How to install mod_authz_unixgroup.c into Apache: NOTES: * There are two ways of installing mod_authz_unixgroup. (1) You can statically link it with Apache. This requires rebuilding Apache in such a way that mod_authz_unixgroup will be compiled in. (2) You can make mod_authz_unixgroup a dynamically loaded module. If your Apache has been built to support dynamically loaded modules you can do this without rebuilding Apache, so it is pretty easy. Performance may be slightly worse with this option. For information on dynamically loaded modules see http://www.apache.org/docs/dso.html Instructions for both options are given here. * There is also documentation in the README file. If you find this document unclear, reading that may help. INSTALL METHOD A: Dynamically Linking Mod_authz_unixgroup using apxs: --------------------------------------------------------------------- Step 1: Ensure that your Apache server is configured to handle dynamically loaded modules. To check this, run Apache server with the -l command flag, like httpd -l If mod_so.c is one of the compiled-in modules, then you are ready to go. Step 2: Compile the module using the following command in the mod_authz_unixgroup distribution directory: apxs -c mod_authz_unixgroup.c 'Apxs' is the Apache extension tool. It is part of the standard Apache installation. If you don't have it, then your Apache server is probably not set up for handling dynamically loaded modules. This should create a file named 'mod_authz_unixgroup.so'. Step 3: Install the module. Apxs can do this for you too. Do the following command (as root so you can write to Apache's directories and config files): apxs -i -a mod_authz_unixgroup.la This will create mod_authz_unixgroup.so and copy it into the proper place, and add appropriate AddModule and LoadModule commands to the configuration files. (Actually, it may get the LoadModule command wrong. See below.) Step 4: Go to the CONFIGURATION instructions below. INSTALL METHOD B: Statically Linking ------------------------------------ Step 1: Read the instructions on how to configure the Apache server in the INSTALL file provided with the Apache source. Step 2: When you run the ./configure script, include an --with-module flag, giving the full pathname to the mod_authz_unixgroup.c file in this distribution. For example, if you have unpacked this distribution in /usr/local/src/mod_authz_unixgroup and are building Apache for installation in /usr/local/apache, you might do: ./configure --prefix=/usr/local/apache \ --with-module=aaa:/usr/local/src/mod_authz_unixgroup/mod_authz_unixgroup.c This will copy the mod_authz_unixgroup.c file into the correct place in the Apache source tree and set things up to link it in. Step 3: Type "make" to compile Apache and "make install" to install it. Step 4: Go to the CONFIGURATION instructions below. CONFIGURATION: -------------- Mod_authz_unixgroup is pretty simple to use. First, you need to enable it for whatever directory you want to use it in, by inserting the following directive either in a .htaccess file in the directory or a <Directory> block in the httpd.conf file: AuthzUnixgroup on Second, you will need a require directive like Require group admin or Require group students teachers staff Obviously this only makes sense in a directory where you are doing authentication. This could be any kind of authentication, but it makes most sense if you are using it in combination with authentication out of the unix password file, perhaps using mod_auth_external together with pwauth, or mod_auth_shadow. The "Require group" directive will then cause mod_authz_unixgroup to check if the user is in one of the groups listed, and reject the authentication if they are not. A user is considered to be in a group if either (1) the group is the user's primary group identified by it's gid number in /etc/passwd, or (2) the group is listed in /etc/group and the user id is listed as a member of that group. If you are authenticating out of something other than the unix password database, then this can be used, but the effect is a bit odd. To pass the "Require group" test, there must (1) exist a unix account with the same name as the account the user authenticated in, and (2) that unix account must be in one of the unix groups listed on the Require line. It is also possible to list groups by gid number instead of name, like Require group 10 would be equivalent to "Require group admin" if the gid listed for the group admin in /etc/group is 10. If mod_authz_owner is enabled in your httpd, then that will work with mod_authz_unixgroup to check access based on file groups. For example if we do: AuthzUnixgroup on Require file-group Then a user will be able to access a file if and only if that file is owned by a group of which the user is a member. Normally, when an access check fails, mod_authz_unixgroup will return a HTTP 401 error. This will typically cause the browser to pop up a message saying "Authentication Failed" and then the browser will ask for a new login name. In some cases this is not the desired behavior. If you are using the "Require file-group" directive, you may not want to log the user off every time he hits a file he doesn't have access to. Maybe you'd rather just show a "Permission denied message" and not log him off. You could do that by directing mod_authz_unixgroup to return a 403 error instead of a 401 error. You can do this with the following directive: AuthnzUnixgroupError 403 By default, mod_authz_unixgroup is authoritative. If you want to use more than one group checker, like mod_authz_unixgroup together with mod_authz_groupfile or mod_authz_dbm, then you'll want to make them non- authoritative, so that if one fails, the other will be tried. You can make mod_authz_unixgroup non-authoritative by saying: AuthzUnixgroupAuthoritative off