Search code examples
phpauthenticationpermissionssuphp

Implementing log in alongside suPHP


How can a log in like feature be designed to use suPHP's file permissions. For example, if I have a website at www.example.com and the following two users with their own home directories, each with a php script test.php, and a validateUser.php script that belongs to another user (root, www-data, apache...) in the /home directory.

/home/
├── validateUser.php
├── user1
│   └── test.php
└── user2
    └── test.php

user1 can access user2's script by visiting www.example.com/user2/test.php, and vice versa. Instead what I want, is to channel all incoming requests, using something like mod_rewrite, to validateUser.php. However, doing so will have the consequence of executing all scripts as the owner of validateUser.php, not the target test.php script.

Is there anyway to call a php script before suPHP kicks in, and then either allow suPHP to continue, or abort entirely.


EDIT This is the second bounty I am putting up. The first I gave to Gustav b/c he gave a good partial answer. I will mention what I have attempted so far, and why none of them work for me.

1)I have tried using mod_rewrite to redirect the URL to validateUser.php to either log the user in, or call whatever script they wanted to call. The problem is that I have set my virtual hosts such that each user has their own virtual site (ie. www.user1.example.com, www.user2.example.com...if this is a bad design approach, feel free to rudely point it out). Therefore, although the OS sees the file structure as above, online, the root directories are set up as such

VirtualHost = www.user1.example.com
├── validateUser.php
└── test.php
VirtualHost = www.user2.example.com
├── validateUser.php
└── test.php

Naturally I just moved a copy of validateUser.php into every user's directory. The problem is that now the user can delete that file and put whatever they want in there, like not require a log in at all. A way around this is to make the home folder sticky (not something I would ever recommend doing to a home folder) and make the validateUser.php owned by root. But now it will executed AS root since this is suPHP. That's where I gave up.

2)I could use Gustav's mod_auth suggestion, but I don't like that it demands the password up front (like the old school web sites).

3) I have considered a variant to 1) if I could redirect between virtual hosts. For example, restructure the virtual hosts like so

VirtualHost = www.user1.example.com
└── test.php
VirtualHost = www.user2.example.com
└── test.php
VirtualHost = www.admin.example.com
└── validateUser.php

Then use mod_rewrite to redirect ALL traffic from users to www.admin.example.com/validateUser.php, and if the user is logged in (or if the login is successful) the user is redirected back to the site they initially tried to log in to. The benefit of this, if it even is possible, is that suPHP won't kick in until the user is directed back to their own virtual host.


Solution

  • Have you considered implementing user authentication using using mod_auth? If you decide to try it, there is a guide that you may find useful.

    The Apache 2.2 equivalents:

    Note that the browser stores the credentials, and sends them in the header with every request you make.