httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André <...@masse.de>
Subject [users@httpd] On access decrypted svn repository served through apache autenticated through pam - I'm stuck
Date Tue, 04 Apr 2006 01:31:00 GMT
Hi all,
I really like apache, subversion and encryption. Maintaining files 
through subversion + apache already works very well, but sensitive files 
have to be encrypted. Encrypting files before check-in is cumbersome and 
makes your respository a binary mess.

I thought apache could help decrypting files (like a svn repository) on 
authentication.  Unfortunately I could not find a working solution 
anywhere and nothing about impersonation, thus I tried it myself. This 
is what I tried:

encfs (encrypted user land file system) + libpam_encfs (decrypts home 
directories on the fly) + libapache2-mod-auth-pam (autentication with pam)

1. automatic mounting of the encrypted directory (/var/www/encrypted) on 
login (from shell) works
2. autentification through pam on a website (through apache) works
3. both combined - does not work:
reading the supposedly  mounted directory from apache does not work, the 
file does not appear in directory listings

I tried many user/group/permission combinations and now I am a bit stuck.
What I did not yet try is to recompile apache with -DBIG_SECURITY_HOLE 
to access everything from root, I guess this is discouraged :-)

I guess this might have to with privilege seperation: 
http://oss.metaparadigm.com/apache-privsep/
Would that patch help me? Is there anything like that for Apache2?
Does anyone know of any alternative?

Regards,
André

ps. My /etc/pam.d/apache2
@include common-auth
@include common-account
auth required pam_encfs.so
session required pam_encfs.so

Snipplet from enabled site:
AuthType Basic
AuthName "Secure"
Require user encrypted
AuthPAM_Enabled on


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message