httpd-modules-dev mailing list archives

From Peter Somogyi <psomo...@gamax.hu>
Subject Re: make use of fs ACLs
Date Tue, 05 Jun 2007 16:41:40 GMT
Hi Nick,

> > We would like to have an autoindex-like file serving functionality of
> > apache web server that avoids usage of .htaccess file, but uses
> > filesystem's ACLs instead. Moreover we don't want to require wwwrun
> > to be allowed in every file/dir ACLs.
> >
> > For authentication we'd use e.g. mod_auth_external + pwauth.
>
> Please read up on why that's a huge security hole (I think it's
> described somewhere in apache's own documentation).

Sorry, could you point me there, please? (I've already spent 4 hours on Google
and grep on trunk, and asked expert people here, but couldn't find anything.)
Do you mean the hole is in the auth way (we can use mod_auth_pam instead), or
in using fs ACLs instead of .htaccess?
Thank you in advance.

>
> > a newly written tool
> > which _becomes_ the authenticated user and lists directory content.
>
> That's what suexec (and its many cousins) are for.
Thanks, however I wanted my question to be applied to fs ACL usage solution 
existence, not to becoming a user. Sorry for the misunderstanding.

BTW, this feature already exists for OpenAFS, but there permission is linked
with a PAG, not with a local user.

Peter
