httpd-modules-dev mailing list archives

From Nick Kew
Subject Re: make use of fs ACLs
Date Tue, 05 Jun 2007 10:47:31 GMT
On Mon, 4 Jun 2007 18:06:22 +0200
Peter Somogyi wrote:

> Hi,
> We would like to have an autoindex-like file serving functionality of
> apache web server that avoids usage of .htaccess file, but uses
> filesystem's ACLs instead. Moreover we don't want to require wwwrun
> to be allowed in every file/dir ACLs.
> For authentication we'd use e.g. mod_auth_external + pwauth.

Please read up on why that's a huge security hole (I think it's
described somewhere in apache's own documentation).

> a newly written tool
> which _becomes_ the authenticated user and lists directory content.

That's what suexec (and its many cousins) are for.

Nick Kew

Application Development with Apache - the Apache Modules Book
