
Apache2 setup with mod_userdir and mod_authnz_external and pwauth, so that each user can access their home and can be authenticated by their local UNIX credentials.

Now I need some kind of authorization so that each user can, after being authenticated, only access their own home directory, but not those of other users.

The caveat: in my setup, a user is not necessarily the owner of their home directory, so mod_authz_owner won't work here.

Another problem: %{REMOTE_USER} variable set by Apache is not usable inside <If > directives (or other directives that might help here), because the authentication is done late during request processing.

How can I achieve my goal with Apache2? Is there e.g. the possibility to extract the user home directory name from %{REQUEST_URI} and pass it to a Require user ... directive? I have not been able to find out how to do this, so any help would be appreciated.

  • FYI: I have resorted to using nginx instead of Apache now. With that, it is very easily done using something like alias /home/$remote_user/;. Still, would be interesting if this was possible with Apache as well. Commented Aug 5, 2021 at 12:14
  • I believe your question was already answered here Commented Aug 5, 2021 at 14:54
  • djdomi: not exactly. It only shows how to use mod_authnz_external, which never was the issue here. It does not show how to make each logged in user see only his own home directory. Commented Aug 9, 2021 at 5:59

1 Answer


You'd need to write your own authenticator script. You should be able to do it pretty easily without writing much code.

Apache passes the URI being requested to the authenticator script via an environment variable, so you'd need to call pwauth from your script to validate the username/password combination, and then compare the given username to the URI to make sure the username whose password you just validated is in the URI being requested.

Here's the documentation, which was very helpful when I wrote an authenticator for myself. https://github.com/phokz/mod-auth-external/blob/master/mod_authnz_external/AUTHENTICATORS

Working authenticator implementation in PHP:

```php
#!/usr/bin/php
<?php
// Get the user name
$user = trim(fgets(STDIN));
// Get the password
$pass = trim(fgets(STDIN));

// Call pwauth to validate user and password combination
$handle = popen('/usr/sbin/pwauth', 'w');
fwrite($handle, $user."\n".$pass."\n");
if (pclose($handle) === 0) {
    // Password is valid for user
    // Check if the URI belongs to the user
    $uri = getenv('URI');
    // Quote the user name so characters such as "." are matched literally
    $quoted = preg_quote($user, '#');
    if (preg_match('#^/~'.$quoted.'/#', $uri) || preg_match('#^/~'.$quoted.'$#', $uri)) {
        exit(0); // User matches requested URI
    }
    else exit(1); // User does not match requested URI
}
exit(1); // Password is not valid for user
```
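The same check as an added Python example (not the answerer's code and not part of mod_authnz_external): the user name is compared to the URI as a literal string rather than through a regular expression, and the script rejects the request when pwauth cannot be run. The function names are hypothetical; the pwauth path and the `URI` variable are the ones used in the script above.

```python
#!/usr/bin/env python3
# Added example: pipe-method authenticator that also checks the URI owner.
import os
import subprocess
import sys

# pwauth path as used in the script above; a list so tests can swap in a stub.
PWAUTH_CMD = ["/usr/sbin/pwauth"]


def uri_owned_by(user, uri):
    """True only if uri is /~user or lies below /~user/ (literal comparison)."""
    if not user or "/" in user:
        return False
    base = "/~" + user
    return uri == base or uri.startswith(base + "/")


def password_ok(user, password, cmd=PWAUTH_CMD):
    """Write user and password to pwauth's stdin; exit status 0 means valid."""
    try:
        proc = subprocess.run(cmd, input=f"{user}\n{password}\n".encode(),
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=30)
    except (OSError, subprocess.TimeoutExpired):
        return False  # fail closed if pwauth is missing or hangs
    return proc.returncode == 0


def authenticate(stdin, environ, cmd=PWAUTH_CMD):
    """Return the process exit status: 0 accepts the request, 1 rejects it."""
    user = stdin.readline().rstrip("\n")
    password = stdin.readline().rstrip("\n")
    if not password_ok(user, password, cmd):
        return 1
    # URI is set by mod_authnz_external; a missing value never matches.
    return 0 if uri_owned_by(user, environ.get("URI", "")) else 1


if __name__ == "__main__":
    sys.exit(authenticate(sys.stdin, os.environ))
```

It reads the credentials from standard input the same way the PHP script does, so it can be registered in place of that script.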
