<name>mod_authz_owner</name>
<description>Authorization based on file ownership</description>
<identifier>authz_owner_module</identifier>
<compatibility>Available in Apache 2.1 and later</compatibility>

<p>This module authorizes access to files by comparing the userid used
for HTTP authentication (the web userid) with the file-system owner or
group of the requested file. The supplied username and password
must already have been properly verified by an authentication module,
such as <module>mod_auth_basic</module> or
<module>mod_auth_digest</module>. <module>mod_authz_owner</module>
recognizes two arguments for the <directive module="core">Require</directive>
directive, <code>file-owner</code> and <code>file-group</code>, as follows:</p>

<dl>
<dt><code>file-owner</code></dt>
<dd>The supplied web-username must match the system's name for the
owner of the file being requested. That is, if the operating system
says the requested file is owned by <code>jones</code>, then the
username used to access it through the web must be <code>jones</code>.</dd>

<dt><code>file-group</code></dt>
<dd>The name of the system group that owns the file must be present
in a group database, which is provided, for example, by
<module>mod_authz_groupfile</module> or <module>mod_authz_dbm</module>,
and the web-username must be a member of that group. For example, if
the operating system says the requested file is owned by (system)
group <code>accounts</code>, the group <code>accounts</code> must
appear in the group database and the web-username used in the request
must be a member of that group.</dd>
</dl>

<p>If <module>mod_authz_owner</module> is used in order to authorize
a resource that is not actually present in the filesystem
(<em>i.e.</em> a virtual resource), it will deny the access.</p>

<p>In particular, it will never authorize <a>MultiViews</a> resources.</p>

<seealso><directive module="core">Require</directive></seealso>
<seealso><directive module="core">Satisfy</directive></seealso>

<section id="examples"><title>Configuration Examples</title>

<section id="examples:file-owner"><title>Require file-owner</title>

<p>Consider a multi-user system running the Apache Web server, with
each user having his or her own files in a directory of their own.
Assuming that there is a single
<directive module="mod_authn_dbm">AuthDBMUserFile</directive> database
that lists all of their web-usernames, and that these usernames match
the system's usernames that actually own the files on the server, then
the following stanza would allow only the user himself access to his
own files. User <code>jones</code> would not be allowed to access
<code>smith</code>'s files unless they were owned by <code>jones</code>
instead of <code>smith</code>.</p>

<example>
AuthName MyPrivateFiles<br />
AuthBasicProvider dbm<br />
</example>
</section>

<section id="examples:file-group"><title>Require file-group</title>

<p>Consider a system similar to the one described above, but with
some users that share their project files, which are owned by the
system group <code>foo</code>, and there is a single
<directive module="mod_authz_dbm">AuthDBMGroupFile</directive> database that
contains all of the web-usernames and their group membership,
<em>i.e.</em> they must be at least members of a group named
<code>foo</code>. So if <code>jones</code> and <code>smith</code>
are both members of the group <code>foo</code>, then both will be
authorized to access the <code>project-foo</code> directories.</p>

<example>
AuthName "Project Foo Files"<br />
AuthBasicProvider dbm<br />
</example>
</section>
</section>

<directivesynopsis>
<name>AuthzOwnerAuthoritative</name>
<description>Sets whether authorization will be passed on to lower level
modules</description>
<syntax>AuthzOwnerAuthoritative On|Off</syntax>
<default>AuthzOwnerAuthoritative On</default>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>

<usage>
<p>Setting the <directive>AuthzOwnerAuthoritative</directive>
directive explicitly to <code>Off</code> allows
user authorization to be passed on to lower level modules (as defined</p>

<ul>
<li>in the case of <code>file-owner</code> the file-system owner does not
match the supplied web-username or could not be determined, or</li>
<li>in the case of <code>file-group</code> the file-system group does not
contain the supplied web-username or could not be determined.</li>
</ul>

<p>Note that setting the value to <code>Off</code> also allows the
combination of <code>file-owner</code> and <code>file-group</code>, so
access will be allowed if either one or the other (or both) match.</p>

<p>By default, control is not passed on and an authorization failure
will result in an "Authentication Required" reply. Not
setting it to <code>Off</code> thus keeps the system secure and forces
an NCSA compliant behaviour.</p>
</usage>
</directivesynopsis>