On Thu, Mar 6, 2008 at 1:25 PM, Tim Edwards <t.edwards@xxxxxxxxxxx> wrote:
> I'm trying to use Apache to essentially replicate the functionality of our
> FTP server (we've found a lot of customers have corporate policies/firewalls
> stopping them accessing FTP but not http/s). The idea is that each customer
> has a Linux user created for them and can log in with Apache set up to use
> mod_auth_shadow. However I want each user to have a directory into which
> they can upload files, as well as download. I can see a few possibilities:
>
> * Use mod_userdir so each user has a https://servername.com/~username site.
> My problem with this is that I'd have to give the apache user rights to
> write to users' home directories to allow uploads, I'm not sure if this is a
> good idea security-wise. However this server is single-purpose – no one
> except administrators will be logging into it or interacting with it in any
> way except through httpd.
>
> * Use some kind of module that allows apache to spawn a sub-process running
> as the user who logged in through mod_auth_shadow. Does such a module exist?
>
> * Give up on the idea of using users' home dirs and create a setup with
> virtual hosts and a directory owned by the apache user. Eg. have all users'
> files under /var/www/users/<username> and have a virtual host for each
> /var/www/users/<username> dir. I'm not sure how to do this in any automated
> fashion though – is there a way to coerce mod_userdir into working like
> this?

You should probably start by reading this:
http://wiki.apache.org/httpd/PrivilegeSeparation

Then you need to ask yourself: do the users absolutely need to be able to
access the uploaded content through their unix logins as well as through
apache? If they don't, then just let apache manage all the authorization
process internally under its own userid.

If they do need direct access to these files, then you basically have two
choices:

1) use a CGI script to do the file management, and have this cgi script
switch users using suexec or cgiwrap;

2) set up a separate apache install (not just a vhost) for each user and run
that install under that user. The technique is described here:
http://wiki.apache.org/httpd/DifferentUserIDsUsingReverseProxy

Joshua.
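
A sketch of the layout option 2 describes, added here as an example; it is not taken from the thread or from the linked wiki page. The user name `alice`, port 8001 and every path are constructed placeholders, and the needed modules (mod_proxy, mod_proxy_http, the authentication module) are assumed to be loaded elsewhere.

```apache
# Constructed example: user "alice", port 8001 and all paths are placeholders.

# --- Front end (the public httpd, running as the normal apache user) ---
# Reverse proxy only; never act as a forward proxy.
ProxyRequests Off

<Location "/users/alice/">
    # Authenticate on the front end so the back end never sees
    # unauthenticated requests.
    AuthType Basic
    AuthName "Customer file area"
    # Directives for the authentication module already in use
    # (the thread uses mod_auth_shadow) go here.
    Require user alice

    ProxyPass        "http://127.0.0.1:8001/"
    ProxyPassReverse "http://127.0.0.1:8001/"
</Location>

# --- Back end (a separate httpd instance per customer) ---
# Assumed file: /etc/httpd-users/alice/httpd.conf
# Started with: httpd -f /etc/httpd-users/alice/httpd.conf
# When started as root, httpd switches its child processes to User/Group.
ServerRoot "/etc/httpd-users/alice"
PidFile    "run/httpd.pid"
ErrorLog   "logs/error_log"

# Loopback only: clients can reach this instance solely through the
# authenticated front-end proxy.
Listen 127.0.0.1:8001
User  alice
Group alice

DocumentRoot "/home/alice/public_html"
<Directory "/home/alice/public_html">
    Options None
    AllowOverride None
    # httpd 2.4 syntax; 2.2 uses "Order allow,deny" / "Allow from all".
    Require all granted
</Directory>
```

Files written through the back end are owned by `alice`, so the front-end apache user needs no write access to home directories. The back end trusts anything that can connect to its loopback port, which fits the single-purpose server described in the question.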