httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Noah Misch <n...@cs.caltech.edu>
Subject RFC: Act as Authenticated User
Date Sun, 25 Apr 2004 02:20:28 GMT
Hello,

I wish to make users' Unix home directories available to them via WebDAV.  Since
the Apache HTTP Server supports WebDAV, SSL, and a variety of authentication
schemes, it seemed an appropriate basis, but it does not appear to fit the bill
because it always runs under a particular user account.  It needs to access the
exact set of files the user can access, and when it writes files it must write
them as the authenticated user; it would therefore need to either run as the
authenticated user or simulate that fact.

Other people have noted and/or addressed this issue.  MoulDAVia is a server
designed for this purpose.  Others[1] have achieved this functionality with
apache when an AFS server shares the files to publish, as httpd can retrieve
krb5 tokens for multiple AFS users.  A message[2] on the dav-dev mailing list
summarizes the issues for regular Unix filesystems.

The best way I have thought to achieve this functionality in Apache is to add an
option, say "SetuidIfAuthenticated."  With that directive set, Apache will
retain access to root privileges until it has authenticated the user.  It will
then getpwnam(3) the authenticated user name and switch to the resulting UID.
If the authenticated user does not correspond to a Unix user, Apache will report
an error and fall back on the account given in the User directive.

I have not studied the Apache code at all, so I can't say offhand whether this
approach will require changes to the Apache core or whether a module alone could
implement the functionality.

Is that is a good approach to the need I described?  If it requires changes to
the Apache core, might they be acceptable for inclusion in the standard
codebase?  Might any associated module become part of the standard set?

Thanks.

[1] http://www.cpan.org/modules/by-module/Apache/Apache-AuthKrb5Afs-1.0.readme
[2] http://mailman.lyra.org/pipermail/dav-dev/1999-March/000170.html

Mime
View raw message