Posted to users@httpd.apache.org by "Ronald C.F.Antony" <rc...@cubiculum.com> on 2005/11/26 18:28:09 UTC

[users@httpd] webDav access to home directory as user

Hi,

I have a scenario where a regular network file system is out of the
question (firewall and ISP restrictions).

Users have regular accounts on a Linux machine, where they store  
their files, and if they are security critical, also have a user  
mountable cryptoloop file system which is mounted via ssh script on  
demand, if access is required and unmounted when no longer needed.  
This cryptoloop file system is mounted on a mount point below each  
user's home.

What I need is a way to give users the ability to mount their regular  
home directories via SSL secured webDAV in such a way that
a) their regular user names and passwords apply (no separate "web  
passwords")
b) all files are accessed by the webDAV server with the privileges of  
the user logged in, i.e. regular Unix permissions apply and files are  
created with the proper ownerships and permissions if they are uploaded.

a) and b) are important because the users may use the files sometimes  
directly on the Linux computer, and sometimes via the WebDAV mount.  
In other words, something that requires syncing of "regular files"  
and "files in a WebDAV repository" isn't called for, and we can't  
require special permissions on the files or risk that WebDAV writes
files with permissions that prevent the user from fully manipulating
the files when logged in on the Linux machine proper.

Is there a recommended way of doing this? I can't really find much  
documentation on how to use either regular user passwords for (SSL  
secured) WebDAV login, or how to make sure that the WebDAV file  
operations are executed with the UID/GID of the user using the service.

Any pointers highly welcome!

Greetings,

Ronald

Re: [users@httpd] webDav access to home directory as user

Posted by Joshua Slive <js...@gmail.com>.
On 11/27/05, Ronald C.F. Antony <rc...@cubiculum.com> wrote:

> The lack of per-user threads seems to be a rather severe limitation of
> creative uses of apache...
> ...there's e.g. this great software phpXplorer ( http://www.phpXplorer.org ),
> which would do a lot of what I'd like to do, but since Apache can't
> spawn per user instances, it makes it pretty much impossible to use
> this as an interface to users' real home directories.

php can be run through cgi/suexec.  mod_dav can't.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] webDav access to home directory as user

Posted by "Ronald C.F. Antony" <rc...@cubiculum.com>.
On 26 Nov 2005, at 13:33, Joshua Slive wrote:

> On 11/26/05, Ronald C. F. Antony <rc...@cubiculum.com> wrote:
>
>> What I need is a way to give users the ability to mount their regular
>> home directories via SSL secured webDAV in such a way that
>> a) their regular user names and passwords apply (no separate "web
>> passwords")
>> b) all files are accessed by the webDAV server with the privileges of
>> the user logged in, i.e. regular Unix permissions apply and files are
>> created with the proper ownerships and permissions if they are  
>> uploaded.
>>
>> a) and b) are important because the users may use the files sometimes
>> directly on the Linux computer, and sometimes via the WebDAV mount.
>> In other words, something that requires syncing of "regular files"
>> and "files in a WebDAV repository" isn't called for, and we can't
>> require special permissions on the files or risk that WebDAV writes
>> files with permissions that prevent the user from fully manipulating
>> the files when logged in on the Linux machine proper.
>
> The mod_dav docs:
> http://httpd.apache.org/docs/2.0/mod/mod_dav.html#security
> are pretty clear that this isn't supported.  The dav repository is
> private to mod_dav and cannot be shared with non-dav access methods.
> (There is no provision for proper locking in this case, so you risk
> trashing your files.)  In addition, apache does not support serving
> files under many different user ids, except through cgi and suexec.
>
> So I think you'll need to rethink your basic setup here.  mod_dav is
> not designed to interact with non-dav access in the way you specify.

Thanks for the information. Bummer. I really don't care about file
locking, since trashing files could easily be done as well with other
network file systems that only have optional/advisory locking. Also,
users are either at the console, or they are in the field, so they would
never access their home folder by means of both methods anyway, while
outside of their home folder they have read-only access, so they can't
do harm there.

What I was hoping for is that one could have a webDav realm, with SSL
protected basic authentication based on the regular passwd file, and
then have a worker thread spawned for each login, running under the
user ID of the logged in person, i.e. a suexec-ed dav thread for each
logged in user.

Looks like Apache isn't up to that task. Is anyone aware of some other
software that can export a file system over the dav protocol?
I found http://search.cpan.org/src/LBROCARD/Net-DAV-Server-1.27/README
but that's just about all the documentation on that, so it's not clear
to me what this can do, and how it works...

The lack of per-user threads seems to be a rather severe limitation of
creative uses of apache...
...there's e.g. this great software phpXplorer ( http://www.phpXplorer.org ),
which would do a lot of what I'd like to do, but since Apache can't
spawn per user instances, it makes it pretty much impossible to use
this as an interface to users' real home directories.

The only software that does something like that right now is Usermin's
File Manager module, which works great as a web interface, but of course
doesn't offer a dav equivalent.

Ronald

Re: [users@httpd] webDav access to home directory as user

Posted by Joshua Slive <js...@gmail.com>.
On 11/26/05, Ronald C. F. Antony <rc...@cubiculum.com> wrote:

> What I need is a way to give users the ability to mount their regular
> home directories via SSL secured webDAV in such a way that
> a) their regular user names and passwords apply (no separate "web
> passwords")
> b) all files are accessed by the webDAV server with the privileges of
> the user logged in, i.e. regular Unix permissions apply and files are
> created with the proper ownerships and permissions if they are uploaded.
>
> a) and b) are important because the users may use the files sometimes
> directly on the Linux computer, and sometimes via the WebDAV mount.
> In other words, something that requires syncing of "regular files"
> and "files in a WebDAV repository" isn't called for, and we can't
> require special permissions on the files or risk that WebDAV writes
> files with permissions that prevent the user from fully manipulating
> the files when logged in on the Linux machine proper.

The mod_dav docs:
http://httpd.apache.org/docs/2.0/mod/mod_dav.html#security
are pretty clear that this isn't supported.  The dav repository is
private to mod_dav and cannot be shared with non-dav access methods. 
(There is no provision for proper locking in this case, so you risk
trashing your files.)  In addition, apache does not support serving
files under many different user ids, except through cgi and suexec.

So I think you'll need to rethink your basic setup here.  mod_dav is
not designed to interact with non-dav access in the way you specify.

Joshua.
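As an added illustration (not part of the thread, and not configuration from either poster), here is the kind of mod_dav setup the security notes Joshua links to actually describe, in Apache 2.0 directive style. It makes the two limitations concrete: every request runs as the single httpd User/Group, so files the share creates are owned by that account rather than by the authenticated user, and authentication comes from a separate htpasswd file, not the system passwd. The paths, file names and the www-data account are assumptions for the example.

```apache
# Added example, not from the thread. Paths and the www-data account are assumed.
LoadModule dav_module     modules/mod_dav.so
LoadModule dav_fs_module  modules/mod_dav_fs.so

# httpd serves every DAV request as this one identity; anything a client
# PUTs or MKCOLs ends up owned by www-data, not by the logged-in user.
User  www-data
Group www-data

# Lock database kept outside the share. Only DAV clients honour it, so a
# shell user editing the same directory locally bypasses it entirely.
DavLockDB /var/lock/apache2/DavLock

Alias /dav /srv/dav
<Directory /srv/dav>
    Dav On
    # Refuse plain HTTP so Basic credentials are never sent in clear.
    SSLRequireSSL
    AuthType Basic
    AuthName "DAV share"
    # Separate credential store (htpasswd format), not /etc/passwd or shadow.
    AuthUserFile /etc/apache2/dav.htpasswd
    Require valid-user
</Directory>
```

For this to work, /srv/dav must be writable by www-data, which is exactly why it cannot double as a user's home directory under normal Unix permissions: the share's files and the user's own files would carry different owners, the situation requirement b) in the original mail rules out.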
