Kernel_Killer
December 9th, 2007, 01:04
I'm having a slight issue with the userdir, added with WebDAV, and trying to implement the solution I've striving for. The issue isn't getting it to work. It works fine. The problem is that any user authenticated, can go to any user's folder, and add/remove files since the apache user/group is what takes care of Read/Write/Execute permissions. Does anyone know of a way to keep this from happening? Maybe a module that has apache compare the authenticated user against the permissions of the folder and such?
Even if you have another solution with WebDAV, that would be great as well.
Kernel_Killer
December 9th, 2007, 04:29
Well, I answered my own question. I simply set a .htaccess file in each user's folder, requiring only that user.
bmw
December 9th, 2007, 15:06
Smart!! I've wondered about that too, when creating a place to sync iCal calendars. Good solution.
Kernel_Killer
December 9th, 2007, 15:55
Well, it's getting quite annoying now. I still can't get the home directories to segregate themselves. I'm starting to wonder if it's the auth module. Here is the setup:
Home Dir
evile@/home/evile> ls -l
total 2
drwxr-x--- 4 www www 512 Dec 9 13:22 data
Site Config
evile@/home/evile> cat /usr/local/etc/apache22/Sites/netsyn
<VirtualHost *>
#SSLEngine On
#SSLCertificateFile /etc/apache2/ssl/apache2.pem
ServerName nsdata.networksynapse.net
ErrorLog /var/log/apache2/sites/nsdata.err
UserDir data
UserDir disabled root
DAVLockDB /var/DAV/DataLock
<Directory /home/*/data>
AllowOverride AuthConfig
Options MultiViews Indexes
AuthBasicProvider external
AuthExternal pwauth
AuthName "WebDAV Backup"
AuthType Basic
</Directory>
AddExternalAuth pwauth /usr/local/bin/pwauth
SetExternalAuthMethod pwauth pipe
</VirtualHost>
.htaccess in user's dir
evile@/home/vile# cat data/.htaccess
AuthType Basic
AuthName "Evile's Backup"
Require user evile
Require group nsdata
Satisfy all
First off, this IS on FBSD 6.2. Many people that have seen the site conf in it's own file thought it was Debian. Includes work for all OSes. ;)
There are two users, both in the nsdata group. If I access evile's userdir, either user can access the folder, add files, etc. I'm pretty sure I could eliminate this issue by giving each user their own user group, and requiring that group. Of course, I'd much rather have a group, so that they could be removed from the group, and not from the entire system to deny access.
What I don't understand is even with "Satisfy all", apache seems to interpret it as "Satisfy any".
BMW, yes, it's been a great solution for vCalandars. Thunderbird with Lightning has issues, but can't expect less.
Kernel_Killer
December 9th, 2007, 17:20
Well, now it gets even more strange. I decided mess with the .htaccess file a little more:
AuthType Basic
AuthName "Network Synapse Backup"
Require group wheel
This works. The problem is, if the require is "user evile", no one can log in at all. It almost seems as if it can't compare users at all. The error in the site log is "GROUP: evile not in required group(s).". Really weird.
Evile is in the group wheel, but other users are not (root disabled. See above). This does keep anyone else from logging in. So, it looks like the only way to split these home directories is to do via group restrictions.
At the last second, I decided to try one more thing.
AuthType Basic
AuthName "Network Synapse Backup"
Require group nsdata
<Limit GET POST>
Require user evile
</Limit>
You would think this would do something. It did, but something very unexpected. What we did here was limit anyone from even viewing the index, unless they were the user "evile". Well, logging in as the 2nd user, I was able to GET and POST.
Kernel_Killer
December 9th, 2007, 17:53
Well, I guess this will have to do. I might eventually move to a full-blown database solution (which I probably should), but I'm pretty disappointed that I couldn't get it to auth against the username.
So, in conclusion, each user has their own group as their primary group in which they authenticate against, and then 'nsdata' as a secondary group for file quotas.