You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by ms...@freezone.co.uk on 2004/07/05 05:22:09 UTC
[users@httpd] DAV According to Filesystem Permissions
I setup DAV and authentication. I authenticate against the same
directory used for login. Now, I would like authenticated users' read /
write access to correspond to their filesystem permissions. I can't
figure out how to accomplish this.
Currently, though users successfully authenticate, their read / write
access are all based on the user / group running Apache (www-data).
Thanks!
Jack
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] DAV According to Filesystem Permissions
Posted by Joshua Slive <js...@gmail.com>.
On Fri, 9 Jul 2004 00:36:55 -0700, ms419@freezone.co.uk
<ms...@freezone.co.uk> wrote:
> But you are correct - I'm suggesting turning DAV on *and* allowing
> unauthenticated access to POST, etc.
>
> I'm hoping that filesystem permissions will be enough to keep warez off
> the server (and avoid any other vulnerabilities)? If the apache user
> (www-data) can't write to any of the UserDirs, neither can
> unauthenticated users?
>
> (True, the purpose of turning DAV on is to allow users to write to
> repositories in their own directories - so users must limit access to
> POST, etc. (using .htaccess files) before enabling write access by
> www-data. The users are trusted. It would be simpler, however, if
> users' authentication gave them access corresponding to their
> filesystem permissions. : \
Ok. I understand now.
Yes, that will probabably work, although it is not a configuration
that I would recommend. You need to be very careful with unix
permissions to prevent "bad things" from happening. For example, if
you have a cgi script that writes some data, it is probably doing it
under the apache userid and would be vulnerable after this.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] DAV According to Filesystem Permissions
Posted by ms...@freezone.co.uk.
On Jul 7, 2004, at 10:18 AM, Joshua Slive wrote:
> On Tue, 6 Jul 2004 17:45:40 -0700, ms419@freezone.co.uk
> <ms...@freezone.co.uk> wrote:
>
>> My problem is, users want to setup DAV repositories, but the "DAV On"
>> directive can't be issued in a .htaccess file. Consequently, to setup
>> DAV repositories in users' UserDir, I'm turning DAV on for all
>> UserDirs.
>>
>> I've been over the documentation and understand there are security
>> risks, so I tried restricting POST, PUT, etc. to authenticated
>> visitors. Unfortunately, this breaks users' CGIs.
>>
>> At this point, I'm considering enabling DAV and leaving POST, PUT,
>> etc.
>> the way they were.
>>
>> I can't give authenticated users access corresponding to their
>> filesystem permissions, but filesystem permissions should still
>> prevent
>> "www-data" from gaining more access than intended - unauthenticated
>> visitors should not have write access unless users explicitly make
>> files available to "www-data".
>>
>> Is this reasonable, or can someone point out the vulnerability in this
>> configuration?
>
> I don't really understand what you are asking. If you are saying you
> are planning to give full-unrestricted access to DAV methods, then
> this is not a good idea. Your server will become warez-central, since
> anyone will be able to write files.
>
> Joshua.
Ach - I hate being unclear (it's a problem even before I try expressing
myself).
But you are correct - I'm suggesting turning DAV on *and* allowing
unauthenticated access to POST, etc.
I'm hoping that filesystem permissions will be enough to keep warez off
the server (and avoid any other vulnerabilities)? If the apache user
(www-data) can't write to any of the UserDirs, neither can
unauthenticated users?
(True, the purpose of turning DAV on is to allow users to write to
repositories in their own directories - so users must limit access to
POST, etc. (using .htaccess files) before enabling write access by
www-data. The users are trusted. It would be simpler, however, if
users' authentication gave them access corresponding to their
filesystem permissions. : \
Many thanks for your insight!
Jack
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] DAV According to Filesystem Permissions
Posted by Joshua Slive <js...@gmail.com>.
On Tue, 6 Jul 2004 17:45:40 -0700, ms419@freezone.co.uk
<ms...@freezone.co.uk> wrote:
> My problem is, users want to setup DAV repositories, but the "DAV On"
> directive can't be issued in a .htaccess file. Consequently, to setup
> DAV repositories in users' UserDir, I'm turning DAV on for all
> UserDirs.
>
> I've been over the documentation and understand there are security
> risks, so I tried restricting POST, PUT, etc. to authenticated
> visitors. Unfortunately, this breaks users' CGIs.
>
> At this point, I'm considering enabling DAV and leaving POST, PUT, etc.
> the way they were.
>
> I can't give authenticated users access corresponding to their
> filesystem permissions, but filesystem permissions should still prevent
> "www-data" from gaining more access than intended - unauthenticated
> visitors should not have write access unless users explicitly make
> files available to "www-data".
>
> Is this reasonable, or can someone point out the vulnerability in this
> configuration?
I don't really understand what you are asking. If you are saying you
are planning to give full-unrestricted access to DAV methods, then
this is not a good idea. Your server will become warez-central, since
anyone will be able to write files.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] DAV According to Filesystem Permissions
Posted by ms...@freezone.co.uk.
On Jul 5, 2004, at 6:57 AM, Joshua Slive wrote:
> On Sun, 4 Jul 2004 20:22:09 -0700, ms419@freezone.co.uk
> <ms...@freezone.co.uk> wrote:
>> I setup DAV and authentication. I authenticate against the same
>> directory used for login. Now, I would like authenticated users' read
>> /
>> write access to correspond to their filesystem permissions. I can't
>> figure out how to accomplish this.
>>
>> Currently, though users successfully authenticate, their read / write
>> access are all based on the user / group running Apache (www-data).
>
> This can't be done (in any reasonable way).
>
> The mod_dav repository is private to mod_dav. You shouldn't be trying
> to interact with it from login accounts. This is both because of the
> ownership issue, and because locking will be completely wrecked if you
> bypass mod_dav.
>
> The ownership issue is a basic issue with unix security. Since Apache
> has long-lived processes and does not run as root, there is no way for
> it to switch permissions based on the request.
Got it. Thanks.
My problem is, users want to setup DAV repositories, but the "DAV On"
directive can't be issued in a .htaccess file. Consequently, to setup
DAV repositories in users' UserDir, I'm turning DAV on for all
UserDirs.
I've been over the documentation and understand there are security
risks, so I tried restricting POST, PUT, etc. to authenticated
visitors. Unfortunately, this breaks users' CGIs.
At this point, I'm considering enabling DAV and leaving POST, PUT, etc.
the way they were.
I can't give authenticated users access corresponding to their
filesystem permissions, but filesystem permissions should still prevent
"www-data" from gaining more access than intended - unauthenticated
visitors should not have write access unless users explicitly make
files available to "www-data".
Is this reasonable, or can someone point out the vulnerability in this
configuration?
Thanks!
Jack
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] DAV According to Filesystem Permissions
Posted by Joshua Slive <js...@gmail.com>.
On Sun, 4 Jul 2004 20:22:09 -0700, ms419@freezone.co.uk
<ms...@freezone.co.uk> wrote:
> I setup DAV and authentication. I authenticate against the same
> directory used for login. Now, I would like authenticated users' read /
> write access to correspond to their filesystem permissions. I can't
> figure out how to accomplish this.
>
> Currently, though users successfully authenticate, their read / write
> access are all based on the user / group running Apache (www-data).
This can't be done (in any reasonable way).
The mod_dav repository is private to mod_dav. You shouldn't be trying
to interact with it from login accounts. This is both because of the
ownership issue, and because locking will be completely wrecked if you
bypass mod_dav.
The ownership issue is a basic issue with unix security. Since Apache
has long-lived processes and does not run as root, there is no way for
it to switch permissions based on the request.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org