Is it possible to set fine-grained permissions using either Apache or nginx? Given a large number of files and a large number of users, what's a good way to specify that each authenticated user only has access to his/her own files?

user_a can access file_a_1, file_a_2
user_b can access file_b_1
user_c can access file_c_1, file_c2, file_c3, file_a_2

These are static, read-only files (for the most part). Imagine file-system-like access control but with HTTP. No WebDAV; this is part of a web app; the images will display as part of the user's page in a browser. I want to make sure nobody else can see the image even if they can find the URL for it.

A: 

Not entirely sure what you're looking to do. Do these users need write permissions, or are the files read-only? Are these static files?

Don Werve
Updated the question with clarification.
Parand
+1  A: 

Ugh. Short of writing your own authentication handler, I doubt there is an easy way of accomplishing this, at least with Apache.

If lighttpd were an option, I would probably implement the security check in a PHP script and, if everything checks out, add an X-LIGHTTPD-send-file header to the response. This means that lighty will do all the file transfer without it going through PHP.

(A quick googling revealed that Apache should support something like this with X-sendfile, but I was unable to get anything about this from the Apache documentation.)

edit: Apparently you can do a similar thing with Apache and mod proxy scgi.

andri
andri, thanks, this seems like a good path. I remember reading something similar for nginx; I believe you can run a script and based on the result serve a file. Let me dig into that a bit.
Parand
A: 

I realize I'm necroposting here, but just for future googlers,

Here's the analogous nginx option for andri's solution:

http://blog.kovyrin.net/2006/11/01/nginx-x-accel-redirect-php-rails/

http://wiki.nginx.org/NginxXSendfile

...and the same thing for Apache, apparently:

http://tn123.ath.cx/mod_xsendfile/

Burke
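
The pattern the answers above converge on (the application makes the access decision, then hands the file transfer to the web server), sketched for nginx's X-Accel-Redirect as an added example that is not part of the original thread. The ACL mirrors the question's sample mapping; the `/files/` and `/protected/` prefixes, the `/srv/private/` directory and `REMOTE_USER` as the source of the authenticated user are assumptions.

```python
# Added example, not code from the thread. Paths and REMOTE_USER are assumptions.
#
# Matching nginx location (the "internal" directive makes it unreachable by
# direct client requests, only via X-Accel-Redirect from the backend):
#
#   location /protected/ {
#       internal;
#       alias /srv/private/;
#   }

ACL = {
    "user_a": {"file_a_1", "file_a_2"},
    "user_b": {"file_b_1"},
    "user_c": {"file_c_1", "file_c2", "file_c3", "file_a_2"},
}

PUBLIC_PREFIX = "/files/"
INTERNAL_PREFIX = "/protected/"


def internal_uri(user, path):
    """Return the nginx-internal URI if `user` may read `path`, else None."""
    if not user or not path.startswith(PUBLIC_PREFIX):
        return None
    name = path[len(PUBLIC_PREFIX):]
    # Exact-match lookup against the user's allowlist: names containing "/" or
    # ".." can never match, so the client cannot steer the redirect elsewhere.
    if name not in ACL.get(user, set()):
        return None
    return INTERNAL_PREFIX + name


def app(environ, start_response):
    """WSGI entry point: authorize, then hand the transfer to nginx."""
    uri = internal_uri(environ.get("REMOTE_USER"), environ.get("PATH_INFO", ""))
    if uri is None:
        # 404 rather than 403 so a guessed URL does not confirm the file exists.
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found\n"]
    # Empty body: nginx replaces it with the file behind the internal location.
    start_response("200 OK", [("X-Accel-Redirect", uri)])
    return [b""]
```

The check only protects the files if the directory behind the internal location is not also reachable through another, public location in the server configuration.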