mod_authz_owner.html.en revision 101bf3584c853027d9e51df6edfff5ff70c80238
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 This file is generated from xml source: DO NOT EDIT
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 -->
<title>mod_authz_owner - Apache HTTP Server</title>
<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
<link href="/images/favicon.ico" rel="shortcut icon" /></head>
<body>
<div id="page-header">
<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="/faq/">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.1</p>
<img alt="" src="/images/feather.gif" /></div>
<div id="page-content">
<div id="preamble"><h1>Apache Module mod_authz_owner</h1>
<div class="toplang">
<p><span>Available Languages: </span><a href="/en/mod/mod_authz_owner.html" title="English">&nbsp;en&nbsp;</a> |
<a href="/ja/mod/mod_authz_owner.html" hreflang="ja" rel="alternate" title="Japanese">&nbsp;ja&nbsp;</a> |
<a href="/ko/mod/mod_authz_owner.html" hreflang="ko" rel="alternate" title="Korean">&nbsp;ko&nbsp;</a></p>
</div>
<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Authorization based on file ownership</td></tr>
<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="module-dict.html#ModuleIdentifier">Module&nbsp;Identifier:</a></th><td>authz_owner_module</td></tr>
<tr><th><a href="module-dict.html#SourceFile">Source&nbsp;File:</a></th><td>mod_authz_owner.c</td></tr>
<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.1 and later</td></tr></table>
<h3>Summary</h3>

 <p>This module authorizes access to files by comparing the userid used
 for HTTP authentication (the web userid) with the file-system owner or
 group of the requested file. The supplied username and password
 must already have been verified by an authentication module,
 such as <code class="module"><a href="/mod/mod_auth_basic.html">mod_auth_basic</a></code> or
 <code class="module"><a href="/mod/mod_auth_digest.html">mod_auth_digest</a></code>. <code class="module"><a href="/mod/mod_authz_owner.html">mod_authz_owner</a></code>
 recognizes two arguments for the <code class="directive"><a href="/mod/core.html#require">Require</a></code> directive, <code>file-owner</code> and
 <code>file-group</code>, as follows:</p>

 <dl>
 <dt><code>file-owner</code></dt>
 <dd>The supplied web-username must match the system's name for the
 owner of the file being requested. That is, if the operating system
 says the requested file is owned by <code>jones</code>, then the
 username used to access it through the web must be <code>jones</code>
 as well.</dd>

 <dt><code>file-group</code></dt>
 <dd>The name of the system group that owns the file must be present
 in a group database, which is provided, for example, by <code class="module"><a href="/mod/mod_authz_groupfile.html">mod_authz_groupfile</a></code> or <code class="module"><a href="/mod/mod_authz_dbm.html">mod_authz_dbm</a></code>,
 and the web-username must be a member of that group. For example, if
 the operating system says the requested file is owned by (system)
 group <code>accounts</code>, the group <code>accounts</code> must
 appear in the group database and the web-username used in the request
 must be a member of that group.</dd>
 </dl>

 <div class="note"><h3>Note</h3>
 <p>If <code class="module"><a href="/mod/mod_authz_owner.html">mod_authz_owner</a></code> is used in order to authorize
 a resource that is not actually present in the filesystem
 (<em>i.e.</em> a virtual resource), it will deny the access.</p>

 <p>In particular, it will never authorize <a href="/content-negotiation.html#multiviews">content negotiated
 "MultiViews"</a> resources.</p>
 </div>
</div>
<div id="quickview"><h3 class="directives">Directives</h3>
<ul id="toc">
<li><img alt="" src="/images/down.gif" /> <a href="#authzownerauthoritative">AuthzOwnerAuthoritative</a></li>
</ul>
<h3>Topics</h3>
<ul id="topics">
<li><img alt="" src="/images/down.gif" /> <a href="#examples">Configuration Examples</a></li>
</ul><h3>See also</h3>
<ul class="seealso">
<li><code class="directive"><a href="/mod/core.html#require">Require</a></code></li>
<li><code class="directive"><a href="/mod/core.html#satisfy">Satisfy</a></code></li>
</ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="/images/up.gif" /></a></div>
<div class="section">
<h2><a name="examples" id="examples">Configuration Examples</a></h2>

 <h3><a name="examples.file-owner" id="examples.file-owner">Require file-owner</a></h3>
 <p>Consider a multi-user system running the Apache Web server, with
 each user having his or her own files in <code>~/public_html/private</code>. Assuming that there is a single
 <code class="directive"><a href="/mod/mod_authn_dbm.html#authdbmuserfile">AuthDBMUserFile</a></code> database
 that lists all of their web-usernames, and that these usernames match
 the system usernames that actually own the files on the server, then
 the following stanza would allow each user access only to his or her
 own files. User <code>jones</code> would not be allowed to access
 files in <code>/home/smith/public_html/private</code> unless they
 were owned by <code>jones</code> instead of <code>smith</code>.</p>

 <div class="example"><p><code>
 &lt;Directory /home/*/public_html/private&gt;<br />
 <span class="indent">
 AuthType Basic<br />
 AuthName MyPrivateFiles<br />
 AuthBasicProvider dbm<br />
 AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all<br />
 Satisfy All<br />
 Require file-owner<br />
 </span>
 &lt;/Directory&gt;
 </code></p></div>


 <h3><a name="examples.file-group" id="examples.file-group">Require file-group</a></h3>
 <p>Consider a system similar to the one described above, but with
 some users who share their project files in
 <code>~/public_html/project-foo</code>. The files are owned by the
 system group <code>foo</code> and there is a single <code class="directive"><a href="/mod/mod_authz_dbm.html#authdbmgroupfile">AuthDBMGroupFile</a></code> database that
 contains all of the web-usernames and their group membership,
 <em>i.e.</em> they must at least be members of a group named
 <code>foo</code>. So if <code>jones</code> and <code>smith</code>
 are both members of the group <code>foo</code>, then both will be
 authorized to access each other's <code>project-foo</code>
 directories.</p>

 <div class="example"><p><code>
 &lt;Directory /home/*/public_html/project-foo&gt;<br />
 <span class="indent">
 AuthType Basic<br />
 AuthName "Project Foo Files"<br />
 AuthBasicProvider dbm<br />
 <br />
 # combined user/group database<br />
 AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all<br />
 AuthDBMGroupFile /usr/local/apache2/etc/.htdbm-all<br />
 <br />
 Satisfy All<br />
 Require file-group<br />
 </span>
 &lt;/Directory&gt;
 </code></p></div>

</div>
<div class="directive-section"><h2><a name="AuthzOwnerAuthoritative" id="AuthzOwnerAuthoritative">AuthzOwnerAuthoritative</a> <a name="authzownerauthoritative" id="authzownerauthoritative">Directive</a></h2>
<table class="directive">
<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Sets whether authorization will be passed on to lower level
modules</td></tr>
<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>AuthzOwnerAuthoritative On|Off</code></td></tr>
<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>AuthzOwnerAuthoritative On</code></td></tr>
<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_authz_owner</td></tr>
</table>
 <p>Setting the <code class="directive">AuthzOwnerAuthoritative</code>
 directive explicitly to <code>Off</code> allows for
 user authorization to be passed on to lower level modules (as defined
 in the <code>modules.c</code> files) if:</p>

 <ul>
 <li>in the case of <code>file-owner</code> the file-system owner does not
 match the supplied web-username or could not be determined, or</li>

 <li>in the case of <code>file-group</code> the file-system group does not
 contain the supplied web-username or could not be determined.</li>
 </ul>

 <p>Note that setting the value to <code>Off</code> also allows the
 combination of <code>file-owner</code> and <code>file-group</code>, so
 access will be allowed if either one or the other (or both) match.</p>

 <p>By default, control is not passed on and an authorization failure
 will result in an "Authentication Required" reply. Leaving the
 directive at its default (not setting it to <code>Off</code>) thus keeps the system secure and enforces
 NCSA-compliant behaviour.</p>
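
 <p>The decisions documented for <code>file-owner</code>, <code>file-group</code> and <code>AuthzOwnerAuthoritative</code> can be modelled as follows. This is an added example, not code from mod_authz_owner or the Apache project; the result labels, the <code>group_db</code> mapping, the name-lookup hooks and the treatment of a missing file as "could not be determined" are assumptions of the model.</p>

```python
import grp
import os
import pwd
import tempfile

# Labels chosen for this model; they are not taken from the module's source.
OK, DENIED, DECLINED = "OK", "DENIED", "DECLINED"


def check(require, path, web_user, group_db=None, authoritative=True,
          uid_to_name=None, gid_to_name=None):
    """Model one `Require file-owner` or `Require file-group` decision.

    group_db maps group name -> set of web usernames and stands in for the
    group database. The *_to_name hooks are hypothetical seams for testing;
    by default the system passwd and group databases are consulted.
    """
    uid_to_name = uid_to_name or (lambda uid: pwd.getpwuid(uid).pw_name)
    gid_to_name = gid_to_name or (lambda gid: grp.getgrgid(gid).gr_name)
    # On (default): a failure ends authorization. Off: lower modules decide.
    failure = DENIED if authoritative else DECLINED
    try:
        st = os.stat(path)  # a virtual resource has nothing to stat
        if require == "file-owner":
            return OK if uid_to_name(st.st_uid) == web_user else failure
        if require == "file-group":
            # The owning group must exist in the group database AND list the user.
            members = (group_db or {}).get(gid_to_name(st.st_gid), ())
            return OK if web_user in members else failure
    except (OSError, KeyError):
        return failure  # assumption: treated as "could not be determined"
    raise ValueError(f"unsupported Require argument: {require!r}")


def either_matches(path, web_user, group_db, **hooks):
    """AuthzOwnerAuthoritative Off with both arguments: one match is enough."""
    return any(check(req, path, web_user, group_db, False, **hooks) == OK
               for req in ("file-owner", "file-group"))


if __name__ == "__main__":
    # Constructed sample: a temp file presented as owned by smith:foo.
    hooks = {"uid_to_name": lambda uid: "smith", "gid_to_name": lambda gid: "foo"}
    db = {"foo": {"jones", "smith"}}
    with tempfile.NamedTemporaryFile() as f:
        for user in ("smith", "jones", "brown"):
            print(user, check("file-owner", f.name, user, **hooks),
                  check("file-group", f.name, user, db, **hooks),
                  either_matches(f.name, user, db, **hooks))
```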

</div>
</div>
<div id="footer">
<p class="apache">Copyright 1995-2005 The Apache Software Foundation or its licensors, as applicable.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p></div>
</body></html>