httpd-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject [users@httpd] <Limit> and Satisfy in <Location> for mod_dav
Date Mon, 16 Sep 2013 18:40:37 GMT
All,

I'm having trouble getting <Limit> and Satisfy to work within a <Location>.

I'm using Apache httpd 2.2.22 on Debian Wheezy.

Now, "Satisfy" is not documented to work under <Location> elements, but
also <Limit> is not documented to work under <Location>, and seems to
work without a problem. I was wondering if it's just an accident that
<Limit> works under <Location>, but that Satisfy can't, or the
documentation is inaccurate, or if I simply can't do what I want to do.

I am trying to protect a part of my filesystem that is accessible via
WebDAV. I'm using mod_dav along with mod_auth_ldap and I'd like to be
able to do this:

<Directory /path/to/dav/some/subdir>
  <Limit HEAD GET OPTIONS PROPFIND>
    Satisfy Any
    Require ldap-group cn=some-read-only-group
    Require ldap-group cn=some-read-only-other-group
  </Limit>
  <LimitExcept HEAD GET OPTIONS PROPFIND>
    Satisfy Any
    Require ldap-group cn=some-read-write-group
  </LimitExcept>
</Directory>


The closest thing I'm able to get working is this:

<Location "/dav/Clinical/grants">
  <Limit HEAD GET OPTIONS PROPFIND>
    Require ldap-group cn=some-read-only-group
  </Limit>
  <LimitExcept HEAD GET OPTIONS PROPFIND>
    Require ldap-group cn=some-read-write-group
  </LimitExcept>
</Location>

It looks like I have to use <Location> instead of <Directory> because
<Directory> does not protect directories being handled by mod_dav. Can
someone confirm that?

Whenever I use "Satisfy Any" anywhere, it appears to apply to a
much wider set of files than is specified in <Limit> or <Location>.

Is there a way to do complicated permissions along with WebDAV?

I'd appreciate any suggestions anyone might have.

While I'm at it, I'd like to know whether path-ordering in httpd.conf
will have any bearing on how the permissions are applied. Ideally, I'd
like to be able to set permissions on a top-level directory, then
override those permissions on a sub-directory -- not necessarily either
widening or narrowing the permissions... I might want to do a little of
both.

-chris

