Preserve the Shell Environment Using sudo

When executing a command or script as another user, it may be necessary to preserve the current shell’s environment. sudo provides the -E flag for this.

However, on Ubuntu systems the PATH environment variable is not preserved by the -E flag, because the default /etc/sudoers sets secure_path and sudo resets PATH to that value regardless of -E. Work around this by passing the current shell’s PATH environment variable on the command line in the form PATH=$PATH:

$ sudo PATH=$PATH -E -u anotheruser ./some-command.sh

There are other ways to manage environment variables with sudo by editing /etc/sudoers (use sudoedit, don’t edit it directly!), but the above can be useful to quickly get the job done.


Enabling Apache Digest User Authentication

Background

These notes relate to Debian-based systems running Apache 2.2, so you’ll have to make the appropriate changes to paths, and possibly commands, for your operating system or Linux distro.

The example setup that I’ve provided here allows users with an operational Apache user directory (mod_userdir) to set their own user access permissions, rather than a system-wide approach.

System-wide Settings

The Apache2 configuration files can be found in /etc/apache2/. Update the file /etc/apache2/apache2.conf to include the following directives:

<Directory /home/*/public_html>
    AllowOverride FileInfo AuthConfig Limit
    Options Indexes SymLinksIfOwnerMatch IncludesNoExec
</Directory>

You might simply be able to uncomment existing text within the config file. Among other things, this permits users to enable authentication checking in their public_html directories, or whatever you set the directory name to. You’ll also have to enable Apache’s mod_userdir if it isn’t already enabled:

$ sudo a2enmod userdir

Support for digest authentication is also provided in an Apache module. The digest authentication module is not enabled by default, but can also be enabled using a2enmod:

$ sudo a2enmod auth_digest

If a2enmod isn’t available on your distribution, then you may wish to enable Apache modules by providing a symlink to the appropriate module in the following manner:

$ sudo ln -s /etc/apache2/mods-available/auth_digest.load /etc/apache2/mods-enabled/

Password Generation

Passwords are generated using the htdigest tool that ships with the Apache2 distribution. The file created using this tool places username, realm and hashed password together on a colon-delimited line. This file should be placed in a location where Apache cannot serve it up to a client (e.g. don’t place it in /var/www).

In order to add an entry to the password file run the htdigest tool as follows:

$ htdigest -c /directory/path/digest.htpasswd myrealm username

Caution: the -c flag forces htdigest to delete the existing digest password file, if it already exists. Drop it if you need to add new entries to an existing file. You should also replace the values myrealm and username with values appropriate for your system. The realm value is a security context that should be recognisable to the user, so that they know which username and password to provide.

Directory-Level Configuration

You can now create a .htaccess file within each of the directories and subdirectories that you would like to protect using digest authentication. Here’s an example .htaccess file that may, for example, be placed immediately within a user’s public_html directory:

AuthType Digest
AuthName "myrealm"
AuthDigestDomain / http://subdomain.mydomain.com/
AuthUserFile /directory/path/digest.htpasswd
Require valid-user

Here’s an explanation of each of the above Apache directives.

  • The AuthName value is the same value that was given when using the htdigest program (see details above).
  • AuthDigestDomain provides the list of URIs that are in the protection space. These URIs can be absolute or relative, and sub-directories of those given are matched as well.
  • The value of AuthUserFile points to the location of the file that was created using the htdigest tool.
  • Require takes two values here, but can take more so that extra requirements are imposed. The values used indicate that the user-level authentication mechanism is being used (rather than group-level) and that only valid users (created using htdigest, as shown above) are granted access.
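As an added example (not code from the original post), the following Python reproduces the htdigest file format described under Password Generation and checks each entry’s realm against the AuthName used in the .htaccess above, since a realm that does not match AuthName can never authenticate. The sample file contents, user names and realms are constructed.

```python
import hashlib
import hmac
import re

# Constructed sample digest.htpasswd contents (not from the page):
# each line is username:realm:MD5(username:realm:password)
SAMPLE_FILE = """\
alice:myrealm:0123456789abcdef0123456789abcdef
bob:otherrealm:fedcba9876543210fedcba9876543210
"""

HEX32 = re.compile(r"^[0-9a-f]{32}$")

def htdigest_hash(username, realm, password):
    """HA1 as htdigest stores it: MD5 over 'user:realm:password' (RFC 2617)."""
    data = f"{username}:{realm}:{password}".encode("utf-8")
    return hashlib.md5(data).hexdigest()

def htdigest_entry(username, realm, password):
    """One colon-delimited line in the form htdigest writes."""
    if ":" in username or ":" in realm:
        raise ValueError("username and realm must not contain ':'")
    return f"{username}:{realm}:{htdigest_hash(username, realm, password)}"

def parse_htdigest(text):
    """Return [(user, realm, ha1)], rejecting malformed lines early."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 3 or not HEX32.match(parts[2]):
            raise ValueError(f"line {lineno}: not a user:realm:md5 entry")
        entries.append(tuple(parts))
    return entries

def verify(entries, username, realm, password):
    """True only if user, realm and password all match one entry."""
    expected = htdigest_hash(username, realm, password)
    return any(u == username and r == realm and hmac.compare_digest(h, expected)
               for u, r, h in entries)

def realm_mismatches(entries, auth_name):
    """Users whose realm differs from the .htaccess AuthName: Apache will
    never accept their password, the usual cause of a repeated 401 prompt."""
    return [u for u, r, _ in entries if r != auth_name]
```

Running realm_mismatches over a real password file with the AuthName from each .htaccess is a quick way to explain a login prompt that keeps reappearing for a known-good password.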

Now Try It!

Restart Apache:

$ sudo /etc/init.d/apache2 restart

If all has gone well, you should be challenged for your credentials when you try to browse your protected directories.
