Posted to users@httpd.apache.org by Sean Davis <sd...@mail.nih.gov> on 2006/02/28 14:55:42 UTC
[users@httpd] WebDAV directory allowing all access despite limits
I am running the following on MacOS 10.4.5:
Apache/2.0.54 (Unix) DAV/2 proxy_html/2.5 SVN/1.2.3 PHP/5.0.4 mod_perl/2.0.1 Perl/v5.8.6
I have a webDAV directory configured as such:
<Location /webDAV/public/>
Dav On
AuthType Basic
AuthName "Public WebDAV Repository"
AuthUserFile /usr/local/apache2/passwd/htpass
Options none
AllowOverride none
<LimitExcept GET HEAD OPTIONS>
Require user sean
</LimitExcept>
</Location>
However, when I connect to this DAV directory (via the mac "connect to
server"), I can happily PUT, DELETE, and PROPFIND. Below is the access log.
I'm confused as to why I can still do these things with the above
configuration.
128.231.145.14 - sean [28/Feb/2006:08:46:34 -0500] "PUT /webDAV/public/Abstract.doc HTTP/1.1" 204 -
<SNIP>
128.231.145.14 - sean [28/Feb/2006:08:46:55 -0500] "DELETE /webDAV/public/Abstract.doc HTTP/1.1" 204 -
128.231.145.14 - sean [28/Feb/2006:08:46:55 -0500] "DELETE /webDAV/public/._Abstract.doc HTTP/1.1" 204 -
128.231.145.14 - sean [28/Feb/2006:08:46:55 -0500] "PROPFIND /webDAV/public/ HTTP/1.1" 207 2230
128.231.145.14 - sean [28/Feb/2006:08:49:00 -0500] "PROPFIND /webDAV/public/ HTTP/1.1" 207 560
128.231.145.14 - sean [28/Feb/2006:08:49:00 -0500] "PROPFIND /webDAV/public/ HTTP/1.1" 207 2230
128.231.145.14 - - [28/Feb/2006:08:49:00 -0500] "GET /webDAV/public/._Templeton HTTP/1.1" 304 -
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] WebDAV directory allowing all access despite limits
Posted by Sean Davis <sd...@mail.nih.gov>.
On 2/28/06 10:08 AM, "Joshua Slive" <jo...@slive.ca> wrote:
> On 2/28/06, Sean Davis <sd...@mail.nih.gov> wrote:
>>
>>
>>
>> On 2/28/06 9:23 AM, "Nick Kew" <ni...@webthing.com> wrote:
>>
>>> On Tuesday 28 February 2006 13:55, Sean Davis wrote:
>>>
>>>> 128.231.145.14 - sean [28/Feb/2006:08:46:34 -0500] "PUT
>>>> /webDAV/public/Abstract.doc HTTP/1.1" 204 -
>>>
>>> See that "sean" in there? Your client has authenticated itself.
>>> Where's the problem?
>>
>> Sorry, Nick, for not explaining the problem clearly. The problem isn't the
>> lack of authentication, but what I thought was too permissive authorization.
>> Perhaps my understanding of LimitExcept is wrong, but I thought if I had a:
>>
>> <LimitExcept GET HEAD OPTIONS>
>> Require user sean
>> </LimitExcept>
>>
>> that I shouldn't be able to PUT or DELETE. The log entries show that I was
>> able to do that--hence the problem. I don't understand why I can PUT or
>> DELETE with the LimitExcept directive in place. I simply want a webDAV
>> directory that is read-only by the user sean.
>
> Yes, your understanding of <LimitExcept> is wrong. You want
> <Limit GET OPTIONS>
> require user sean
> </Limit>
> <LimitExcept GET OPTIONS>
> Order allow,deny
> Deny from all
> </LimitExcept>
Thanks for clarifying--that was it.
Sean
---------------------------------------------------------------------
Re: [users@httpd] WebDAV directory allowing all access despite limits
Posted by Joshua Slive <jo...@slive.ca>.
On 2/28/06, Sean Davis <sd...@mail.nih.gov> wrote:
>
>
>
> On 2/28/06 9:23 AM, "Nick Kew" <ni...@webthing.com> wrote:
>
> > On Tuesday 28 February 2006 13:55, Sean Davis wrote:
> >
> >> 128.231.145.14 - sean [28/Feb/2006:08:46:34 -0500] "PUT
> >> /webDAV/public/Abstract.doc HTTP/1.1" 204 -
> >
> > See that "sean" in there? Your client has authenticated itself.
> > Where's the problem?
>
> Sorry, Nick, for not explaining the problem clearly. The problem isn't the
> lack of authentication, but what I thought was too permissive authorization.
> Perhaps my understanding of LimitExcept is wrong, but I thought if I had a:
>
> <LimitExcept GET HEAD OPTIONS>
> Require user sean
> </LimitExcept>
>
> that I shouldn't be able to PUT or DELETE. The log entries show that I was
> able to do that--hence the problem. I don't understand why I can PUT or
> DELETE with the LimitExcept directive in place. I simply want a webDAV
> directory that is read-only by the user sean.
Yes, your understanding of <LimitExcept> is wrong. You want
<Limit GET OPTIONS>
require user sean
</Limit>
<LimitExcept GET OPTIONS>
Order allow,deny
Deny from all
</LimitExcept>
Joshua.
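
Added example, not part of the original thread: a simplified Python model of how the two configurations above select methods, replayed over the (method, user) pairs from the access log in the first message. The function names, the dict layout and the three result strings are hypothetical; this illustrates the selection logic and is not Apache's code.

```python
# Simplified model of <Limit>/<LimitExcept> method selection in Apache 2.0.
# Illustration only: hypothetical names, not Apache's implementation.

def covered(section, method):
    """True if this section's rule applies to the request method."""
    methods = set(section["methods"])
    if "GET" in methods:
        methods.add("HEAD")            # listing GET also covers HEAD
    listed = method in methods
    return listed if section["kind"] == "Limit" else not listed

def decide(config, method, user):
    """Return 'allow', 'auth-required' or 'deny' for one request."""
    for section in config:
        if not covered(section, method):
            continue
        rule = section["rule"]
        if rule == "deny-all":         # Order allow,deny + Deny from all
            return "deny"
        if rule.startswith("user:"):   # Require user <name>
            return "allow" if user == rule[5:] else "auth-required"
    return "allow"                     # no section covers it: unrestricted

# Configuration from the first message
ORIGINAL = [{"kind": "LimitExcept", "methods": ["GET", "HEAD", "OPTIONS"],
             "rule": "user:sean"}]
# Configuration suggested in the reply above
FIXED = [
    {"kind": "Limit", "methods": ["GET", "OPTIONS"], "rule": "user:sean"},
    {"kind": "LimitExcept", "methods": ["GET", "OPTIONS"], "rule": "deny-all"},
]

# (method, authenticated user) pairs taken from the access log in the thread
REQUESTS = [("PUT", "sean"), ("DELETE", "sean"), ("PROPFIND", "sean"), ("GET", None)]

def replay(config):
    """Map each logged request to the decision the config would produce."""
    return {f"{m} as {u or 'anonymous'}": decide(config, m, u) for m, u in REQUESTS}

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, replay(cfg))
```

In this model PROPFIND falls under the deny branch of the second configuration, because only GET and OPTIONS (and therefore HEAD) are listed in its `<Limit>`.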
---------------------------------------------------------------------
Re: [users@httpd] WebDAV directory allowing all access despite limits
Posted by Sean Davis <sd...@mail.nih.gov>.
On 2/28/06 9:23 AM, "Nick Kew" <ni...@webthing.com> wrote:
> On Tuesday 28 February 2006 13:55, Sean Davis wrote:
>
>> 128.231.145.14 - sean [28/Feb/2006:08:46:34 -0500] "PUT
>> /webDAV/public/Abstract.doc HTTP/1.1" 204 -
>
> See that "sean" in there? Your client has authenticated itself.
> Where's the problem?
Sorry, Nick, for not explaining the problem clearly. The problem isn't the
lack of authentication, but what I thought was too permissive authorization.
Perhaps my understanding of LimitExcept is wrong, but I thought if I had a:
<LimitExcept GET HEAD OPTIONS>
Require user sean
</LimitExcept>
that I shouldn't be able to PUT or DELETE. The log entries show that I was
able to do that--hence the problem. I don't understand why I can PUT or
DELETE with the LimitExcept directive in place. I simply want a webDAV
directory that is read-only by the user sean.
Thanks,
Sean
---------------------------------------------------------------------
Re: [users@httpd] WebDAV directory allowing all access despite limits
Posted by Nick Kew <ni...@webthing.com>.
On Tuesday 28 February 2006 13:55, Sean Davis wrote:
> 128.231.145.14 - sean [28/Feb/2006:08:46:34 -0500] "PUT
> /webDAV/public/Abstract.doc HTTP/1.1" 204 -
See that "sean" in there? Your client has authenticated itself.
Where's the problem?
--
Nick Kew