<Limit> and Satisfy in <Location> for mod_dav

All,

I'm having trouble getting <Limit> and Satisfy to work within a <Location>.

I'm using Apache httpd 2.2.22 on Debian Wheezy.

Now, "Satisfy" is not documented to work under <Location> elements, but
also <Limit> is not documented to work under <Location>, and seems to
work without a problem. I was wondering if it's just an accident that
<Limit> works under <Location>, but that Satisfy can't, or the
documentation is inaccurate, or if I simply can't do what I want to do.

I am trying to protect a part of my filesystem that is accessible via
WebDAV. I'm using mod_dav along with mod_auth_ldap and I'd like to be
able to do this:

<Directory /path/to/dav/some/subdir>
  <Limit HEAD GET OPTIONS PROPFIND>
    Satisfy Any
    Require ldap-group cn=some-read-only-group
    Require ldap-group cn=some-read-only-other-group
  </Limit>
  <LimitExcept HEAD GET OPTIONS PROPFIND>
    Satisfy Any
    Require ldap-group cn=some-read-write-group
  </LimitExcept>
</Directory>


The closest thing I'm able to get working is this:

<Location "/dav/Clinical/grants">
  <Limit HEAD GET OPTIONS PROPFIND>
    Require ldap-group cn=some-read-only-group
  </Limit>
  <LimitExcept HEAD GET OPTIONS PROPFIND>
    Require ldap-group cn=some-read-write-group
  </LimitExcept>
</Location>

It looks like I have to use <Location> instead of <Directory> because
<Directory> does not protect directories being handled by mod_dav. Can
someone confirm that?

Whenever I use "Satisfy Any" anywhere, it appears to apply to a
much-wider set of files than is specified in <Limit> or <Location>.

Is there a way to do complicated permissions along with WebDAV?

I'd appreciate any suggestions anyone might have.

While I'm at it, I'd like to know whether path-ordering in httpd.conf
will have any bearing on how the permissions are applied. Ideally, I'd
like to be able to set permissions on a top-level directory, then
override those permissions on a sub-directory -- not necessarily either
widening or narrowing the permissions... I might want to do a little of
both.

-chris

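The following is an added example, not part of the original post and not the poster's configuration. It sets the "Satisfy Any" form beside a form without it, using documented httpd 2.2 semantics. The group names are the post's placeholders, the third read-side group is an assumption, and the authentication directives are assumed to be set in an enclosing scope.

```apache
# Added example. Use ONE of the two <Location> blocks, not both.
# Assumed to be configured in an enclosing scope: AuthType, AuthName,
# AuthBasicProvider ldap, AuthLDAPURL.

# Weak form: in httpd 2.2, "Satisfy Any" admits a request when EITHER the
# host check (Order/Allow/Deny) OR the Require check passes. With no Deny
# in effect, the host check passes for every client, so the listed methods
# are served without any authentication at all.
<Location "/dav/Clinical/grants">
  <Limit HEAD GET OPTIONS PROPFIND>
    Satisfy Any
    Require ldap-group cn=some-read-only-group
  </Limit>
</Location>

# Corrected form: several Require lines in one scope are already
# alternatives in 2.2 (any one match grants access), so "Satisfy Any" is
# not needed to express "member of group A or group B".
<Location "/dav/Clinical/grants">
  # Satisfy All is the default; stating it guards against a
  # "Satisfy Any" inherited from a wider scope.
  Satisfy All
  <Limit HEAD GET OPTIONS PROPFIND>
    Require ldap-group cn=some-read-only-group
    Require ldap-group cn=some-read-only-other-group
    # Assumption: read-write users are not also in a read-only group,
    # so they are listed here to keep their read access.
    Require ldap-group cn=some-read-write-group
  </Limit>
  <LimitExcept HEAD GET OPTIONS PROPFIND>
    Require ldap-group cn=some-read-write-group
  </LimitExcept>
</Location>
```

Running `apachectl configtest` checks the syntax only; the policy itself has to be confirmed with an unauthenticated request and a request from a read-only account for both a read method and a write method.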