next up previous contents
Next: Configuring CERN HTTPD Up: Enabling Security on Previous: Restricting Users

Protecting Access to Individual Files using Access Control Lists

It is also possible to have an Access Control List (ACL) in the directory where the actual data files reside. This can specify access to individual files in the directory, and it also has the advantage that users can set up their own access control to their own files without having to be given permission to change the main server configuration filegif.

An ACL file must be called .www_acl, and it has the form:

index.html : GET : @*
secret*.html: GET,POST : trusted@*
*.html : GET : webweavers

Beware! If any entry matches, access is given. In the above example, the people in the webweavers group can access the secret*.html files, even if they're not connecting from a ucl machine, because the *.html term matches.

The relevant password and group files are identified from the main server configuration file using Protection and either Protect or DefProt commands.

DefProt is used in the same way as Protect except that by itself it doesn't actually enable any protection. Instead it identifies which password and group files should be used for .www_acl files in a particular subtree. For example, to specify a default password and group file for the entire server, you would add the following to the main server configuration file:

Protection DEFAULT {
AuthType Basic
ServerId UCL
PasswordFile /www/config/passwd
GroupFile /www/config/group
DefProt /* DEFAULT

If there's no relevant Protect or DefProt command, the .www_acl file will cause an error.

Jon Crowcroft
Wed May 10 11:46:29 BST 1995