You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Todd Hivnor <sp...@yahoo.com> on 2006/11/28 00:44:28 UTC
[users@httpd] Limiting COPY method for WebDAV to one direction
I am running WebDAV on my Apache 2.0.51 server on Fedora Core 2.
I would like to allow users to copy files _from_ a certain directory,
but not _into_ it. However, if I allow the COPY method (via a the
LimitExcept tag) then I am allowing copy _from_ and copy _to_. There doesn't
seem to be able to any means to control the direction of the copy
method.
Is there are way to configure this? It seems like a fairly basic
requirement: a read-only WebDAV folder which allows users to copy files into
their personal directories, with a direct HTTP COPY call.
- Todd
---------------------------------
Access over 1 million songs - Yahoo! Music Unlimited.
RE: [users@httpd] Limiting COPY method for WebDAV to one direction
Posted by Mark Lavi <ml...@sgi.com>.
You know, the more I think about this, the more I think you could try to
get closer to implement what you want.
The example below uses LimitExcept, I think you could further restrict
it by the WebDAV properties...yes, it looks like you can as described by
the HTTP methods listed for LIMIT:
http://httpd.apache.org/docs/2.2/mod/core.html#limit
So you could try to add something like this to allow Group Y to COPY...
<LimitExcept PUT DELETE MKCOL MOVE LOCK UNLOCK>
Require group X
</LimitExcept>
<LimitExcept COPY GET POST HEAD OPTIONS>
Require group X Y
</LimitExcept>
You could try to experiment multiple <LIMIT> or <LIMITEXCEPT> directives
to get what you need and see if Apache can handle that. You could also
leave off the later directive to allow unauthenticated HTTP COPYs, GETs,
etc.
Try it out, I'd expect that Apache 1.x couldn't handle this, but 2.2.x
might.
--Mark
Mark Lavi, Enterprise Web Management Team @ SGI
mailto:mlavi@sgi.com || phone:+1-650-933-7707
________________________________
From: Todd Hivnor [mailto:spambox_98103@yahoo.com]
Sent: Wednesday, November 29, 2006 12:50 PM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Limiting COPY method for WebDAV to one
direction
Mark, thank for the clues. I guess I will need to tinker with OS-level
file permissions to solve this. I was hoping for a pure-Apache solution,
and am a bit disappointed with the granularity of control over COPY
operations. But I can work around the issue using file level
permissions.
Thanks for the clue.
Mark Lavi <ml...@sgi.com> wrote:
Ah, you've changed the scope of your question. :-)
So long as you leverage an Apache authorization module with user and
group permissions, I would think you could control permissions on who
can do what per directory easily, but for this solution, you would not
give both groups WebDAV access.
One group (read only) could browse the web server and download contents
of the autogenerated directory while the other group would be
authenticated to have WebDAV privileges. It's simpler to manage and
granular to the directory, but not exactly what you are asking for
because not both groups are given WebDAV permissions. So the read only
group could not do a select all files to download, much like a network
drive operation, unless they used some sort of browser enhancement.
Configuration would be something like (I'm doing this off the top of my
head for illustration, please don't expect to cut and paste this without
syntax correction and adaptation for your situation):
<Directory "/www/docroot/projects/X">
Options Indexes
AllowOverride None
AuthType Basic
AuthName "Only group X can publish!"
AuthUserFile /home/www/acl/htpasswdfile
AuthGroupFile /home/www/acl/groupfile
DAV On
<LimitExcept GET HEAD OPTIONS>
Require group X
</LimitExcept>
</Directory>
--Mark
Mark Lavi, Enterprise
Web Management Team @ SGI
mailto:mlavi@sgi.com || phone:+1-650-933-7707
________________________________
From: Todd Hivnor [mailto:spambox_98103@yahoo.com]
Sent: Tuesday, November 28, 2006 11:15 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Limiting COPY method for WebDAV to one
direction
Updating the permissions on the file system will work for folders which
are strictly read-only. But in a lot of cases, I want the folder to be
readable by group X and writable by group Y.
Mark Lavi <ml...@sgi.com> wrote:
I don't know of an Apache/WebDAV solution off the top of my head for
your requirement, but it is probably easiest to address this from the
filesystem: change the permissions on the directory to be read only.
--Mark
Mark Lavi, Enterprise Web Management Team @
SGI
mailto:mlavi@sgi.com || phone:+1-650-933-7707
________________________________
From: Todd Hivnor [mailto:spambox_98103@yahoo.com]
Sent: Monday, November 27, 2006 3:44 PM
To: users@httpd.apache.org
Subject: [users@httpd] Limiting COPY method for WebDAV to one direction
I am running WebDAV on my Apache 2.0.51 server on Fedora Core 2.
I would like to allow users to copy files _from_ a certain directory,
but not _into_ it. However, if I allow the COPY method (via a the
LimitExcept tag) then I am allowing copy _from_ and copy _to_. There
doesn't
seem to be able to any means to control the direction of the copy
method.
