Re: [users@httpd] Problem setting up mod_alias for an external folder

On 12/11/05, Ken Tozier <kentozier@xxxxxxxxxxx> wrote:
>
> On Dec 11, 2005, at 8:12 PM, Joshua Slive wrote:
> > By "exposing the entire hierarchy" do you mean giving file-system
> > search permissions (chmod +x)?  If so, no, you can't work around this
> > in apache.  It has nothing to do with apache.  It is the file-system
> > that is denying access.  If apache can't get to the directory, there
> > is no way to serve the files.
>
> I guess the confusion on my part is: Why isn't it possible to just
> treat the Apache process as you would any other user? Add Apache
> process x from machine y to group z that is allowed to see a specified
> folder? Instead, we're forced to redefine the permissions of every
> directory in the path just so Apache can see it. The permissions are
> already set up the way we want them re group access and in the
> overall scheme of things Apache should be just another user logged
> into the server.

Apache processes are treated like any other user; well, in fact, a
particular user: the one specified in the User/Group directives in
httpd.conf.  If this User/Group can access the files using ordinary
filesystem permissions, then apache can access them.

> The mechanics of coercing a resource URL into a file system path are
> trivial. With a correctly formatted path string in hand, just send a
> file open to the underlying file system. If you get a valid file
> handle back, great, you have permission. If not, you don't. No need to
> go through all this directory permission redefinition business.

If the apache User/Group doesn't have search permissions on the
directories leading to the file in question, then the "file open to
the underlying file system" will fail.  This is an OS/filesystem
issue, and not an apache issue, as I've mentioned.

Perhaps you missed one thing: you don't necessarily need to give
wide-open +x permission to everyone; you can give it only to the
specific User/Group specified in httpd.conf.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
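
The check discussed in this message, as an added example that is not part of the original thread or of Apache's code: it walks every directory leading to a file and reports the first one the httpd User/Group cannot search, then shows that granting the search bit to the group alone is enough. The uid/gid values and the directory tree are constructed for illustration, and only the classic mode bits are evaluated (no ACLs, no root override).

```python
import os
import stat
import tempfile


def can_search(st, uid, gids):
    """Classic Unix check for the search (x) bit: owner, else group, else other.
    Mode bits only: ignores ACLs, root's override and MAC layers (assumption)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def first_blocked_dir(target, uid, gids, start="/"):
    """Return the first directory from start down to target's parent that
    uid/gids cannot search, or None if every directory can be traversed."""
    start = os.path.realpath(start)
    parent = os.path.dirname(os.path.realpath(target))
    if os.path.commonpath([start, parent]) != start:
        raise ValueError("target is not below start")
    rel = os.path.relpath(parent, start)
    current = start
    dirs = [start]
    for part in ([] if rel == "." else rel.split(os.sep)):
        current = os.path.join(current, part)
        dirs.append(current)
    for d in dirs:
        if not can_search(os.stat(d), uid, gids):
            return d
    return None


def demo():
    """Constructed tree: <tmp>/projects/site/index.html, checked for a made-up httpd uid."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.realpath(tmp)
        os.chmod(base, 0o755)
        projects = os.path.join(base, "projects")
        site = os.path.join(projects, "site")
        os.makedirs(site)
        os.chmod(site, 0o750)
        page = os.path.join(site, "index.html")
        open(page, "w").close()
        st = os.stat(projects)
        httpd_uid, httpd_gids = st.st_uid + 1, {st.st_gid}  # hypothetical httpd identity
        os.chmod(projects, 0o700)          # owner only: traversal stops here
        before = first_blocked_dir(page, httpd_uid, httpd_gids, start=base)
        os.chmod(projects, 0o710)          # search bit for the group only
        after = first_blocked_dir(page, httpd_uid, httpd_gids, start=base)
        return before, after, projects
```

With mode 0700 the walk stops at `projects`; with 0710 it returns None, because the group named for httpd can traverse the directory without anyone else gaining access.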