Posted to users@httpd.apache.org by Sean Davis <sd...@mail.nih.gov> on 2006/02/28 14:55:42 UTC

[users@httpd] WebDAV directory allowing all access despite limits

I am running the following on MacOS 10.4.5:

Apache/2.0.54 (Unix) DAV/2 proxy_html/2.5 SVN/1.2.3 PHP/5.0.4 mod_perl/2.0.1
Perl/v5.8.6

I have a webDAV directory configured as such:

<Location /webDAV/public/>
    Dav On
    AuthType Basic
    AuthName "Public WebDAV Repository"
    AuthUserFile /usr/local/apache2/passwd/htpass
    Options none
    AllowOverride none
    <LimitExcept GET HEAD OPTIONS>
        Require user sean
    </LimitExcept>
</Location>

However, when I connect to this DAV directory (via the mac "connect to
server"), I can happily PUT, DELETE, and PROPFIND.  Below is the access log.
I'm confused as to why I can still do these things with the above
configuration.


128.231.145.14 - sean [28/Feb/2006:08:46:34 -0500] "PUT /webDAV/public/Abstract.doc HTTP/1.1" 204 -

<SNIP>

128.231.145.14 - sean [28/Feb/2006:08:46:55 -0500] "DELETE /webDAV/public/Abstract.doc HTTP/1.1" 204 -
128.231.145.14 - sean [28/Feb/2006:08:46:55 -0500] "DELETE /webDAV/public/._Abstract.doc HTTP/1.1" 204 -
128.231.145.14 - sean [28/Feb/2006:08:46:55 -0500] "PROPFIND /webDAV/public/ HTTP/1.1" 207 2230
128.231.145.14 - sean [28/Feb/2006:08:49:00 -0500] "PROPFIND /webDAV/public/ HTTP/1.1" 207 560
128.231.145.14 - sean [28/Feb/2006:08:49:00 -0500] "PROPFIND /webDAV/public/ HTTP/1.1" 207 2230
128.231.145.14 - - [28/Feb/2006:08:49:00 -0500] "GET /webDAV/public/._Templeton HTTP/1.1" 304 -



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
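As an added check (not part of the thread), a small Python audit that scans Apache access-log lines for write methods under the DAV location that were not refused, which is exactly the symptom the log above shows. The sample lines are constructed: the thread's PUT/DELETE/PROPFIND/GET entries joined onto single lines as they appear in a real log, plus an invented 403 and an invented request outside the location; the location path and the 401/403/405 "refused" statuses are assumptions.

```python
import re

# Apache common-log line, e.g.
# 128.231.145.14 - sean [28/Feb/2006:08:46:34 -0500] "PUT /webDAV/public/Abstract.doc HTTP/1.1" 204 -
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# WebDAV methods that modify the collection; GET/HEAD/OPTIONS/PROPFIND are read-only.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "PROPPATCH", "COPY", "MOVE", "LOCK", "UNLOCK"}

def parse_line(line):
    """Split one access-log line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d

def find_violations(lines, location="/webDAV/public/", write_methods=WRITE_METHODS):
    """Return entries where a write method under `location` was answered with
    anything other than a refusal (assumed: 401, 403 or 405)."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None or not e["path"].startswith(location):
            continue
        if e["method"] in write_methods and e["status"] not in (401, 403, 405):
            hits.append(e)
    return hits

# Constructed sample: thread entries plus a denied PUT and a PUT outside the location.
SAMPLE_LOG = """\
128.231.145.14 - sean [28/Feb/2006:08:46:34 -0500] "PUT /webDAV/public/Abstract.doc HTTP/1.1" 204 -
128.231.145.14 - sean [28/Feb/2006:08:46:55 -0500] "DELETE /webDAV/public/Abstract.doc HTTP/1.1" 204 -
128.231.145.14 - sean [28/Feb/2006:08:46:55 -0500] "PROPFIND /webDAV/public/ HTTP/1.1" 207 2230
128.231.145.14 - - [28/Feb/2006:08:49:00 -0500] "GET /webDAV/public/._Templeton HTTP/1.1" 304 -
128.231.145.14 - sean [28/Feb/2006:09:02:10 -0500] "PUT /webDAV/public/Abstract.doc HTTP/1.1" 403 -
128.231.145.14 - sean [28/Feb/2006:09:02:11 -0500] "PUT /other/Abstract.doc HTTP/1.1" 204 -
""".splitlines()

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f'{v["ts"]} {v["user"]} {v["method"]} {v["path"]} -> {v["status"]}')
```

Run it against the live access_log after changing the Limit/LimitExcept blocks; an empty result for the location is the confirmation that writes are now refused.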


Re: [users@httpd] WebDAV directory allowing all access despite limits

Posted by Sean Davis <sd...@mail.nih.gov>.


On 2/28/06 10:08 AM, "Joshua Slive" <jo...@slive.ca> wrote:

> On 2/28/06, Sean Davis <sd...@mail.nih.gov> wrote:
>> 
>> 
>> 
>> On 2/28/06 9:23 AM, "Nick Kew" <ni...@webthing.com> wrote:
>> 
>>> On Tuesday 28 February 2006 13:55, Sean Davis wrote:
>>> 
>>>> 128.231.145.14 - sean [28/Feb/2006:08:46:34 -0500] "PUT /webDAV/public/Abstract.doc HTTP/1.1" 204 -
>>> 
>>> See that "sean" in there?  Your client has authenticated itself.
>>> Where's the problem?
>> 
>> Sorry, Nick, for not explaining the problem clearly.  The problem isn't the
>> lack of authentication, but what I thought was too permissive authorization.
>> Perhaps my understanding of LimitExcept is wrong, but I thought if I had a:
>> 
>> <LimitExcept GET HEAD OPTIONS>
>>    Require user sean
>> </LimitExcept>
>> 
>> that I shouldn't be able to PUT or DELETE.  The log entries show that I was
>> able to do that--hence the problem.  I don't understand why I can PUT or
>> DELETE with the LimitExcept directive in place.  I simply want a webDAV
>> directory that is read-only by the user sean.
> 
> Yes, your understanding of <LimitExcept> is wrong.  You want
> <Limit GET OPTIONS>
> require user sean
> </Limit>
> <LimitExcept GET OPTIONS>
> Order allow,deny
> Deny from all
> </LimitExcept>

Thanks for clarifying--that was it.

Sean





Re: [users@httpd] WebDAV directory allowing all access despite limits

Posted by Joshua Slive <jo...@slive.ca>.
On 2/28/06, Sean Davis <sd...@mail.nih.gov> wrote:
>
>
>
> On 2/28/06 9:23 AM, "Nick Kew" <ni...@webthing.com> wrote:
>
> > On Tuesday 28 February 2006 13:55, Sean Davis wrote:
> >
> >> 128.231.145.14 - sean [28/Feb/2006:08:46:34 -0500] "PUT /webDAV/public/Abstract.doc HTTP/1.1" 204 -
> >
> > See that "sean" in there?  Your client has authenticated itself.
> > Where's the problem?
>
> Sorry, Nick, for not explaining the problem clearly.  The problem isn't the
> lack of authentication, but what I thought was too permissive authorization.
> Perhaps my understanding of LimitExcept is wrong, but I thought if I had a:
>
> <LimitExcept GET HEAD OPTIONS>
>    Require user sean
> </LimitExcept>
>
> that I shouldn't be able to PUT or DELETE.  The log entries show that I was
> able to do that--hence the problem.  I don't understand why I can PUT or
> DELETE with the LimitExcept directive in place.  I simply want a webDAV
> directory that is read-only by the user sean.

Yes, your understanding of <LimitExcept> is wrong.  You want
<Limit GET OPTIONS>
require user sean
</Limit>
<LimitExcept GET OPTIONS>
Order allow,deny
Deny from all
</LimitExcept>

Joshua.



Re: [users@httpd] WebDAV directory allowing all access despite limits

Posted by Sean Davis <sd...@mail.nih.gov>.


On 2/28/06 9:23 AM, "Nick Kew" <ni...@webthing.com> wrote:

> On Tuesday 28 February 2006 13:55, Sean Davis wrote:
> 
>> 128.231.145.14 - sean [28/Feb/2006:08:46:34 -0500] "PUT /webDAV/public/Abstract.doc HTTP/1.1" 204 -
> 
> See that "sean" in there?  Your client has authenticated itself.
> Where's the problem?

Sorry, Nick, for not explaining the problem clearly.  The problem isn't the
lack of authentication, but what I thought was too permissive authorization.
Perhaps my understanding of LimitExcept is wrong, but I thought if I had a:

<LimitExcept GET HEAD OPTIONS>
   Require user sean
</LimitExcept>

that I shouldn't be able to PUT or DELETE.  The log entries show that I was
able to do that--hence the problem.  I don't understand why I can PUT or
DELETE with the LimitExcept directive in place.  I simply want a webDAV
directory that is read-only by the user sean.

Thanks,
Sean





Re: [users@httpd] WebDAV directory allowing all access despite limits

Posted by Nick Kew <ni...@webthing.com>.
On Tuesday 28 February 2006 13:55, Sean Davis wrote:

> 128.231.145.14 - sean [28/Feb/2006:08:46:34 -0500] "PUT /webDAV/public/Abstract.doc HTTP/1.1" 204 -

See that "sean" in there?  Your client has authenticated itself.
Where's the problem?

-- 
Nick Kew
