Posted to users@httpd.apache.org by LuKreme <kr...@kreme.com> on 2009/11/12 01:11:09 UTC

[users@httpd] setting up webdav

I have a server running Apache 2.2.11_7 on FreeBSD 6-2-RELEASE with webdav enabled. I have several domains on the machine.

I have the following directive for one domain, which works just fine with webdav:

<VirtualHost *>
   ServerName webdav.example.com
   ServerAlias files.example.com
   DocumentRoot /usr/local/www/example.com/
   ErrorLog /usr/local/www/example.com/logs/example.error_log
   CustomLog /usr/local/www/example.com/logs/example.access_log combined
   DavLockDB /tmp/DavLock.example
   <location />
     DAV On
     AuthType basic
     AuthName BUops
     AuthUserFile /usr/local/www/example.com/.htdavpass
     Options All
     ForceType text/plain
     <Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
        require valid-user
     </Limit>
   </location>
</VirtualHost>

The document root contains an htaccess file that contains 
AddType application/xml .html

(I'm actually not sure why this directive is there)

I have another domain which gives an error every time I try to login, but its setup is nearly identical.

<virtualhost *>
   ServerName webdav.example.net
   DocumentRoot /usr/local/www/example.net/
   DavLockDB /tmp/DavLock.examplenet
   <location />
      DAV On
      AuthType Basic
      AuthName "Example.net DAV"
      AuthUserFile /usr/local/www/example.net/.htdavpass
      Options All
      Allow from All
      ForceType text/plain
      <Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
         require user jeans
      </limit>
   </location>
</VirtualHost>

The .htdavpass file for the second domain contains the user jeans and a password and was set up with the command

htpasswd -bc /usr/local/www/jenandersontarver.com/.htdavpass jeans <PASSWORD>

The error in the logs is:

[error] [client 71.229.144.93] client denied by server configuration: /usr/local/www/example.net/

The only difference in the files is the require directive, but I've seen that exact syntax many times, so I don't know why that would cause a failure, and besides, if I change the directive to 'require valid-user' it still fails.

Both directories and all the files in them are owned by the www user (except .htdavpass which is owned by root), and I cannot figure out what the issue could be. AuthName?


-- 
Death was familiar with the concept of the eternal, ever-renewed hero, the champion with a thousand faces. He'd refrained from commenting. --The Last Continent


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


[users@httpd] Re: setting up webdav

Posted by LuKreme <kr...@kreme.com>.
On 11-Nov-2009, at 18:04, André Warnier wrote:
> LuKreme wrote:
>> any file named .ht* is never served by apache, and there's really nowhere else to place the .htdavpass file.
> What do you mean there is nowhere else ?
> What about under /usr/local/www, and name it example.com.davpasswd for instance. At least it would not be directly under your DocumentRoot, in an area potentially accessible by users.

It's SUPPOSED to be accessible to the users. It's THEIR web space. If they want to change the webDAV passwords they are free to do so. However, I have to admit that currently there's no method for them to do so (I keep meaning to get around to setting something up).

> Apache will never serve a file starting with a dot, maybe.
> But since you have the / locations open to DAV, have you checked if someone (authenticated) can upload a file called .htdavpass ?
> Or download it through DAV ?

It doesn't show up at all via webDAV and the file is owned by root, so no, there is no way for them to change it.

>      AuthUserFile /usr/local/www/example.net/.htdavpass
> 
> So it is not really surprising if user jeans cannot access a site for which the password file is not the same as the one user jeans' password was created in, is it ?

I simply forgot to obfuscate the domain in question on the htpass line. The paths are identical (and copied and pasted). Also, I am not getting a password error, I am getting 

[error] [client 71.229.144.93] client denied by server configuration: /usr/local/www/example.net/


-- 
Humans are always slightly lost. It's a basic characteristic. It explains a lot about them. --Lords and Ladies




Re: [users@httpd] Re: setting up webdav

Posted by André Warnier <aw...@ice-sa.com>.
LuKreme wrote:
> 
> any file named .ht* is never served by apache, and there's really nowhere else to place the .htdavpass file.
> 
What do you mean there is nowhere else ?
What about under /usr/local/www, and name it example.com.davpasswd for 
instance. At least it would not be directly under your DocumentRoot, in 
an area potentially accessible by users.
Apache will never serve a file starting with a dot, maybe.
But since you have the / locations open to DAV, have you checked if 
someone (authenticated) can upload a file called .htdavpass ?
Or download it through DAV ?
(I don't know the answer, but it might be interesting)

Now about the rest :

...
The .htdavpass file for the second domain contains the user jeans and a 
password and was setup with the command

htpasswd -bc /usr/local/www/jenandersontarver.com/.htdavpass jeans 
<PASSWORD>

but then :
    <location />
    ...
       AuthUserFile /usr/local/www/example.net/.htdavpass

So it is not really surprising if user jeans cannot access a site for 
which the password file is not the same as the one user jeans' password 
was created in, is it ?
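
A check for the layout questioned above, as an added example that is not part of the original thread: it scans Apache configuration text for DAV-enabled virtual hosts whose AuthUserFile sits inside the DocumentRoot. The sample configuration is constructed from the vhosts quoted in the thread (the second one moved to the sibling-path naming suggested above), and the function names are hypothetical.

```python
import re
from pathlib import PurePosixPath

# Constructed sample, modelled on the vhosts quoted in the thread.
SAMPLE_CONF = """\
<VirtualHost *>
   ServerName webdav.example.com
   DocumentRoot /usr/local/www/example.com/
   <Location />
     DAV On
     AuthUserFile /usr/local/www/example.com/.htdavpass
   </Location>
</VirtualHost>
<VirtualHost *>
   ServerName webdav.example.net
   DocumentRoot /usr/local/www/example.net/
   <Location />
     DAV On
     AuthUserFile /usr/local/www/example.net.davpasswd
   </Location>
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.I | re.S)

def directive(block, name):
    """Return the first argument of a directive in a block, or None."""
    m = re.search(rf"^\s*{name}\s+(\S+)", block, re.I | re.M)
    return m.group(1).strip('"') if m else None

def is_under(path, root):
    """True when path lies inside root (lexical comparison, no symlink resolution)."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    return r == p or r in p.parents

def audit(conf_text):
    """List (ServerName, AuthUserFile) for DAV vhosts with the password file in DocumentRoot."""
    findings = []
    for block in VHOST_RE.findall(conf_text):
        root = directive(block, "DocumentRoot")
        pwfile = directive(block, "AuthUserFile")
        dav_on = re.search(r"^\s*DAV\s+On\b", block, re.I | re.M)
        if root and pwfile and dav_on and is_under(pwfile, root):
            findings.append((directive(block, "ServerName"), pwfile))
    return findings

if __name__ == "__main__":
    for name, pwfile in audit(SAMPLE_CONF):
        print(f"{name}: {pwfile} is inside the DAV-enabled DocumentRoot")
```

The comparison is done on path components rather than string prefixes, so a sibling file such as example.net.davpasswd is not mistaken for something inside example.net/.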





[users@httpd] Re: setting up webdav

Posted by LuKreme <kr...@kreme.com>.
On 11-Nov-2009, at 17:28, André Warnier wrote:

> LuKreme wrote:
> ...
>>   DocumentRoot /usr/local/www/example.com/
> ...
>>     AuthUserFile /usr/local/www/example.com/.htdavpass
> 
> I think that you have managed to do what no developer of Apache ever thought that a user would ever do : place the file containing the users passwords inside the very directory that this file is supposed to help protect.
> You might thus be exploring code pathways which nobody trod before.

OK, but why does it work for one domain (actually, it works for several domains on this same server) but not for others?

any file named .ht* is never served by apache, and there's really nowhere else to place the .htdavpass file.

http.conf:
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>

(the actual web site is in .../html/ or .../wordpress/, depending on the site)


-- 
Fairy Tales are more than true; not because they tell us that
	dragons exist, but because they tell us that dragons can be
	beaten.




Re: [users@httpd] setting up webdav

Posted by André Warnier <aw...@ice-sa.com>.
LuKreme wrote:
> 
...
>    DocumentRoot /usr/local/www/example.com/
...
>      AuthUserFile /usr/local/www/example.com/.htdavpass

I think that you have managed to do what no developer of Apache ever 
thought that a user would ever do : place the file containing the users 
passwords inside the very directory that this file is supposed to help 
protect.
You might thus be exploring code pathways which nobody trod before.




[users@httpd] Re: setting up webdav

Posted by LuKreme <kr...@kreme.com>.
On 11-Nov-2009, at 17:11, LuKreme wrote:
> I have the following directive for one domain, which works just fine with webdav:


Never mind. Someone enabled 'evasive20_module' sometime this afternoon, and it was this event that caused webdav mounts (all of them) to stop working. I'd been using several this morning, but when trying to access two new domains, the mounting kept failing.

Sorry. The appropriate person has been beaten and whipped.

-- 
Boy, it sure would be nice if we had some grenades, 
	don'tcha think? 

