Hi all, I have a problem at the moment which has certainly been solved elsewhere, however I don't find an answer using google. We have an apache server running on a Unix system (AIX now, Solaris soon) where users upload their web data using ftp. Our problem is that our current scheme on the ftp side enables most users to see other users documents if they know the exact path to that users documents. For example: drwxrws--x 12 12286 35020 1536 Jul 08 16:37 group86 drwx-----x 2 12083 12083 512 Feb 07 13:13 user083 drwx-----x 4 12143 12143 512 Mar 02 2004 user143 drwx-----x 2 12321 12321 512 Jan 05 2001 user321 User and group names have been changed, however you get the idea. All users are stored in an ldap database and authenticate against that. There are no system users or groups. Each user gets their own unique numerical userid and groupid. The groups are done so that multiple users can be a group member. All group members need to have full access to the directory and its contents. If, for example, user143 comes in using ftp and knows that inside group86 there is a document called group86/authorised/secure_document.pdf, they can get to that document even if there is a .htaccess file in authorised protecting access through apache. This applies to all other users too. Of course this is unacceptable. We did try changing all users to have their group as apache which works find for individual users, however it breaks our groups: drwxrws--x 12 12286 apache 1536 Jul 08 16:37 group86 In the above example, the group members are no longer able to write to the directory, which is of course also not what we want. Several of us here have been trying to work out a solution, however none is forthcoming. We need to keep all user authentication data on our ldap server and there should be no system groups or users outside what is absolutely necessary to run the server. This is a problem someone else has surely already solved, and I would greatly appreciate some information on how we can solve this too. I'll even appreciate an RTFM if someone would just tell me which FM to R... regards Markus. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|