mod_verify 1.4 review
mod_verify is an ownership and permission verification module for Apache 1.3.
This module is intended to verify ownership and permissions of directories and files within a web site's hierarchy without having to use setuid() and setgid(), i.e. no root privileges needed.
For this module to operate without setuid(), setgid() and root privileges, the web server needs sufficient permissions to access the requested document: the document must be world readable, or group readable where the web server is a member of the document's group. Note that in the latter case, the web server is limited to being a member of NGROUPS_MAX groups.
If the web server doesn't have sufficient rights to access a document, then you will get a 403 Forbidden error.
Once the web server can read the requested document, the module runs through the following heuristic to judge whether the request can be completed or not:
The containing directory of the requested document is determined as specified by the Verify directive below.
If the directory is world writable, then if VerifyTest dir_not_o_w is set true (default false), then the request fails; otherwise it succeeds.
If VerifyTest req_not_o_w is true (default true) and the requested document is world writable, then the request fails.
If VerifyTest dir_not_g_w is true (default false) and the directory is group writable, then the request fails.
If VerifyTest req_not_g_w is true (default false) and the requested document is group writable, then the request fails.
If VerifyTest one_hard_link is true (default true) and the requested file is hard linked more than once, the request fails.
If VerifyTest symlink_owner is true (default true) and the requested document is a symbolic link and the user or group ids of the link are not the same as the linked file, then the request fails.
If VerifyTest same_group is true (default true) and the requested document is a file and its group is not the same as the directory, then the request fails.
If VerifyTest setuid_root is true (default true) and the requested document is setuid to root, then the request succeeds.
If VerifyTest same_member is true (default true) and the requested document is not owned by a member of the directory's group then the request fails.
Otherwise the request succeeds.
When a request fails you will see a 412 Precondition Failed error.
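The heuristic above as a stand-alone audit function, added here as an example; it is not mod_verify's own code. Assumptions: the containing directory is the document's immediate parent (the Verify directive is not described on this page), "hard linked more than once" is read as a link count above 1, and "member" means primary or supplementary group membership. The names `verify`, `owner_in_group` and `DEFAULTS` are chosen for this example.

```python
import grp
import os
import pwd
import stat

# Default value of each VerifyTest, as listed on the page.
DEFAULTS = {"dir_not_o_w": False, "req_not_o_w": True, "dir_not_g_w": False,
            "req_not_g_w": False, "one_hard_link": True, "symlink_owner": True,
            "same_group": True, "setuid_root": True, "same_member": True}


def owner_in_group(uid, gid):
    """Assumed meaning of 'member': gid is uid's primary or supplementary group."""
    try:
        pw = pwd.getpwuid(uid)
        return pw.pw_gid == gid or pw.pw_name in grp.getgrgid(gid).gr_mem
    except KeyError:  # uid or gid has no passwd/group entry
        return False


def verify(path, tests=None, is_member=owner_in_group):
    """Return (allowed, deciding_test), applying the tests in the page's order."""
    t = {**DEFAULTS, **(tests or {})}
    link = os.lstat(path)  # the symlink itself when path is a symlink
    req = os.stat(path)    # the document the request resolves to
    # Assumption: the containing directory is the immediate parent.
    d = os.stat(os.path.dirname(os.path.abspath(path)))
    if d.st_mode & stat.S_IWOTH:  # a world-writable directory decides either way
        return (not t["dir_not_o_w"], "dir_not_o_w")
    if t["req_not_o_w"] and req.st_mode & stat.S_IWOTH:
        return (False, "req_not_o_w")
    if t["dir_not_g_w"] and d.st_mode & stat.S_IWGRP:
        return (False, "dir_not_g_w")
    if t["req_not_g_w"] and req.st_mode & stat.S_IWGRP:
        return (False, "req_not_g_w")
    # Assumption: "hard linked more than once" means st_nlink > 1 on a file.
    if t["one_hard_link"] and stat.S_ISREG(req.st_mode) and req.st_nlink > 1:
        return (False, "one_hard_link")
    if t["symlink_owner"] and stat.S_ISLNK(link.st_mode) and (
            (link.st_uid, link.st_gid) != (req.st_uid, req.st_gid)):
        return (False, "symlink_owner")
    if t["same_group"] and stat.S_ISREG(req.st_mode) and req.st_gid != d.st_gid:
        return (False, "same_group")
    if t["setuid_root"] and req.st_mode & stat.S_ISUID and req.st_uid == 0:
        return (True, "setuid_root")  # the page lists this case as a success
    if t["same_member"] and not is_member(req.st_uid, d.st_gid):
        return (False, "same_member")
    return (True, "default")
```

With the default settings, a world-writable containing directory returns success before any of the per-document tests run, so `dir_not_o_w` is the first value to review when auditing a configuration.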
Requirements:
Apache 1.3.x