<?xml version="1.0"?>
<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
<!-- $LastChangedRevision$ -->

<!--
 Licensed to the Apache Software Foundation (ASF) under one or more
 contributor license agreements.  See the NOTICE file distributed with
 this work for additional information regarding copyright ownership.
 The ASF licenses this file to You under the Apache License, Version 2.0
 (the "License"); you may not use this file except in compliance with
 the License.  You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
-->

<modulesynopsis metafile="mod_authz_owner.xml.meta">

<name>mod_authz_owner</name>
<description>Authorization based on file ownership</description>
<status>Extension</status>
<sourcefile>mod_authz_owner.c</sourcefile>
<identifier>authz_owner_module</identifier>
<compatibility>Available in Apache 2.1 and later</compatibility>

<summary>
    <p>This module authorizes access to files by comparing the userid used
    for HTTP authentication (the web userid) with the file-system owner or
    group of the requested file. The supplied username and password
    must already have been properly verified by an authentication module,
    such as <module>mod_auth_basic</module> or
    <module>mod_auth_digest</module>. <module>mod_authz_owner</module>
    recognizes two arguments for the <directive module="mod_authz_core"
    >Require</directive> directive, <code>file-owner</code> and
    <code>file-group</code>, as follows:</p>

    <dl>
      <dt><code>file-owner</code></dt>
      <dd>The supplied web-username must match the system's name for the
      owner of the file being requested. That is, if the operating system
      says the requested file is owned by <code>jones</code>, then the
      username used to access it through the web must be <code>jones</code>
      as well.</dd>

      <dt><code>file-group</code></dt>
      <dd>The name of the system group that owns the file must be present
      in a group database, which is provided, for example, by <module
      >mod_authz_groupfile</module> or <module>mod_authz_dbm</module>,
      and the web-username must be a member of that group. For example, if
      the operating system says the requested file is owned by (system)
      group <code>accounts</code>, the group <code>accounts</code> must
      appear in the group database and the web-username used in the request
      must be a member of that group.</dd>
    </dl>

    <note><title>Note</title>
      <p>If <module>mod_authz_owner</module> is used in order to authorize
      a resource that is not actually present in the filesystem
      (<em>i.e.</em> a virtual resource), it will deny the access.</p>

      <p>In particular, it will never authorize <a
      href="../content-negotiation.html#multiviews">content negotiated
      "MultiViews"</a> resources.</p>
    </note>
</summary>
<seealso><directive module="mod_authz_core">Require</directive></seealso>

<section id="examples"><title>Configuration Examples</title>

<section id="examples.file-owner"><title>Require file-owner</title>
    <p>Consider a multi-user system running the Apache Web server, with
    each user having his or her own files in <code
    >~/public_html/private</code>. Assuming that there is a single
    <directive module="mod_authn_dbm">AuthDBMUserFile</directive> database
    that lists all of their web-usernames, and that these usernames match
    the system usernames that actually own the files on the server, then
    the following stanza would allow each user access only to his or her
    own files. User <code>jones</code> would not be allowed to access
    files in <code>/home/smith/public_html/private</code> unless they
    were owned by <code>jones</code> instead of <code>smith</code>.</p>

    <highlight language="config">
<Directory "/home/*/public_html/private">
    AuthType Basic
    AuthName MyPrivateFiles
    AuthBasicProvider dbm
    AuthDBMUserFile "/usr/local/apache2/etc/.htdbm-all"
    Require file-owner
</Directory>
    </highlight>
</section>

<section id="examples.file-group"><title>Require file-group</title>
    <p>Consider a system similar to the one described above, but with
    some users that share their project files in
    <code>~/public_html/project-foo</code>. The files are owned by the
    system group <code>foo</code> and there is a single <directive
    module="mod_authz_dbm">AuthDBMGroupFile</directive> database that
    contains all of the web-usernames and their group membership,
    <em>i.e.</em> the users must at least be members of a group named
    <code>foo</code>. So if <code>jones</code> and <code>smith</code>
    are both members of the group <code>foo</code>, then both will be
    authorized to access each other's <code>project-foo</code>
    directories.</p>

    <highlight language="config">
<Directory "/home/*/public_html/project-foo">
    AuthType Basic
    AuthName "Project Foo Files"
    AuthBasicProvider dbm

    # combined user/group database
    AuthDBMUserFile "/usr/local/apache2/etc/.htdbm-all"
    AuthDBMGroupFile "/usr/local/apache2/etc/.htdbm-all"

    Satisfy All
    Require file-group
</Directory>
    </highlight>
</section>
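<p>The decision made by both stanzas above (<code>Require file-owner</code> and
<code>Require file-group</code>), as an added emulation in Python that is not
part of the Apache documentation or of <code>mod_authz_owner.c</code>. It
assumes a POSIX host, reads a group database in the plain-text format of
<module>mod_authz_groupfile</module> rather than the DBM file of the examples
(the sample database is constructed), and denies a resource with no file
behind it, as the note in the summary describes.</p>

```python
import grp
import os
import pwd
from typing import Dict, Optional, Set, Tuple

# Constructed sample in mod_authz_groupfile's "group: member member" format.
SAMPLE_GROUPFILE = """\
foo: jones smith
accounts: miller
"""


def parse_groupfile(text: str) -> Dict[str, Set[str]]:
    """Parse 'group: member member ...' lines into {group: {members}}."""
    groups: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, members = line.split(":", 1)
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups


def file_owner_and_group(path: str) -> Optional[Tuple[str, str]]:
    """Resolve (owner name, group name) of a file on disk.

    Returns None when nothing exists at path (a virtual resource) or the
    uid/gid cannot be mapped to a name; the caller treats None as deny."""
    try:
        st = os.stat(path)
        return pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
    except (FileNotFoundError, NotADirectoryError, KeyError):
        return None


def authorize(require: str, web_user: str,
              ownership: Optional[Tuple[str, str]],
              groups: Dict[str, Set[str]]) -> bool:
    """Emulate 'Require file-owner' / 'Require file-group' for one request.

    ownership is the (owner, group) pair from the filesystem, or None for
    a resource that is not present on disk, which is always denied."""
    if ownership is None:
        return False
    owner, group = ownership
    if require == "file-owner":
        # The authenticated web user must be the file's owning user.
        return web_user == owner
    if require == "file-group":
        # The file's system group must appear in the group database and
        # the web user must be listed as one of its members.
        return web_user in groups.get(group, set())
    raise ValueError(f"unsupported Require argument: {require}")
```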
</section>

</modulesynopsis>