Ca va couper !
Si seulement ce n'était qu'une blague...
La loi HADOPI, prise de position par l'UFC Que Choisir
Posted in: Computers , jeudi 30 octobre 2008
Apache2 webdav Userdir based file server preventing authenticated user to access other's directories
Today I've setted up a server which purpose is to give its users access to their personal files using WebDav. Unfortunately, as soon as a user is authenticated, the server gives him the right to access any other user's file. This can't be prevented the right way without patching. Let's do it the wrong way ;-)
For this to work, I've used mod_rewrite. The trick consists in always rewritting the requested URI, to make it point to the remotely connected user's directory, using the REMOTE_USER variable. One cannot simply compare the value of that variable with the URI, the RewriteRule and RewriteCond simply can't support such a comparison.
To prevent Apache from applying that rule recursively, I've used to [NS] flag. However, this flag is not effective into the <directory> tags. Thus, this rule needs to be applyed to the whole vhost. The consequence is that the user still believes he is browsing another user's directory, although he really is browsing his.
I anyone has a better solution :
UserDir disabled root
UserDir /home/*/
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} !^$
RewriteRule /[^/]*/(.*) /~%{LA-U:REMOTE_USER}/$1 [NS]
Olivier’s Blog
Administration is pain. At first it's fun, then it becomes really boring, and you look for a way to get rid of this pain. I've became bored of Wordpress because my theme could not be easily ported to the newer version which I had to install. So here I come to blogger, integrated to my brand new domain name, coupelon.net.
Enjoy !
Posted in: news , mercredi 22 octobre 2008
Inscription à :
Messages (Atom)
