Bug 48808

Summary: mod_authz_owner support for POSIX access control lists
Product: Apache httpd-2 Reporter: Sven Ulland <sveniu>
Component: mod_authz_ownerAssignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: enhancement    
Priority: P2    
Version: 2.5-HEAD   
Target Milestone: ---   
Hardware: PC   
OS: Linux   

Description Sven Ulland 2010-02-24 12:21:51 UTC
This is an enhancement request for the mod_authz_owner module to support
posix acls, enabling fine-grained, filesystem-based authorization.
Currently it only respects the primary owner and group of files.

Many Unix-like systems support posix acls, including Linux, BSD and
Solaris. OSX and Windows have similar features, but these might be more
difficult and/or less useful to interface with. Linux would be the
preferred platform for a pilot implementation.

From my perspective, the primary usecase is a file download system, where
Apache provides the HTTP access method in parallel with others, such as
shell/ ssh/scp and Samba for CIFS/SMB, to access the same set of files.
Authentication is based on LDAP (both in Apache, Samba and nsswitch).
Currently, access control happens in three places: 1) Apache .htaccess
and/or Directory/Location directives in the config, 2) Samba's additional
user/group directives in smb.conf, and 3) file/dir ownership. Keeping
the access control purely in the filesystem (with POSIX ACLs) would avoid
the fragmentation and difficulty of maintenance, as long as the access-
providing applications (Apache, Samba, etc) support it.