|Summary:|mod_authz_owner support for POSIX access control lists|
|Product:|Apache httpd-2|
|Reporter:|Sven Ulland <sveniu>|
|Component:|mod_authz_owner|
|Assignee:|Apache HTTPD Bugs Mailing List <bugs>|
Description Sven Ulland 2010-02-24 12:21:51 UTC
This is an enhancement request for the mod_authz_owner module to support POSIX ACLs, enabling fine-grained, filesystem-based authorization. Currently it only respects the primary owner and group of files. Many Unix-like systems support POSIX ACLs, including Linux, BSD and Solaris. OSX and Windows have similar features, but these might be more difficult and/or less useful to interface with. Linux would be the preferred platform for a pilot implementation.

From my perspective, the primary use case is a file download system, where Apache provides the HTTP access method in parallel with others, such as shell/ssh/scp and Samba for CIFS/SMB, to access the same set of files. Authentication is based on LDAP (in Apache, Samba and nsswitch alike). Currently, access control happens in three places: 1) Apache .htaccess and/or Directory/Location directives in the config, 2) Samba's additional user/group directives in smb.conf, and 3) file/dir ownership. Keeping the access control purely in the filesystem (with POSIX ACLs) would avoid the fragmentation and difficulty of maintenance, as long as the access-providing applications (Apache, Samba, etc.) support it.