httpd-users mailing list archives

From Igor Cicimov <icici...@gmail.com>
Subject Re: [users@httpd] <Limit> and Satisfy in <Location> for mod_dav
Date Thu, 19 Sep 2013 06:30:41 GMT
Hi Chris,


> On Tue, Sep 17, 2013 at 4:40 AM, Christopher Schultz <chris@christopherschultz.net> wrote:

> All,
>
> I'm having trouble getting <Limit> and Satisfy to work within a <Location>.
>
> I'm using Apache httpd 2.2.22 on Debian Wheezy.
>
> Now, "Satisfy" is not documented to work under <Location> elements, but
> also <Limit> is not documented to work under <Location>, and seems to
> work without a problem. I was wondering if it's just an accident that
> <Limit> works under <Location>, but that Satisfy can't, or the
> documentation is inaccurate, or if I simply can't do what I want to do.
>
> I am trying to protect a part of my filesystem that is accessible via
> WebDAV. I'm using mod_dav along with mod_auth_ldap and I'd like to be
> able to do this:
>
> <Directory /path/to/dav/some/subdir>
>   <Limit HEAD GET OPTIONS PROPFIND>
>     Satisfy Any
>     Require ldap-group cn=some-read-only-group
>     Require ldap-group cn=some-read-only-other-group
>   </Limit>
>   <LimitExcept HEAD GET OPTIONS PROPFIND>
>     Satisfy Any
>     Require ldap-group cn=some-read-write-group
>   </LimitExcept>
> </Directory>
>
>
> The closest thing I'm able to get working is this:
>
> <Location "/dav/Clinical/grants">
>   <Limit HEAD GET OPTIONS PROPFIND>
>     Require ldap-group cn=some-read-only-group
>   </Limit>
>   <LimitExcept HEAD GET OPTIONS PROPFIND>
>     Require ldap-group cn=some-read-write-group
>   </LimitExcept>
> </Location>
>
> It looks like I have to use <Location> instead of <Directory> because
> <Directory> does not protect directories being handled by mod_dav. Can
> someone confirm that?
>

I have a similar setting to this, so I think your assumption is correct:

<Location "/protected">
  AuthType Basic
  AuthName "Secure Area"
  AuthBasicProvider ldap
  AuthLDAPURL  "ldap://localhost:4389/ou=users,o=company?uid"
  AuthLDAPBindDN uid=admin,ou=users,o=access
  AuthLDAPBindPassword password
  <Limit GET PUT>
    Require ldap-group cn=Admin, ou=groups, o=company
  </Limit>
  # every method not listed above (PROPFIND, DELETE, MKCOL, ...) is refused
  <LimitExcept GET PUT>
    Order Allow,Deny
    Deny from all
  </LimitExcept>
</Location>

# the sub-location inherits AuthType/AuthLDAP* from /protected and
# replaces its Require lines; several Require lines in one section are OR'ed
<Location "/protected/users">
  <Limit GET>
    Require ldap-group cn=user1, ou=groups, o=company
    Require ldap-group cn=user2, ou=groups, o=company
  </Limit>
  <Limit PUT>
    Require ldap-group cn=user2, ou=groups, o=company
    Require ldap-group cn=user3, ou=groups, o=company
  </Limit>
  <LimitExcept GET PUT>
    Order Allow,Deny
    Deny from all
  </LimitExcept>
</Location>


> Whenever I use "Satisfy Any" anywhere, it appears to apply to a
> much-wider set of files than is specified in <Limit> or <Location>.
>
> Is there a way to do complicated permissions along with WebDAV?
>
> I'd appreciate any suggestions anyone might have.
>
> While I'm at it, I'd like to know whether path-ordering in httpd.conf
> will have any bearing on how the permissions are applied. Ideally, I'd
> like to be able to set permissions on a top-level directory, then
> override those permissions on a sub-directory -- not necessarily either
> widening or narrowing the permissions... I might want to do a little of
> both.
>

Yes, you are correct. I would also protect the top directory and then open
some directories for public access using "Satisfy Any", something like this:

<Directory /www/docs>
    AuthType Basic
    AuthName Documents
    AuthBasicProvider file
    AuthUserFile /usr/local/apache/passwd/passwords
    Require valid-user
</Directory>
<Directory /www/docs/public>
    # All access controls and authentication are disabled
    # in this directory
    Satisfy Any
    Allow from all
</Directory>


>
> -chris
>

I think there is new stuff in 2.4, something like

AuthType None
Require all granted

to remove the protection on the subdirectory, but I have never tried it
myself.

Cheers,
Igor
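An added example, not posted by either participant, that puts the thread's pieces together: the 2.2 layout Chris asked for, and its 2.4 rewrite using <RequireAny> in place of Satisfy Any plus Require all granted for the open subtree Igor mentions. The LDAP URL, the group DNs (cn=ro-group, cn=ro-other-group, cn=rw-group) and the /dav paths are placeholders, not values from the thread. Two points it is meant to show: in 2.2, Satisfy Any means "host-based access control OR authentication", and with no Order/Allow/Deny configured the host check passes by default, so Satisfy Any used to OR two LDAP groups actually lets everyone in (plain multiple Require lines already OR); and in 2.4, with the default AuthMerging Off, a child section's Require replaces the parent's and a method no Require covers is granted, so the write-side restriction has to be repeated in the public subtree.

```apache
# Added example; placeholder LDAP URL, group DNs and paths throughout.

### httpd 2.2 ###

# Wrong way to OR two groups. With no Allow/Deny configured the host
# check passes, and Satisfy Any then skips authentication entirely.
#<Location "/dav/Clinical/grants">
#    <Limit HEAD GET OPTIONS PROPFIND>
#        Satisfy Any
#        Require ldap-group cn=ro-group,ou=groups,o=company
#        Require ldap-group cn=ro-other-group,ou=groups,o=company
#    </Limit>
#</Location>

# Correct: Require lines in one section are OR'ed in 2.2. Methods not
# named in <Limit> (PUT, DELETE, MKCOL, MOVE, COPY, LOCK, PROPPATCH, ...)
# fall into <LimitExcept>, so a forgotten method is denied, not allowed.
<Location "/dav/Clinical/grants">
    AuthType Basic
    AuthName "DAV"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=users,o=company?uid"
    <Limit HEAD GET OPTIONS PROPFIND>
        Require ldap-group cn=ro-group,ou=groups,o=company
        Require ldap-group cn=ro-other-group,ou=groups,o=company
        Require ldap-group cn=rw-group,ou=groups,o=company
    </Limit>
    <LimitExcept HEAD GET OPTIONS PROPFIND>
        Require ldap-group cn=rw-group,ou=groups,o=company
    </LimitExcept>
</Location>

### httpd 2.4 ###

# Satisfy only survives in mod_access_compat; <RequireAny> ORs the groups.
<Location "/dav/Clinical/grants">
    AuthType Basic
    AuthName "DAV"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=users,o=company?uid"
    <Limit HEAD GET OPTIONS PROPFIND>
        <RequireAny>
            Require ldap-group cn=ro-group,ou=groups,o=company
            Require ldap-group cn=ro-other-group,ou=groups,o=company
            Require ldap-group cn=rw-group,ou=groups,o=company
        </RequireAny>
    </Limit>
    <LimitExcept HEAD GET OPTIONS PROPFIND>
        Require ldap-group cn=rw-group,ou=groups,o=company
    </LimitExcept>
</Location>

# Anonymous read-only subtree. "Require all granted" satisfies
# authorization before authentication runs, so no credentials are asked
# for on GET. With AuthMerging Off (the default) the parent's Require is
# not inherited, and a method no Require covers is granted, so the write
# restriction must be restated here or PUT/DELETE become open to anyone.
<Location "/dav/Clinical/grants/public">
    <Limit HEAD GET OPTIONS PROPFIND>
        Require all granted
    </Limit>
    <LimitExcept HEAD GET OPTIONS PROPFIND>
        Require ldap-group cn=rw-group,ou=groups,o=company
    </LimitExcept>
</Location>
```

After changing any of this, check it with an unauthenticated PROPFIND and an unauthenticated PUT/DELETE against both the parent and the public path, not just a GET; <Limit>-scoped rules are only as safe as the method list, and WebDAV clients use far more methods than a browser does.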
