Hi all,

I really like apache, subversion and encryption. Maintaining files through subversion + apache already works very well, but sensitive files have to be encrypted. Encrypting files before check-in is cumbersome and makes your repository a binary mess.
I thought apache could help decrypting files (like a svn repository) on authentication. Unfortunately I could not find a working solution anywhere and nothing about impersonation, thus I tried it myself. This is what I tried:
encfs (encrypted user land file system) + libpam_encfs (decrypts home directories on the fly) + libapache2-mod-auth-pam (authentication with pam)
1. automatic mounting of the encrypted directory (/var/www/encrypted) on login (from shell) works
2. authentication through pam on a website (through apache) works
3. both combined - does not work: reading the supposedly mounted directory from apache does not work, the file does not appear in directory listings
I tried many user/group/permission combinations and now I am a bit stuck. What I did not yet try is to recompile apache with -DBIG_SECURITY_HOLE to access everything from root, I guess this is discouraged :-)
I guess this might have to do with privilege separation: http://oss.metaparadigm.com/apache-privsep/
Would that patch help me? Is there anything like that for Apache2? Does anyone know of any alternative?

Regards,
André

ps. My /etc/pam.d/apache2

    @include common-auth
    @include common-account
    auth required pam_encfs.so
    session required pam_encfs.so

Snippet from enabled site:

    AuthType Basic
    AuthName "Secure"
    Require user encrypted
    AuthPAM_Enabled on