User/group authorization for sub-directory locations

Is it possible to override Require statements of parent Location sections in a Location section of a sub-tree?

I'm trying to see if we can use the user/group authorization facilities to control access for users to a (non-public) tree served by our web server.

More fine-grained needs may come later, but right now the basic requirement is that only one group of users will have access to the whole tree, and then grant some users and groups access to areas (i.e. direct or indirect sub-trees) within the tree.

We use the external mod_auth_pam to authenticate our users (they all have actual Unix user accounts in the network, and obviously we don't want to duplicate their information in a htpasswd file), and mod_auth_sys_group to have Apache recognize our Unix groups.

In real life this will be served by an Apache module with some HTTP methods to read and others to write, and additional configuration to determine the actual data server. However to cut the mess and demonstrate what I'm trying, here's the relevant part of a very minimal configuration I'm experimenting with:

<Location /local>
	Require group system
</Location>

This should grant by default only group system access to everything served under http://server/local.

Now, say that there is some subtree, http://server/local/buz, which should in general be accessible to group buzzers. If I add a section like:

<Location /local/buz>
	Require group buzzers
</Location>

This will further restrict access to /local/buz, denying it to those not in group buzzers, even if they are in group system. However what I am trying to achieve is the opposite - allow access to anybody in group buzzers, in addition to those in group system who are granted access by the Require line in the /local location.

I tried putting "Satisfy Any" in the /local/buz Location, which granted access to people in group buzzers even if they are not in group system, but also overrode the restriction anywhere else in /local.

According to the documentation example "Removing controls in subdirectories" in http://httpd.apache.org/docs/2.2/mod/core.html#require, it is possible to use "Satisfy Any" in a directory section to remove restrictions on a parent directory. However, in this specific case Directory sections cannot be used, because the objects are not served from an actual directory on the local filesystem, but using DAV, mod_perl and some rewrite rules. Looking at the source, it appears that the rules for the order of matching Location rules are different from those of matching Directory rules.

Any ideas, suggestions, or insights? I'm trying to avoid having to write a new authz module, so for now I'll try to insert some debug logging lines into the ap_hook_auth_checker function in mod_auth_sys_group to see what require rules it considers for every request.

 Thanks,
 -- Tom

--
 Tom Alsberg - hacker (being the best description fitting this space)
 Web page:	http://www.cs.huji.ac.il/~alsbergt/
DISCLAIMER:  The above message does not even necessarily represent what
my fingers have typed on the keyboard, save anything further.
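An added configuration example (not part of the original post, and not the poster's own setup) for the Apache 2.2 behaviour described above: the Require lines of the most specific matching Location replace those of the parent rather than being added to them, so a sub-tree that should admit an extra group has to repeat the parent's group as well. The AuthType/AuthName lines are placeholders for whatever the poster's mod_auth_pam setup uses, and it is assumed that mod_auth_sys_group accepts several group names on one "Require group" line, as the stock mod_authz_groupfile does; the group names system and buzzers are the ones from the post.

```apache
# Added example, not from the original post.
# Assumes: AuthType/AuthName are placeholders for the poster's mod_auth_pam
# configuration, and mod_auth_sys_group accepts a list of groups on a single
# "Require group" line (as mod_authz_groupfile does).

# Parent tree: only members of Unix group "system".
<Location /local>
    AuthType Basic
    AuthName "Local tree"
    Satisfy All
    Require group system
</Location>

# Sub-tree: in 2.2 the Require directives of the most specific matching
# section replace the parent's instead of being merged with them, so the
# parent's group must be listed again here. Authenticated members of either
# group pass; everyone else is still refused.
<Location /local/buz>
    Satisfy All
    Require group system buzzers
</Location>

# Weak variant, for comparison: with no Order/Allow/Deny in the section the
# host-based access check passes for every client, so "Satisfy Any" admits
# anyone at all, authenticated or not. That is exactly what the documented
# "Removing controls in subdirectories" example relies on to lift
# restrictions deliberately, and why it is unsuitable here.
#
# <Location /local/buz>
#     Satisfy Any
#     Require group buzzers
# </Location>
```

The same replace-rather-than-merge rule applies in Apache 2.4 (AuthMerging defaults to Off), where the multi-group Require line still works and <RequireAny> can express the same "either group" condition explicitly.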

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.