diff -Nur smeserver-phpvirtualbox-4.3.0-old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35-group-auth smeserver-phpvirtualbox-4.3.0/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35-group-auth
--- smeserver-phpvirtualbox-4.3.0-old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35-group-auth 1970-01-01 01:00:00.000000000 +0100
+++ smeserver-phpvirtualbox-4.3.0/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35-group-auth 2013-10-23 21:31:24.000000000 +0200
@@ -0,0 +1,5 @@
+{
+ $OUT .= " AddExternalGroup ugroup /usr/lib/httpd/modules/unixgroup\n";
+ $OUT .= " SetExternalGroupMethod ugroup environment\n";
+}
+
diff -Nur smeserver-phpvirtualbox-4.3.0-old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/92phpvirtualhost smeserver-phpvirtualbox-4.3.0/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/92phpvirtualhost
--- smeserver-phpvirtualbox-4.3.0-old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/92phpvirtualhost 2013-10-23 21:23:18.000000000 +0200
+++ smeserver-phpvirtualbox-4.3.0/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/92phpvirtualhost 2013-10-23 21:36:05.000000000 +0200
@@ -4,51 +4,9 @@ unless $status eq 'enabled'; $OUT = ""; - my $allow = 'all'; - my $pass = '0'; - my $satisfy = 'all'; - my $name = $phpvirtualbox{'Name'} || 'phpvirtualbox'; + my $satisfy = 'all'; + my $name = $phpvirtualbox{'Name'} || 'phpvirtualbox'; - for ('exit-if-none') - { - if ($phpvirtualbox{'PublicAccess'}) - { - if ($phpvirtualbox{'PublicAccess'} eq 'none') - { - next; - } - elsif ($phpvirtualbox{'PublicAccess'} eq 'local') - { - $allow = $localAccess; - $pass = 0; - $satisfy = 'all'; - } - elsif ($phpvirtualbox{'PublicAccess'} eq 'local-pw') - { - $allow = $localAccess; - $pass = 1; - $satisfy = 'all'; - } - elsif ($phpvirtualbox{'PublicAccess'} eq 'global') - { - $allow = 'all'; - $pass = 0; - $satisfy = 'all'; - } - elsif ($phpvirtualbox{'PublicAccess'} eq 'global-pw') - { - $allow = 'all'; - $pass = 1; - $satisfy = 'all'; - } - elsif ($phpvirtualbox{'PublicAccess'} eq 'global-pw-remote') - { - $allow = $localAccess; - $pass = 1; - $satisfy = 'any'; - } - } - $OUT .= "#------------------------------------------------------------\n"; $OUT .= "# phpvirtualbox - $name\n"; $OUT .= "#------------------------------------------------------------\n"; 
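Review bot: With the `PublicAccess` branch removed, a stored value of `none` no longer suppresses this fragment's output: the old `next` inside `for ('exit-if-none')` appears to have skipped the Alias and Directory lines, and nothing on the new side replaces it. A host that was configured with `PublicAccess none` would therefore get the alias published to `$localAccess` behind the password prompt after the upgrade. If the property is still meant to be honoured, the bare `{` that the next hunk puts in place of the loop could become `unless (($phpvirtualbox{'PublicAccess'} || '') eq 'none') {`; if it is retired on purpose, a comment here saying so would save the next reader the search. `$satisfy` is now never reassigned in the visible lines, so the literal `Satisfy all` would read more plainly. The block opened here closes in the following hunk.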
@@ -57,27 +15,30 @@ if ((exists $phpvirtualbox{'URL'}) && ($phpvirtualbox{'URL'} ne '')) { $OUT .= "Alias /$phpvirtualbox{'URL'} /opt/phpvirtualbox\n"; } } - + { $OUT .= "Alias /phpvirtualbox /opt/phpvirtualbox\n"; $OUT .= "\n"; $OUT .= "\n"; + $OUT .= " SSLRequireSSL\n"; $OUT .= " order deny,allow\n"; $OUT .= " deny from all\n"; - $OUT .= " allow from $allow\n"; + $OUT .= " allow from $localAccess\n"; $OUT .= " php_admin_value upload_tmp_dir /tmp\n"; - if ($pass) - { $OUT .= " AuthName \"$name\"\n"; $OUT .= " AuthType Basic\n"; $OUT .= " AuthExternal pwauth\n"; - $OUT .= " require valid-user\n"; + $OUT .= " GroupExternal ugroup\n"; + $OUT .= " AuthzUserAuthoritative off\n"; + $OUT .= " require user $phpvirtualbox{'User'}\n"; + $OUT .= " require group $phpvirtualbox{'Group'}\n"; $OUT .= " Satisfy $satisfy\n"; - } + $OUT .= " AddType application/x-httpd-php .php\n"; $OUT .= " php_admin_value open_basedir /opt/phpvirtualbox\n"; $OUT .= " php_admin_value eaccelerator.enable 1\n"; $OUT .= "\n"; } } + diff -Nur smeserver-phpvirtualbox-4.3.0-old/root/usr/lib/httpd/modules/unixgroup smeserver-phpvirtualbox-4.3.0/root/usr/lib/httpd/modules/unixgroup --- smeserver-phpvirtualbox-4.3.0-old/root/usr/lib/httpd/modules/unixgroup 1970-01-01 01:00:00.000000000 +0100 +++ smeserver-phpvirtualbox-4.3.0/root/usr/lib/httpd/modules/unixgroup 2013-10-23 21:33:29.000000000 +0200 
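Review bot: The new `require user` and `require group` lines interpolate `$phpvirtualbox{'User'}` and `$phpvirtualbox{'Group'}` into httpd.conf without checking that either property is set or well-formed. Where they were never configured the template emits bare `require user` / `require group` lines and leaves the outcome to the authz modules, and a value containing a newline would add directives of its own. Validate both against a conservative name pattern and, when neither is usable, leave `deny from all` as the only host rule, because simply omitting the `require` lines would, as far as I know, stop Apache 2.2 from asking for a password at all. Two `require` lines are alternatives, so the named user or any member of the group is admitted; a comment saying that is intended would help. The enclosing block starts above the hunk.
```perl
my $names = qr/\A[\w.-]+(?: [\w.-]+)*\z/;
my $user  = $phpvirtualbox{'User'}  || '';
my $group = $phpvirtualbox{'Group'} || '';
# … unchanged: Alias lines, SSLRequireSSL, order deny,allow / deny from all …
# With neither principal usable, "deny from all" stays the only host rule.
$OUT .= " allow from $localAccess\n" if $user =~ $names || $group =~ $names;
# … unchanged: AuthName / AuthType / AuthExternal / GroupExternal / AuthzUserAuthoritative …
# Either line is sufficient on its own: the named user OR a member of the group.
$OUT .= " require user $user\n" if $user =~ $names;
$OUT .= " require group $group\n" if $group =~ $names;
```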
@@ -0,0 +1,69 @@
+#!/usr/bin/perl
+#
+# This is a group authenticator for use with mod_auth_external using the
+# "environment" argument passing method. If you are using mod_authnz_external,
+# then a much better choice is to use mod_authz_unixgroup for group checking.
+# It checks if the Unix user ID passed in the USER environment variable is in
+# any of Unix groups (names or numbers) listed in the GROUP environment
+# variable. It returns
+# 0 - if the user is in one of the groups
+# 1 - if the user is not in any of the groups
+# 2 - if the user does not exist.
+#
+# This isn't a very efficient way to do group checking. I hope to find time
+# to do something better someday.
+#
+# Typical Usage:
+# In httpd.conf declare an pwauth authenticator and a unixgroup authenticator:
+#
+# AddExternalAuth pwauth /path/to/pwauth
+# SetExternalAuthMethod pwauth pipe
+# AddExternalGroup unixgroup /path/to/unixgroup
+# SetExternalGroupMethod unixgroup environment
+#
+# In .htaccess file do something like
+#
+# AuthType Basic
+# AuthName SystemName
+# AuthExternal pwauth
+# GroupExternal unixgroup
+# require group customers admins staff
+#
+# Here "SystemName" is a string that will be included in the pop-up login
+# box, all Unix groupnames which are to be allowed to login are listed on the
+# "require group" command. If you are using this with mod_authnz_external,
+# you'll need to add the directive "AuthBasicProvider external", but if you are
+# using mod_authnz_external, you should be using mod_authz_unixgroup instead
+# of this.
+
+# Get primary GID number for the user
+$user= $ENV{USER};
+$gid= (getpwnam($user))[3];
+exit 2 if !defined $gid; # user does not exist - Reject
+
+# Loop through groups
+foreach $group (split ' ', $ENV{GROUP})
+{
+ if ($group =~ /^\d+$/)
+ {
+ # Group given as GID number
+ exit 0 if ($group == $gid);
+ # Get list of members
+ $members= (getgrgid($group))[3];
+ }
+ else
+ {
+ # Group given by name
+ ($gname, $x, $ggid, $members)= getgrnam($group);
+ next if !$gname; # skip non-existant group
+ exit 0 if ($ggid == $gid);
+ }
+
+ # Check if user is in member list
+ foreach $mem (split ' ',$members)
+ {
+ exit 0 if ($user eq $mem);
+ }
+}
+
+exit 1;
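Review bot: unixgroup makes the group decision for the protected directory, yet it runs with neither `use strict` nor `use warnings` and keeps `$user`, `$gid`, `$members` and both loop variables as package globals. Adding `use strict; use warnings;` under the shebang and declaring each variable with `my` would make a missing `USER` or `GROUP` variable, or a mistyped name, show up in the error log instead of passing silently into an exit code. A plain unified diff records no file mode or owner, so the packaging has to install the script executable, owned by root and not writable by the web server account. `$x` in the `getgrnam` list is never read, and `undef` in that slot would say so directly.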