Re: How to serve up different content depending on authenticated user


 



Matt - That method didn't work for me... it got into an internal recursion and bombed out after 10 redirects. I think you do perhaps need to test for something to stop it going on forever.

Andre - I think you are right... that's why you still need to have a "Require user <user>" in a separate directive for each directory.... it's a pain but the only way I can see it working. I think perhaps you could write a macro to automatically add this directive for each directory - but I haven't got into that yet.

Steve

On Thu, Feb 5, 2009 at 6:41 PM, André Warnier <aw@xxxxxxxxxx> wrote:
Matt McCutchen wrote:
On Thu, 2009-02-05 at 18:01 +1000, Steve Dalton wrote:
I managed to do something similar in the end, using the prefix user_
for each user directory then adding .htaccess to root dir of:

AuthType Basic
AuthName "Restricted Files"
AuthUserFile /var/www/passwd/htpasswd
Require valid-user

RewriteEngine on
RewriteCond $1 !^user_
RewriteCond %{REMOTE_USER} ^([a-z0-9_]+)$
RewriteRule (.*) /var/www/accesstest/user_%1/$1 [

The only problem with this is that any user could access other users'
directories... so I then had to add an additional .htaccess of
require user spidie

to the user_spidie directory... etc etc.

If you put the rewrite rules in the main server configuration rather
than an htaccess file, you don't have to worry about them being run
multiple times, so you can drop the user_ prefix and condition.  You
don't need to condition on %{REMOTE_USER} either because rewrite rules
don't run until after the user gains authorization.  The rule I gave
earlier (updated for your directory name) should just work:

RewriteRule ^(.*)$ /var/www/accesstest/%{REMOTE_USER}/$1

(Not trying to be sarcastic here, it's a genuine question)

What happens if Evil Hacker me logs in as user1 and then requests in my browser http://foo.com/../user2/index.html ?
Taken literally, the RewriteRule above should rewrite this as
/var/www/accesstest/user1/../user2/index.html
no ?
Is some other inner security measure stripping that .. somewhere ?



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.




--
I did have a signature, but the dog ate it.

google:steve.dalton | skype:spidieman | msn: msn@xxxxxxxxxxxxxxx | yahoo:daltonsp | aol: spidie100 | twitter: @spidie | mynetfone:09203861
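
Added example, not part of any message in the thread and not Apache's own code: a Python sketch of the containment check that the `../user2` question points at, comparing literal substitution with a mapping that normalises the path and refuses anything outside the authenticated user's directory. The function names and sample requests are constructed for illustration; it models the mapping only and makes no claim about what httpd itself does with `..`.

```python
import posixpath
import re

BASE = "/var/www/accesstest"          # directory name used in the thread
USER_RE = re.compile(r"[a-z0-9_]+")   # same character class as the thread's RewriteCond


def naive_map(remote_user, url_path):
    """Literal substitution with no normalisation (the reading in the question)."""
    return f"{BASE}/{remote_user}/{url_path.lstrip('/')}"


def confined_map(remote_user, url_path):
    """Return the file path inside the user's directory, or None if it escapes.

    Hypothetical helper: the check is lexical only and does not follow symlinks.
    """
    # The user name becomes a path segment, so it must not carry '/' or '..'.
    if not USER_RE.fullmatch(remote_user):
        return None
    root = posixpath.join(BASE, remote_user)
    # Strip leading slashes so join() cannot be reset by an absolute path,
    # then collapse '.' and '..' before comparing against the user's root.
    candidate = posixpath.normpath(posixpath.join(root, url_path.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def demo():
    """Run constructed sample requests as user1; returns (path, naive, confined)."""
    samples = ["/index.html", "/docs/../index.html", "/../user2/index.html",
               "/../user10/index.html"]
    return [(p, naive_map("user1", p), confined_map("user1", p)) for p in samples]


if __name__ == "__main__":
    for path, naive, confined in demo():
        print(f"{path:28} naive={naive}  confined={confined}")
```

Comparing against `root + "/"` rather than the bare prefix is what keeps `user1` from matching `user10`.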
