-v1.1.0 (Jan Wolter - )
+v1.1.0 (Jan Wolter - Oct 6, 2011)
-----------------------------------
- * Revised to work with Apache 2.4.
+ * Revised to work as an access control provider in Apache 2.4.
+ * Eliminated "AuthzUnixgroup on" directive because it is no longer needed.
+ * Eliminated "AuthnzUnixgroupError 403" directive because it is supplanted
+ by "AuthzSendForbiddenOnFailure On".
+ * Eliminated "AuthzUnixgroupAuthoritative off" directive because the whole
+ concept of authoritativeness is dead for access control providers in
+ Apache 2.4.
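Review bot: the v1.1.0 entry now carries the date Oct 6, 2011, which is identical to the v1.0.3 entry directly below it; since v1.1.0 is the Apache 2.4 rework, this looks like the older entry's date copied forward rather than the actual release date, so please set the real one. The three "Eliminated ..." bullets are useful, but the replacement for the first one ("AuthzUnixgroup on") is not stated here the way it is for the other two; add "replaced by the distinct Require unix-group / unix-file-group names" so the changelog alone tells an upgrader what to change.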
v1.0.3 (Jan Wolter - Oct 6, 2011)
------------------------------------
CONFIGURATION:
--------------
-Mod_authz_unixgroup is pretty simple to use. First, you need to enable it
-for whatever directory you want to use it in, by inserting the following
-directive either in a .htaccess file in the directory or a <Directory> block
-in the httpd.conf file:
+Mod_authz_unixgroup is extremely simple to use. Presumably you already are
+setting up some kind of authentication in a .htaccess file or in a
+<Directory> block in the httpd.conf file. You'll just need to change the
+"Require" directive there to something like:
- AuthzUnixgroup on
-
-Second, you will need a require directive like
-
- Require group admin
+ Require unix-group admin
or
- Require group students teachers staff
+ Require unix-group students teachers staff
Obviously this only makes sense in a directory where you are doing
authentication. This could be any kind of authentication, but it makes
It is also possible to list groups by gid number instead of name, like
- Require group 10
+ Require unix-group 10
would be equivalent to "Require group admin" if the gid listed for the group
admin in /etc/group is 10.
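Review bot: the unchanged line 'would be equivalent to "Require group admin"' still uses the pre-2.4 "Require group" form that this patch replaces everywhere else; change it to "Require unix-group admin" so the gid example does not point readers at a Require name this module no longer handles.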
mod_authz_unixgroup to check access based on file groups. For example if
we do:
- AuthzUnixgroup on
- Require file-group
+ Require unix-file-group
Then a user will be able to access a file if and only if that file is owned
by a group of which the user is a member.
+Changes from Previous Versions:
+-------------------------------
+
+Previous versions of mod_authz_unixgroup needed a 'AuthzUnixgroup on' to
+tell Apache that the "Require file-group" directive was supposed to be
+handled by mod_authz_unixgroup. Now we have a distinct directive,
+"Require unix-file-group" instead, so the 'AuthzUnixgroup' is no longer
+needed and no longer exists.
+
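Review bot: this new section says 'AuthzUnixgroup on' was needed for the "Require file-group" directive, but the removed configuration text above shows it was equally required for "Require group ...", which this patch likewise renames to "Require unix-group ...". State both, because a plain "Require group" line left over from an old config will no longer be evaluated by this module (the text below names mod_authz_groupfile and mod_authz_dbm as the other checkers of that name), so the Unix-group check would silently stop applying. The heading and underline follow the file's convention, but the section is dropped into the middle of CONFIGURATION ahead of the 401/403 paragraph, which itself discusses the old directives; consider moving it after that material or to the end of the section.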
Normally, when an access check fails, mod_authz_unixgroup will return a
HTTP 401 error. This will typically cause the browser to pop up a message
saying "Authentication Failed" and then the browser will ask for a new login
"Require file-group" directive, you may not want to log the user off every time
he hits a file he doesn't have access to. Maybe you'd rather just show a
"Permission denied message" and not log him off. You could do that by
-directing mod_authz_unixgroup to return a 403 error instead of a 401 error.
-You can do this with the following directive:
-
- AuthnzUnixgroupError 403
+returning 403 error instead of a 401 error. Older versions of
+mod_authz_unixgroup had a directive called 'AuthnzUnixgroupError' that did
+this, but in Apache 2.4 that is replaced with a new standard Apache directive:
-By default, mod_authz_unixgroup is authoritative. If you want to use more
-than one group checker, like mod_authz_unixgroup together with
-mod_authz_groupfile or mod_authz_dbm, then you'll want to make them non-
-authoritative, so that if one fails, the other will be tried. You can
-make mod_authz_unixgroup non-authoritative by saying:
+ AuthzUnixgroupAuthoritative off
- AuthzUnixgroupAuthoritative off
+There also used to be an 'AuthzUnixgroupAuthoritative' directive which is
+also gone, since the whole concept of authoritativeness no longer applies
+to access control providers in Apache 2.4.
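Review bot: the added line ' AuthzUnixgroupAuthoritative off' sits directly after "in Apache 2.4 that is replaced with a new standard Apache directive:", so the 401/403 paragraph now names the wrong directive. Per the changelog at the top, the replacement is 'AuthzSendForbiddenOnFailure On', and that is the line that should appear here; the stray line also contradicts the very next paragraph, which says AuthzUnixgroupAuthoritative no longer exists, and reads as a leftover from the removed authoritative block. Suggested replacement for that one line:
 AuthzSendForbiddenOnFailure On
Separately, the opening sentence of the paragraph still says "mod_authz_unixgroup will return a HTTP 401 error"; since the text now attributes the 401-vs-403 choice to a standard Apache directive rather than to this module, reword it so it does not imply the module itself picks the status.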
That would cause mod_auth_basic and mod_authnz_external to do authentication
based on the Unix passwd database. Mod_Authz_Unixgroup would come into play
if you wanted to further restrict access to specific Unix groups. You might
-append the following directives:
+append the following directive:
- AuthzUnixgroup on
- Require group staff admin
+ Require unix-group staff admin
This would allow only access to accounts in the 'staff' or 'admin' unix groups.
You can alternately specify groups by their gid numbers instead of their names.
Or you could use mod_authz_unixgroup together with the standard apache module
mod_authz_owner to do something like:
- Require file-group
+ Require unix-file-group
This would allow access to the page, only the user was a member of the unix
group that owns the file.
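Review bot: the unchanged lead-in "together with the standard apache module mod_authz_owner" is now stale: the old example paired this module with mod_authz_owner to serve "Require file-group", whereas "Require unix-file-group" is described in the new section above as this module's own distinct directive, so mod_authz_owner no longer plays a part in the example. Either drop the mod_authz_owner reference or say what it still contributes. The trailing sentence is also missing a word: "only if the user was a member of the unix group that owns the file".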
and ignore the rest.
Mod_authnz_external is available from:
- http://www.unixpapa.com/mod_auth_external/
+ http://code.google.com/p/mod-auth-external/
Pwauth is available from:
- http://www.unixpapa.com/pwauth/
+ http://code.google.com/p/pwauth/
It might also be possible to use this with mod_auth_shadow, expecially if a
authn/authz version of that is ever released.
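Review bot: the two URL updates look fine, but the trailing context has two pre-existing typos worth fixing in the same pass: "expecially" should be "especially" and "a authn/authz version" should be "an authn/authz version".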