December 9th, 2007, 01:04
I'm having a slight issue with the userdir, added with WebDAV, and trying to implement the solution I've striving for. The issue isn't getting it to work. It works fine. The problem is that any user authenticated, can go to any user's folder, and add/remove files since the apache user/group is what takes care of Read/Write/Execute permissions. Does anyone know of a way to keep this from happening? Maybe a module that has apache compare the authenticated user against the permissions of the folder and such?

Even if you have another solution with WebDAV, that would be great as well.

December 9th, 2007, 04:29
Well, I answered my own question. I simply set a .htaccess file in each user's folder, requiring only that user.

December 9th, 2007, 15:06
Smart!! I've wondered about that too, when creating a place to sync iCal calendars. Good solution.

December 9th, 2007, 15:55
Well, it's getting quite annoying now. I still can't get the home directories to segregate themselves. I'm starting to wonder if it's the auth module. Here is the setup:

Home Dir

evile@/home/evile> ls -l
total 2
drwxr-x--- 4 www www 512 Dec 9 13:22 data

Site Config

evile@/home/evile> cat /usr/local/etc/apache22/Sites/netsyn
<VirtualHost *>
#SSLEngine On
#SSLCertificateFile /etc/apache2/ssl/apache2.pem

ErrorLog /var/log/apache2/sites/nsdata.err

UserDir data
UserDir disabled root

DAVLockDB /var/DAV/DataLock

<Directory /home/*/data>
AllowOverride AuthConfig
Options MultiViews Indexes

AuthBasicProvider external
AuthExternal pwauth

AuthName "WebDAV Backup"
AuthType Basic


AddExternalAuth pwauth /usr/local/bin/pwauth
SetExternalAuthMethod pwauth pipe

.htaccess in user's dir

evile@/home/vile# cat data/.htaccess
AuthType Basic
AuthName "Evile's Backup"

Require user evile
Require group nsdata
Satisfy all

First off, this IS on FBSD 6.2. Many people that have seen the site conf in it's own file thought it was Debian. Includes work for all OSes. ;)

There are two users, both in the nsdata group. If I access evile's userdir, either user can access the folder, add files, etc. I'm pretty sure I could eliminate this issue by giving each user their own user group, and requiring that group. Of course, I'd much rather have a group, so that they could be removed from the group, and not from the entire system to deny access.

What I don't understand is even with "Satisfy all", apache seems to interpret it as "Satisfy any".

BMW, yes, it's been a great solution for vCalandars. Thunderbird with Lightning has issues, but can't expect less.

December 9th, 2007, 17:20
Well, now it gets even more strange. I decided mess with the .htaccess file a little more:

AuthType Basic
AuthName "Network Synapse Backup"

Require group wheel

This works. The problem is, if the require is "user evile", no one can log in at all. It almost seems as if it can't compare users at all. The error in the site log is "GROUP: evile not in required group(s).". Really weird.

Evile is in the group wheel, but other users are not (root disabled. See above). This does keep anyone else from logging in. So, it looks like the only way to split these home directories is to do via group restrictions.

At the last second, I decided to try one more thing.

AuthType Basic
AuthName "Network Synapse Backup"

Require group nsdata

<Limit GET POST>
Require user evile

You would think this would do something. It did, but something very unexpected. What we did here was limit anyone from even viewing the index, unless they were the user "evile". Well, logging in as the 2nd user, I was able to GET and POST.

December 9th, 2007, 17:53
Well, I guess this will have to do. I might eventually move to a full-blown database solution (which I probably should), but I'm pretty disappointed that I couldn't get it to auth against the username.

So, in conclusion, each user has their own group as their primary group in which they authenticate against, and then 'nsdata' as a secondary group for file quotas.