From: Andre Malo Date: Fri, 17 Jan 2003 01:53:07 +0000 (+0000) Subject: add documentation for mod_authz_owner X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=3bd31e0e95c23a15900790f7762a342b830701e1;p=apache add documentation for mod_authz_owner git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@98300 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/mod/mod_authz_owner.xml b/docs/manual/mod/mod_authz_owner.xml new file mode 100644 index 0000000000..b55db4aefe --- /dev/null +++ b/docs/manual/mod/mod_authz_owner.xml @@ -0,0 +1,151 @@ + + + + + +mod_authz_owner +Authorization based on file ownership +Extension +mod_authz_owner.c +authz_owner_module +Available in Apache 2.1 and later + + +

This module authorizes access to files by comparing the userid used + for HTTP authentication (the web userid) with the file-system owner or + group of the requested file. The supplied username and password + must be already properly verified by an authentication module, + such as mod_auth_basic or + mod_auth_digest. mod_authz_owner + recognizes two arguments for the Require directive, file-owner and + file-group, as follows:

+ +
+
file-owner
+
The supplied web-username must match the system's name for the + owner of the file being requested. That is, if the operating system + says the requested file is owned by jones, then the + username used to access it through the web must be jones + as well.
+ +
file-group
+
The name of the system group that owns the file must be present + in a group database, which is provided, for example, by mod_authz_groupfile or mod_authz_dbm, + and the web-username must be a member of that group. For example, if + the operating system says the requested file is owned by (system) + group accounts, the group accounts must + appear in the group database and the web-username used in the request + must be a member of that group.
+
+ + Note +

If mod_authz_owner is used in order to authorize + a resource that is not actually present in the filesystem + (i.e. a virtual resource), it will deny the access.

+ +

Particularly it will never authorize content negotiated + "MultiViews" resources.

+
+
+Require +Satisfy + +
Configuration Examples + +
Require file-owner +

Consider a multi-user system running the Apache Web server, with + each user having his or her own files in ~/public_html/private. Assuming that there is a single + AuthDBMUserFile database + that lists all of their web-usernames, and that these usernames match + the system's usernames that actually own the files on the server, then + the following stanza would allow only the user himself access to his + own files. User jones would not be allowed to access + files in /home/smith/public_html/private unless they + were owned by jones instead of smith.

+ + + <Directory /home/*/public_html/private>
+ + AuthType Basic
+ AuthName MyPrivateFiles
+ AuthBasicProvider dbm
+ AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all
+ Satisfy All
+ Require file-owner
+
+ </Directory> +
+
+ +
Require file-group +

Consider a system similar to the one described above, but with + some users that share their project files in + ~/public_html/project-foo. The files are owned by the + system group foo and there is a single AuthDBMGroupFile database that + contains all of the web-usernames and their group membership, + i.e. they must be at least member of a group named + foo. So if jones and smith + are both member of the group foo, then both will be + authorized to access the project-foo directories of + each other.

+ + + <Directory /home/*/public_html/project-foo>
+ + AuthType Basic
+ AuthName "Project Foo Files"
+ AuthBasicProvider dbm
+
+ # combined user/group database
+ AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all
+ AuthDBMGroupFile /usr/local/apache2/etc/.htdbm-all
+
+ Satisfy All
+ Require file-group
+
+ </Directory> +
+
+
+ + +AuthzOwnerAuthoritative +Sets whether authorization will be passed on to lower level +modules +AuthzOwnerAuthoritative On|Off +AuthzOwnerAuthoritative On +directory.htaccess + +AuthConfig + + +

Setting the AuthzOwnerAuthoritative + directive explicitly to Off allows for + user authorization to be passed on to lower level modules (as defined + in the modules.c files) if:

+ +
    +
  • in the case of file-owner the file-system owner does not + match the supplied web-username or could not be determined, or
  • + +
  • in the case of file-group the file-system group does not + contain the supplied web-username or could not be determined.
  • +
+ +

Note that setting the value to Off also allows the + combination of file-owner and file-group, so + access will be allowed if either one or the other (or both) match.

+ +

By default, control is not passed on and an authorization failure + will result in an "Authentication Required" reply. Not + setting it to Off thus keeps the system secure and forces + an NCSA compliant behaviour.

+
+
+ +
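Review bot: the "Note" paragraph and the AuthzOwnerAuthoritative section contradict each other on resources whose owner cannot be determined. The Note states that a resource "that is not actually present in the filesystem" (including MultiViews-negotiated content) "will deny the access" unconditionally, but the AuthzOwnerAuthoritative text says that with the directive set to Off, authorization is passed to lower level modules when the file-system owner or group "could not be determined", which is exactly the virtual-resource case. Either the Note should say "will deny the access unless AuthzOwnerAuthoritative is Off, in which case the decision is passed on", or the directive text should drop the "could not be determined" clause; as written, a reader cannot tell which behaviour applies. Two smaller wording fixes in the file-group example: "they must be at least member of a group named foo" should read "members of a group", and "if jones and smith are both member of the group foo" should read "are both members"; the combined user/group database comment in the same example would also benefit from a sentence noting that the group entry must list the same web-usernames the user database authenticates, since the earlier description already requires the web-username and the system username to coincide.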
diff --git a/docs/manual/sitemap.xml b/docs/manual/sitemap.xml index deb7bcdd56..a5005aa267 100644 --- a/docs/manual/sitemap.xml +++ b/docs/manual/sitemap.xml @@ -138,6 +138,7 @@ Server on HPUX mod_authz_default.xml mod_authz_groupfile.xml mod_authz_host.xml + mod_authz_owner.xml mod_authz_user.xml mod_auth_ldap.xml mod_autoindex.xml