httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] how would I serve up an upload/download directory for each user
Date Thu, 06 Mar 2008 18:31:43 GMT
On Thu, Mar 6, 2008 at 1:25 PM, Tim Edwards <t.edwards@tideway.com> wrote:

> I'm trying to use Apache to essentially replicate the functionality of our
> FTP server (we've found a lot of customers have corporate policies/firewalls
> stopping them accessing FTP but not http/s). The idea is that each customer
> has a Linux user created for them and can login with Apache setup to use
> mod_auth_shadow. However I want each user to have a directory into which
> they can upload files, as well as download. I can see a few possibilities:
>
> * Use mod_userdir so each user has a https://servername.com/~username site.
> My problem with this is that I'd have to give the apache user rights to
> write to user's home directories to allow uploads, I'm not sure if this is a
> good idea security-wise. However this server is single-purpose – no one
> except administrators will be logging into it or interacting with it in any
> way except through httpd.
>
>
>
> * Use some kind of module that allows apache to spawn a sub-process running
> as the user who logged in through mod_auth_shadow. Does such a module exist?
>
>
>
> * Give up on the idea of using user's home dirs and create a setup with
> virtual hosts and a directory owned by the apache user. Eg. have all user's
> files under /var/www/users/<username> and have a virtual host for each
> /var/www/users/<username> dir. I'm not sure how to do this in any automated
> fashion though – is there a way to coerce mod_userdir into working like
> this?

You should probably start by reading this:
http://wiki.apache.org/httpd/PrivilegeSeparation

Then you need to ask youself: do the users absolutely need to be able
to access the uploaded content through their unix logins as well as
through apache? If they don't, then just let apache manage all the
authorization process internally under its own userid.

If they do need direct access to these files, then you basically have
two choices: 1) use a CGI script to do the file management, and have
this cgi script switch users using suexec or cgiwrap; 2) setup a
separate apache install (not just a vhost) for each user and run that
install under that user. The technique is described here:
http://wiki.apache.org/httpd/DifferentUserIDsUsingReverseProxy

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message