Kenneth Lussier wrote:
>
> Ken Coar should be able to correct me if I'm wrong. I also
> *HIGHLY* recommend reading his books!

:-D

Paul Lussier wrote:
>
> No, that's not what I'm talking about. The 'Options FollowSymLinks'
> does allow me to follow the symlink, but only if the directory
> permissions are at least r-x for world! Because this directory
> is NFS mounted all over the network, I have the permissions set
> to 770. Accessing this directory from Netscape does not allow for
> Unix permission checking, especially since the httpd server is
> running as user 'nobody' and not in the correct group!

Well, it's the server user that's doing the accessing, so
that'll never work. Can you use 750, and either a different
user for User (one that's a member of that group) or else
the owning group for Group? Then standard auth/auth checking
will work, since the server can see into the directory in order
to read .htaccess files.

> I need some way of verifying that the enduser is authorized to
> see the directory at the Unix permissions level for groups.

If by 'enduser' you mean the person running the browser,
no can do, I'm afraid. Those credentials aren't available
to the server.

Perhaps I'm misunderstanding what you want. I *think* your
problem is something like this:

You have files in a directory that's NFS mounted all over
the network. (Presumably the UIDs and GIDs are shared as
well, through NIS or something, yes?) The permissions on
the directory prevent anyone except those in the appropriate
group from accessing the directory through NFS.

So far so good?

Now you want to publish the contents of the directory through
Apache, but only to people who are still in that same group.

Correct?

If that's your scenario, I don't see a simple answer, that
would painlessly lock out one set and painlessly allow the other.
You *might* be able to do something by putting the server user
into the correct group, and using AuthUserFile and AuthGroupFile
directives that point to your real /etc/passwd and /etc/group
equivalents (shudder!) and a "Require group soandso". But
they'd still have to 'log in' through a Web challenge dialogue,
and all the disadvantages of using your real authdb apply.

Of course, if I've demonstrated I have no clew about what you're
trying to do, let me know.. :-)

--
#ken P-)}
Ken Coar <http://Golux.Com/coar/>
Apache Software Foundation <http://www.apache.org/>
"Apache Server for Dummies" <http://Apache-Server.Com/>
Come to the first official Apache Software Foundation
Conference! <http://ApacheCon.Com/>
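
Added example, not part of the original message: a Python sketch of the owner/group/other check that decides whether the httpd User/Group can see into a directory, showing why mode 770 locks out a server user outside the group while 750 with the owning group lets it in. The function names, the `base` parameter and the sample uid/gid values are assumptions made for illustration.

```python
import os
import stat
import tempfile

def triplet(st, uid, gids):
    """rwx bits (0-7) that apply to this identity: owner, else group, else other."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_blocker(path, uid, gids, base="/"):
    """Check each directory from just below `base` down to `path`.

    Ancestors need x (search); `path` itself needs r-x so the server can
    list it and read .htaccess. Symlinks are resolved first, because with
    FollowSymLinks it is the target's permissions that count.
    Assumes `path` lies under `base`; root's permission bypass is not modelled.
    Returns (directory, "rwx"-style string) for the first failure, else None.
    """
    path, base = os.path.realpath(path), os.path.realpath(base)
    rel = os.path.relpath(path, base)
    parts = [] if rel == "." else rel.split(os.sep)
    current = base
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        bits = triplet(os.stat(current), uid, gids)
        need = 5 if i == len(parts) - 1 else 1
        if bits & need != need:
            shown = "".join(c if bits & m else "-" for c, m in zip("rwx", (4, 2, 1)))
            return current, shown
    return None

if __name__ == "__main__":
    # Constructed sample: a scratch directory standing in for the NFS share.
    base = tempfile.mkdtemp()
    share = os.path.join(base, "share")
    os.mkdir(share)
    st = os.stat(share)
    server_uid = st.st_uid + 1          # stand-in for a non-owner such as 'nobody'
    os.chmod(share, 0o770)
    print("770, server outside group:", first_blocker(share, server_uid, {st.st_gid + 1}, base))
    os.chmod(share, 0o750)
    print("750, Group = owning group:", first_blocker(share, server_uid, {st.st_gid}, base))
```

Run against a real path with the uid and group ids of the configured User and Group, it names the first directory component that would stop the server.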