND matches the username of the owner of
> > the file.

I've seen similar requests for require group.  While you are cautiously
modifying the 1.3 code base, would you please consider both?

I'm -1 for the similar SymLinkIfGroupMatch semantic in 1.3 (that dir_walk
code is frankly too fragile) but I'll look at that semantic in 2.0.

Other than that, coolness, but please document that this is not a SECURE
method from a multi-user system, since anyone can create an .htpasswd file
that might cause the user to appear as a root or admin user, but is not.

This must be documented as a convenience facility, not a security facility.
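
Added example, not part of the original message or of the patch under discussion: a Python sketch of the 'require owner' comparison described in the quoted text, showing why the reply asks for it to be documented as a convenience rather than a security control. All function names, the password tables and the uid-to-name mapping are constructed for illustration; the real check lives in mod_auth's C code.

```python
import os
import pwd
import tempfile

def system_owner_name(path, uid_to_name=None):
    """Return the account name owning path, or None if the uid has no name."""
    uid = os.stat(path).st_uid
    if uid_to_name is not None:          # injected mapping (used by the demo)
        return uid_to_name.get(uid)
    try:
        return pwd.getpwuid(uid).pw_name  # system account database
    except KeyError:
        return None

def require_owner(path, authenticated_user, uid_to_name=None):
    """Grant only if the authenticated name equals the file owner's name."""
    if not authenticated_user:
        return False
    owner = system_owner_name(path, uid_to_name)
    return owner is not None and owner == authenticated_user

def http_authenticate(password_db, user, password):
    """Stand-in for HTTP auth against a password file: name on success, else None."""
    return user if password_db.get(user) == password else None

def demo():
    with tempfile.NamedTemporaryFile() as f:
        # Constructed mapping: pretend the file's owner is the account "admin".
        names = {os.stat(f.name).st_uid: "admin"}
        # Password table maintained by the site administrator (constructed).
        site_db = {"admin": "s3cret-A", "bob": "s3cret-B"}
        # Password table written by an ordinary local user (constructed):
        # same name, but a password that user chose.
        local_db = {"admin": "chosen-by-bob"}

        def check(db, user, pw):
            return require_owner(f.name, http_authenticate(db, user, pw), names)

        return {
            "real_admin": check(site_db, "admin", "s3cret-A"),
            "other_user": check(site_db, "bob", "s3cret-B"),
            "bad_password": check(site_db, "admin", "wrong"),
            # Only a string comparison ties the HTTP name to the system account,
            # so a name from an untrusted password table matches just as well.
            "lookalike_admin": check(local_db, "admin", "chosen-by-bob"),
        }

if __name__ == "__main__":
    print(demo())
```

The last case is granted for the same reason the first is: the check compares two names from unrelated namespaces, so its result is only as trustworthy as the password file that produced the HTTP user name.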


