Hi Nick, > > We would like to have an autoindex-like file serving functionality of > > apache web server that avoids usage of .htaccess file, but uses > > filesystem's ACLs instead. Moreover we don't want to require wwwrun > > to be allowed in every file/dir ACLs. > > > > For authentication we'd use e.g. mod_auth_external + pwauth. > > Please read up on why that's a huge security hole (I think it's > described somewhere in apache's own documentation).
Sorry, could you point there please? (I've already spent 4 hours for google and grep on trunk, asked expert people here but couldn't find anything.) Do you mean the hole is in the auth way (we can use mod_auth_pam instead), or in using fs ACLs instead of .htaccess? Thank you in advance. > > > a newly written tool > > which _becomes_ the authenticated user and lists directory content. > > That's what suexec (and its many cousins) are for. Thanks, however I wanted my question to be applied to fs ACL usage solution existence, not to becoming a user. Sorry for the misunderstanding. BTW. this feature already exists for OpenAFS, but there permission is linked with a PAG, not with a local user. Peter
