2.2.4 Require file-group seems to forget user authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hello List:

My goal is to base web access control on the underlying Unix file system
group access. I'm using:

- AuthzUnixgroup (Third-party module which effectively replaces AuthGroupFile
 with /etc/group.  http://www.unixpapa.com/mod_authz_unixgroup/)
- Apache's "Require file-group" mechanism (mod_authz_owner)

We experience two prohibitively annoying side-effects of this, and I need
help with #2:

1) Every request for a missing file results in a request for
reauthentication. To solve this, I've added rewrite rules which check for
file existence. If a requested file doesn't exist, it rewrites the
request to an informative php script.  This works well.

2) A request for an existing file to which the authenticated user is
not authorized results in the desired request for reauthentication and
access denial.  However, when the user then returns to a file to which
s/he is authorized, s/he is again forced to reauth.  It's as if the
user's login is forgotten after every step out-of-bounds.

Is this the expected behavior for "Require file-group"?  If so, can
anyone recommend a friendlier work-around?

--

We're at: Solaris8, apache-2.2.4, SSL is enabled.

#############################################################################
<Directory /web/htdocs/TJB_TEST >
AllowOverride None
order deny,allow
deny from all
allow from .example.com
Options SymLinksIfOwnerMatch IncludesNOEXEC Indexes

DirectoryIndex /DirectoryIndexer.php

AuthName "TJB_TEST Access Controls Test"
AuthType Basic
AuthBasicProvider file
AuthUserFile /web/conf/Password.cfg

AuthzOwnerAuthoritative on
AuthzUnixgroup on

Require file-group
Satisfy all
</directory>
#############################################################################


Thanks!
--Tom

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux