From: Markus Mayer
To: users@httpd.apache.org
Date: Mon, 25 Jul 2005 16:11:36 +0200
Subject: [users@httpd] file security for apache/ftp users

Hi all,

I have a problem at the moment which has
certainly been solved elsewhere; however, I don't find an answer using Google.

We have an Apache server running on a Unix system (AIX now, Solaris soon) where users upload their web data using FTP. Our problem is that our current scheme on the FTP side enables most users to see other users' documents if they know the exact path to that user's documents. For example:

    drwxrws--x 12 12286 35020 1536 Jul 08 16:37 group86
    drwx-----x  2 12083 12083  512 Feb 07 13:13 user083
    drwx-----x  4 12143 12143  512 Mar 02  2004 user143
    drwx-----x  2 12321 12321  512 Jan 05  2001 user321

User and group names have been changed; however, you get the idea.

All users are stored in an LDAP database and authenticate against that. There are no system users or groups. Each user gets their own unique numerical userid and groupid. The groups are done so that multiple users can be a group member. All group members need to have full access to the directory and its contents.

If, for example, user143 comes in using FTP and knows that inside group86 there is a document called group86/authorised/secure_document.pdf, they can get to that document even if there is a .htaccess file in authorised protecting access through Apache. This applies to all other users too. Of course this is unacceptable.

We did try changing all users to have their group as apache, which works fine for individual users; however, it breaks our groups:

    drwxrws--x 12 12286 apache 1536 Jul 08 16:37 group86

In the above example, the group members are no longer able to write to the directory, which is of course also not what we want.

Several of us here have been trying to work out a solution; however, none is forthcoming. We need to keep all user authentication data on our LDAP server, and there should be no system groups or users outside what is absolutely necessary to run the server.

This is a problem someone else has surely already solved, and I would greatly appreciate some information on how we can solve this too.
I'll even appreciate an RTFM if someone would just tell me which FM to R...

regards

Markus.
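
The exposure described in this message, modelled as an added example that is not part of the original post: the standard Unix owner/group/other check applied to each component of the path. Only the `group86` line and user143's ids come from the listing; the `authorised` directory and PDF modes, the web-server uid/gid 80 and the group member uid 12999 are constructed assumptions.

```python
def parse_ls(line):
    """Split one `ls -l` line into (mode, uid, gid, name); ids are numeric."""
    f = line.split()
    return f[0], int(f[2]), int(f[3]), f[-1]

def permits(mode, owner, group, uid, gids, want):
    """Unix check: exactly one class applies (owner, else group, else other)."""
    if uid == owner:
        triad = mode[1:4]
    elif group in gids:
        triad = mode[4:7]
    else:
        triad = mode[7:10]
    bit = triad["rwx".index(want)]
    # 's'/'t' mean setuid/setgid/sticky WITH execute; 'S'/'T' mean without it.
    return bit not in "-ST"

def check_path(entries, uid, gids):
    """entries: `ls -l` lines from the top directory down to the file.
    Returns (can_fetch_by_exact_path, can_list_top_directory)."""
    *dirs, leaf = [parse_ls(e) for e in entries]
    # Reaching a file needs search (x) on every directory, then read on the file.
    traverse = all(permits(m, o, g, uid, gids, "x") for m, o, g, _ in dirs)
    read = permits(leaf[0], leaf[1], leaf[2], uid, gids, "r")
    top = dirs[0]
    can_list = permits(top[0], top[1], top[2], uid, gids, "r")
    return traverse and read, can_list

# Scheme as described: directories searchable by "other", file world-readable
# so the web server (also "other") can serve it.
PATH = [
    "drwxrws--x 12 12286 35020 1536 Jul 08 16:37 group86",             # from the message
    "drwxrws--x 2 12286 35020 512 Jul 08 16:37 authorised",            # constructed
    "-rw-rw-r-- 1 12286 35020 4096 Jul 08 16:37 secure_document.pdf",  # constructed
]
# Same tree with the file's "other" read bit removed (constructed).
TIGHT = PATH[:2] + ["-rw-rw---- 1 12286 35020 4096 Jul 08 16:37 secure_document.pdf"]

if __name__ == "__main__":
    who = {"user143": (12143, {12143}), "web server": (80, {80}),
           "group member": (12999, {35020})}
    for label, tree in (("as described", PATH), ("file not world-readable", TIGHT)):
        for name, (uid, gids) in who.items():
            fetch, listing = check_path(tree, uid, gids)
            print(f"{label:24} {name:13} fetch={fetch} list={listing}")
```

With these modes, user143 and the web server fall into the same "other" class, so removing the file's world-read bit blocks both of them, which is the trade-off the message runs into.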