Re: how would I serve up an upload/download directory for each user

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Mar 6, 2008 at 1:25 PM, Tim Edwards <t.edwards@xxxxxxxxxxx> wrote:

> I'm trying to use Apache to essentially replicate the functionality of our
> FTP server (we've found a lot of customers have corporate policies/firewalls
> stopping them accessing FTP but not http/s). The idea is that each customer
> has a Linux user created for them and can login with Apache setup to use
> mod_auth_shadow. However I want each user to have a directory into which
> they can upload files, as well as download. I can see a few possibilities:
>
> * Use mod_userdir so each user has a https://servername.com/~username site.
> My problem with this is that I'd have to give the apache user rights to
> write to user's home directories to allow uploads, I'm not sure if this is a
> good idea security-wise. However this server is single-purpose – no one
> except administrators will be logging into it or interacting with it in any
> way except through httpd.
>
>
>
> * Use some kind of module that allows apache to spawn a sub-process running
> as the user who logged in through mod_auth_shadow. Does such a module exist?
>
>
>
> * Give up on the idea of using user's home dirs and create a setup with
> virtual hosts and a directory owned by the apache user. Eg. have all user's
> files under /var/www/users/<username> and have a virtual host for each
> /var/www/users/<username> dir. I'm not sure how to do this in any automated
> fashion though – is there a way to coerce mod_userdir into working like
> this?

You should probably start by reading this:
http://wiki.apache.org/httpd/PrivilegeSeparation

Then you need to ask youself: do the users absolutely need to be able
to access the uploaded content through their unix logins as well as
through apache? If they don't, then just let apache manage all the
authorization process internally under its own userid.

If they do need direct access to these files, then you basically have
two choices: 1) use a CGI script to do the file management, and have
this cgi script switch users using suexec or cgiwrap; 2) setup a
separate apache install (not just a vhost) for each user and run that
install under that user. The technique is described here:
http://wiki.apache.org/httpd/DifferentUserIDsUsingReverseProxy

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux