httpd-users mailing list archives

From TJB <tjb00...@gmail.com>
Subject [users@httpd] 2.2.4 Require file-group seems to forget user authentication
Date Fri, 11 May 2007 01:23:52 GMT
Hello List:

My goal is to base web access control on the underlying Unix file system
group access. I'm using:

- AuthzUnixgroup (Third-party module which effectively replaces AuthGroupFile
  with /etc/group.  http://www.unixpapa.com/mod_authz_unixgroup/)
- Apache's "Require file-group" mechanism (mod_authz_owner)

We experience two prohibitively annoying side-effects of this, and I need
help with #2:

1) Every request for a missing file results in a request for
reauthentication. To solve this, I've added rewrite rules which check for
file existence. If a requested file doesn't exist, it rewrites the
request to an informative php script.  This works well.

2) A request for an existing file to which the authenticated user is
not authorized results in the desired request for reauthentication and
access denial.  However, when the user then returns to a file to which
s/he is authorized, s/he is again forced to reauth.  It's as if the
user's login is forgotten after every step out-of-bounds.

Is this the expected behavior for "Require file-group"?  If so, can
anyone recommend a friendlier work-around?

--

We're at: Solaris8, apache-2.2.4, SSL is enabled.

#############################################################################
<Directory /web/htdocs/TJB_TEST>
AllowOverride None
order deny,allow
deny from all
allow from .example.com
Options SymLinksIfOwnerMatch IncludesNOEXEC Indexes

DirectoryIndex /DirectoryIndexer.php

AuthName "TJB_TEST Access Controls Test"
AuthType Basic
AuthBasicProvider file
AuthUserFile /web/conf/Password.cfg

AuthzOwnerAuthoritative on
AuthzUnixgroup on

Require file-group
Satisfy all
</Directory>
#############################################################################


Thanks!
--Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
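
An added example, not part of the original message and not code from Apache or mod_authz_unixgroup: a Python sketch of the file-group rule the post relies on (the group owning the requested file must be one the authenticated user belongs to), usable to audit which users a document tree would admit. The group data, user names and the `group_of` hook are constructed assumptions, and only the member list of /etc/group-format text is consulted (primary groups from the passwd database are not modeled).

```python
import grp
import os

# Constructed sample in /etc/group format (name:passwd:gid:members); not from the post.
SAMPLE_GROUP_FILE = """\
staff:x:50:alice,bob
web:x:60:bob
"""

def parse_group_file(text):
    """Map group name -> set of listed members from /etc/group-format text."""
    members = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) < 4:
            continue  # skip comments, blanks and malformed entries
        members[fields[0]] = {u for u in fields[3].split(",") if u}
    return members

def file_group_name(path):
    """Name of the group owning path; falls back to the numeric gid as text."""
    gid = os.stat(path).st_gid
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)

def file_group_decision(user, path, members, group_of=file_group_name):
    """Return (allowed, reason) for one authenticated user and one file."""
    if not os.path.isfile(path):
        return False, "missing-file"  # no file, so no owning group to match
    group = group_of(path)
    if user in members.get(group, set()):
        return True, "member-of:" + group
    return False, "not-in:" + group

def audit_tree(root, users, members, group_of=file_group_name):
    """Map every file under root to the sorted users the rule would admit."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            report[path] = sorted(
                u for u in users
                if file_group_decision(u, path, members, group_of)[0])
    return report

if __name__ == "__main__":
    groups = parse_group_file(SAMPLE_GROUP_FILE)
    for path, allowed in sorted(audit_tree(".", ["alice", "bob"], groups).items()):
        print(path, allowed or "nobody")
```

The "missing-file" and "not-in" outcomes correspond to the two cases in the message that end in a reauthentication prompt.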

