mod_authz_owner.xml revision 654734c34540d66c4550b856dd1a278779b34138
<?xml version="1.0"?>
<!DOCTYPE modulesynopsis SYSTEM "/style/modulesynopsis.dtd">
<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
<modulesynopsis>

<name>mod_authz_owner</name>
<description>Authorization based on file ownership</description>
<status>Extension</status>
<sourcefile>mod_authz_owner.c</sourcefile>
<identifier>authz_owner_module</identifier>
<compatibility>Available in Apache 2.1 and later</compatibility>

<summary>
    <p>This module authorizes access to files by comparing the userid used
    for HTTP authentication (the web userid) with the file-system owner or
    group of the requested file. The supplied username and password
    must already have been properly verified by an authentication module,
    such as <module>mod_auth_basic</module> or
    <module>mod_auth_digest</module>. <module>mod_authz_owner</module>
    recognizes two arguments for the <directive module="core"
    >Require</directive> directive, <code>file-owner</code> and
    <code>file-group</code>, as follows:</p>

    <dl>
      <dt><code>file-owner</code></dt>
      <dd>The supplied web-username must match the system's name for the
      owner of the file being requested. That is, if the operating system
      says the requested file is owned by <code>jones</code>, then the
      username used to access it through the web must be <code>jones</code>
      as well.</dd>

      <dt><code>file-group</code></dt>
      <dd>The name of the system group that owns the file must be present
      in a group database, which is provided, for example, by <module
      >mod_authz_groupfile</module> or <module>mod_authz_dbm</module>,
      and the web-username must be a member of that group. For example, if
      the operating system says the requested file is owned by (system)
      group <code>accounts</code>, the group <code>accounts</code> must
      appear in the group database and the web-username used in the request
      must be a member of that group.</dd>
    </dl>

    <note><title>Note</title>
      <p>If <module>mod_authz_owner</module> is used in order to authorize
      a resource that is not actually present in the filesystem
      (<em>i.e.</em> a virtual resource), it will deny the access.</p>

      <p>In particular, it will never authorize <a
      href="/content-negotiation.html#multiviews">content negotiated
      "MultiViews"</a> resources.</p>
    </note>
</summary>
<seealso><directive module="core">Require</directive></seealso>
<seealso><directive module="core">Satisfy</directive></seealso>

<section id="examples"><title>Configuration Examples</title>

    <section id="examples:file-owner"><title>Require file-owner</title>
    <p>Consider a multi-user system running the Apache Web server, with
    each user having his or her own files in <code
    >~/public_html/private</code>. Assuming that there is a single
    <directive module="mod_authn_dbm">AuthDBMUserFile</directive> database
    that lists all of their web-usernames, and that these usernames match
    the system's usernames that actually own the files on the server, then
    the following stanza would allow each user access only to his or her
    own files. User <code>jones</code> would not be allowed to access
    files in <code>/home/smith/public_html/private</code> unless they
    were owned by <code>jones</code> instead of <code>smith</code>.</p>

    <example>
      &lt;Directory /home/*/public_html/private&gt;<br />
      <indent>
        AuthType Basic<br />
        AuthName MyPrivateFiles<br />
        AuthBasicProvider dbm<br />
        AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all<br />
        Satisfy All<br />
        Require file-owner<br />
      </indent>
      &lt;/Directory&gt;
    </example>
    </section>

    <section id="examples:file-group"><title>Require file-group</title>
    <p>Consider a system similar to the one described above, but with
    some users that share their project files in
    <code>~/public_html/project-foo</code>. The files are owned by the
    system group <code>foo</code> and there is a single <directive
    module="mod_authz_dbm">AuthDBMGroupFile</directive> database that
    contains all of the web-usernames and their group membership,
    <em>i.e.</em> they must at least be members of a group named
    <code>foo</code>. So if <code>jones</code> and <code>smith</code>
    are both members of the group <code>foo</code>, then both will be
    authorized to access each other's <code>project-foo</code>
    directories.</p>

    <example>
      &lt;Directory /home/*/public_html/project-foo&gt;<br />
      <indent>
        AuthType Basic<br />
        AuthName "Project Foo Files"<br />
        AuthBasicProvider dbm<br />
        <br />
        # combined user/group database<br />
        AuthDBMUserFile /usr/local/apache2/etc/.htdbm-all<br />
        AuthDBMGroupFile /usr/local/apache2/etc/.htdbm-all<br />
        <br />
        Satisfy All<br />
        Require file-group<br />
      </indent>
      &lt;/Directory&gt;
    </example>
    </section>
</section>

<directivesynopsis>
<name>AuthzOwnerAuthoritative</name>
<description>Sets whether authorization will be passed on to lower level
modules</description>
<syntax>AuthzOwnerAuthoritative On|Off</syntax>
<default>AuthzOwnerAuthoritative On</default>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>

<usage>
    <p>Setting the <directive>AuthzOwnerAuthoritative</directive>
    directive explicitly to <code>Off</code> allows for
    user authorization to be passed on to lower level modules (as defined
    in the <code>modules.c</code> files) if:</p>

    <ul>
      <li>in the case of <code>file-owner</code> the file-system owner does not
      match the supplied web-username or could not be determined, or</li>

      <li>in the case of <code>file-group</code> the file-system group does not
      contain the supplied web-username or could not be determined.</li>
    </ul>

    <p>Note that setting the value to <code>Off</code> also allows the
    combination of <code>file-owner</code> and <code>file-group</code>, so
    access will be allowed if either one or the other (or both) match.</p>

    <p>By default, control is not passed on and an authorization failure
    will result in an "Authentication Required" reply. Not
    setting it to <code>Off</code> thus keeps the system secure and forces
    an NCSA compliant behaviour.</p>
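    <p>The decision rules documented above (the <code>file-owner</code> and
    <code>file-group</code> checks from the summary, the denial of virtual
    resources, and the <directive>AuthzOwnerAuthoritative</directive>
    fall-through) can be traced with the following model. It is an added
    illustration, not code from httpd: <code>FILE_OWNERSHIP</code> is a
    constructed stand-in for the file-system <code>stat()</code> lookup and
    <code>GROUP_DB</code> for the group database that
    <module>mod_authz_groupfile</module> or <module>mod_authz_dbm</module>
    would supply; the paths and usernames are the ones from the
    configuration examples.</p>

```python
# Model of the authorization decisions documented for mod_authz_owner.
# Added illustration, not httpd code: FILE_OWNERSHIP stands in for stat()
# and GROUP_DB for the database mod_authz_groupfile/mod_authz_dbm supplies.

# path -> (system owner, system group); a path missing here is a
# "virtual" resource with no file-system owner (constructed data).
FILE_OWNERSHIP = {
    "/home/smith/public_html/private/notes.txt": ("smith", "smith"),
    "/home/jones/public_html/project-foo/plan.txt": ("jones", "foo"),
    "/home/smith/public_html/ledger.csv": ("smith", "wheel"),
}
# web group database: group name -> web-usernames (constructed data)
GROUP_DB = {"foo": {"jones", "smith"}, "accounts": {"smith"}}

GRANTED, DENIED, DECLINED = "granted", "denied", "declined"


def file_owner_matches(path, web_user):
    """Require file-owner: web-username must equal the file's system owner."""
    info = FILE_OWNERSHIP.get(path)
    return info is not None and info[0] == web_user


def file_group_matches(path, web_user, group_db=GROUP_DB):
    """Require file-group: the owning group must exist in the web group
    database and the web-username must be one of its members."""
    info = FILE_OWNERSHIP.get(path)
    if info is None:                 # virtual resource: never authorized
        return False
    members = group_db.get(info[1])  # owning group must be in the database
    return members is not None and web_user in members


def authorize(requires, path, web_user, authoritative=True):
    """Evaluate Require file-owner / file-group lines in order.
    AuthzOwnerAuthoritative On (default): the first failing check is DENIED
    ("Authentication Required").  Off: a failing check falls through to the
    next Require, so file-owner and file-group combine; if nothing matches
    the request is DECLINED to lower level authorization modules."""
    checks = {
        "file-owner": lambda: file_owner_matches(path, web_user),
        "file-group": lambda: file_group_matches(path, web_user),
    }
    for req in requires:
        if checks[req]():
            return GRANTED
        if authoritative:
            return DENIED
    return DECLINED
```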
</usage>
</directivesynopsis>

</modulesynopsis>
