Posted to users@httpd.apache.org by Luke Scharf <ls...@ee.vt.edu> on 2002/02/21 19:33:54 UTC

WebDAV home directory security

I now have WebDAV and mod_auth_pam installed, but not working together
the way I want.  I'm trying to give my users the ability to edit their
$HOME/public_html directories with WebDAV and the whole world to see
their pages.

The catch is that I'd like to impose the following requirements:
1. Authentication is required only for webdav
2. Regular browser traffic does not require authentication.
2. Users can only edit their own files.  Right now, all files need to
be owned by the apache user.

I've tried turning  DAV on in the user's .htaccess file.  This is not
allowed, although we could customize the .htaccess with a "require user"
field which would do the trick.

So, I have three questions:
1. Can <Directory /home/*/public_html> be set with something like
"require user $USER"?
2. Can apache su to $USER?
3. What is the Right Way to do this - assuming that I accept the
security risk of a brute-force password-guessing attack.

Any suggestions would be greatly appreciated!

Thanks,
-Luke

-- 
Luke Scharf, Jack of Several Trades
http://www.ccm.ece.vt.edu/~lscharf


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: WebDAV home directory security

Posted by Joshua Slive <jo...@slive.ca>.
On 21 Feb 2002, Luke Scharf wrote:

> I now have WebDAV and mod_auth_pam installed, but not working together
> the way I want.  I'm trying to give my users the ability to edit their
> $HOME/public_html directories with WebDAV and the whole world to see
> their pages.
>
> The catch is that I'd like to impose the following requirements:
> 1. Authentication is required only for webdav
> 2. Regular browser traffic does not require authentication.

Those two are easy.  That is what <LimitExcept> is for.  For example:

<LimitExcept GET POST OPTIONS PROPFIND>
require valid-user
</LimitExcept>

> 2. Users can only edit their own files.  Right now, all files need to
> be owned by the apache user.

That is difficult/impossible.

>
> I've tried turning  DAV on in the user's .htaccess file.  This is not
> allowed, although we could customize the .htaccess with a "require user"
> field which would do the trick.
>
> So, I have three questions:
> 1. Can <Directory /home/*/public_html> be set with something like
> "require user $USER"?

No, but you can use mod_rewrite to check the %{REMOTE_USER} and perform
actions based on what it finds.

There is also a "require file-owner" in recent apache versions, but I
guess that only works with mod_auth.

> 2. Can apache su to $USER?

No.  This only works for cgi scripts.

> 3. What is the Right Way to do this - assuming that I accept the
> security risk of a brute-force password-guessing attack.

At the moment, I know of no easy way to mix access via normal unix
permissions and via apache/webdav.  There may be a way if you make all the
files/directories owned by the user, but also writable by that group that
apache runs under.  This will not be simple.

You may find more experienced people if you ask on the mod_dav mailing
list:
http://www.webdav.org/mod_dav/

Joshua.
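
The two suggestions in the reply above (<LimitExcept> for authentication, and mod_rewrite checking %{REMOTE_USER}) combined into one configuration. This is an added example, not configuration posted by anyone in the thread. It assumes "UserDir public_html" is in effect, so that /~alice/ maps to /home/alice/public_html, and that login names match home directory names.

```apache
# Added example, not from the thread.
# Assumptions: "UserDir public_html" is enabled and each login name equals
# the name of that user's home directory.
<Directory /home/*/public_html>
    DAV On
    # Per-directory mod_rewrite needs FollowSymLinks or SymLinksIfOwnerMatch.
    Options +SymLinksIfOwnerMatch

    AuthType Basic
    AuthName "WebDAV"
    # Authentication backend directives (mod_auth_pam in this thread) go here.

    # The listed methods stay anonymous; every other method needs a login.
    # Listing GET also covers HEAD.
    <LimitExcept GET POST OPTIONS PROPFIND>
        Require valid-user
    </LimitExcept>

    RewriteEngine On
    # Only examine the methods that were authenticated above.
    RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|OPTIONS|PROPFIND)$
    # Test string is "<login>:<URI>". The backreference \1 must repeat the
    # login after "/~"; the "!" makes the condition true when they differ.
    # An empty login never matches the pattern, so the request is refused.
    RewriteCond %{REMOTE_USER}:%{REQUEST_URI} !^([^:]+):/~\1/
    # Refuse write-type requests aimed at another user's directory.
    RewriteRule .* - [F]
</Directory>
```

This only restricts requests at the HTTP layer. Files written through WebDAV are still created by the user Apache runs as, which is the ownership problem discussed in the thread.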