Is there are way to
configure this? It seems like a fairly basic
requirement: a read-only WebDAV folder which allows users to copy
files into
their personal directories, with a direct HTTP COPY call.
- Todd
________________________________
Everyone is raving about the all-new Yahoo! Mail beta.
<http://us.rd.yahoo.com/evt=45083/*http:/advision.webevents.yahoo.com/ma
ilbeta>
________________________________
Check out the all-new Yahoo! Mail beta
<http://us.rd.yahoo.com/evt=43257/*http:/advision.webevents.yahoo.com/ma
ilbeta> - Fire up a more powerful email and get things done faster.
RE: [users@httpd] Limiting COPY method for WebDAV to one direction
Posted by Todd Hivnor <sp...@yahoo.com>.
Mark, thank for the clues. I guess I will need to tinker with OS-level file permissions to solve this. I was hoping for a pure-Apache solution, and am a bit disappointed with the granularity of control over COPY operations. But I can work around the issue using file level permissions.
Thanks for the clue.
Mark Lavi <ml...@sgi.com> wrote: v\:* {behavior:url(#default#VML);} o\:* {behavior:url(#default#VML);} w\:* {behavior:url(#default#VML);} .shape {behavior:url(#default#VML);} st1\:*{behavior:url(#default#ieooui) } Ah, youve changed the scope of your question. J
So long as you leverage an Apache authorization module with user and group permissions, I would think you could control permissions on who can do what per directory easily, but for this solution, you would not give both groups WebDAV access.
One group (read only) could browse the web server and download contents of the autogenerated directory while the other group would be authenticated to have WebDAV privileges. Its simpler to manage and granular to the directory, but not exactly what you are asking for because not both groups are given WebDAV permissions. So the read only group could not do a select all files to download, much like a network drive operation, unless they used some sort of browser enhancement.
Configuration would be something like (Im doing this off the top of my head for illustration, please dont expect to cut and paste this without syntax correction and adaptation for your situation):
<Directory "/www/docroot/projects/X">
Options Indexes
AllowOverride None
AuthType Basic
AuthName "Only group X can publish!"
AuthUserFile /home/www/acl/htpasswdfile
AuthGroupFile /home/www/acl/groupfile
DAV On
<LimitExcept GET HEAD OPTIONS>
Require group X
</LimitExcept>
</Directory>
--Mark
Mark Lavi, Enterprise Web Management Team @ SGI
mailto:mlavi@sgi.com || phone:+1-650-933-7707
---------------------------------
From: Todd Hivnor [mailto:spambox_98103@yahoo.com]
Sent: Tuesday, November 28, 2006 11:15 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Limiting COPY method for WebDAV to one direction
Updating the permissions on the file system will work for folders which are strictly read-only. But in a lot of cases, I want the folder to be readable by group X and writable by group Y.
Mark Lavi <ml...@sgi.com> wrote:
I dont know of an Apache/WebDAV solution off the top of my head for your requirement, but it is probably easiest to address this from the filesystem: change the permissions on the directory to be read only.
--Mark
Mark Lavi, Enterprise Web Management Team @
SGI
mailto:mlavi@sgi.com || phone:+1-650-933-7707
---------------------------------
From: Todd Hivnor [mailto:spambox_98103@yahoo.com]
Sent: Monday, November 27, 2006 3:44 PM
To: users@httpd.apache.org
Subject: [users@httpd] Limiting COPY method for WebDAV to one direction
I am running WebDAV on my Apache 2.0.51 server on Fedora Core 2.
I would like to allow users to copy files _from_ a certain directory,
but not _into_ it. However, if I allow the COPY method (via a the
LimitExcept tag) then I am allowing copy _from_ and copy _to_. There doesn't
seem to be able to any means to control the direction of the copy
method.
Is there are way to
configure this? It seems like a fairly basic
requirement: a read-only WebDAV folder which allows users to copy files into
their personal directories, with a direct HTTP COPY call.
- Todd
---------------------------------
Everyone is raving about the all-new Yahoo! Mail beta.
---------------------------------
Check out the all-new Yahoo! Mail beta - Fire up a more powerful email and get things done faster.
RE: [users@httpd] Limiting COPY method for WebDAV to one direction
Posted by Mark Lavi <ml...@sgi.com>.
Ah, you've changed the scope of your question. :-)
So long as you leverage an Apache authorization module with user and
group permissions, I would think you could control permissions on who
can do what per directory easily, but for this solution, you would not
give both groups WebDAV access.
One group (read only) could browse the web server and download contents
of the autogenerated directory while the other group would be
authenticated to have WebDAV privileges. It's simpler to manage and
granular to the directory, but not exactly what you are asking for
because not both groups are given WebDAV permissions. So the read only
group could not do a select all files to download, much like a network
drive operation, unless they used some sort of browser enhancement.
Configuration would be something like (I'm doing this off the top of my
head for illustration, please don't expect to cut and paste this without
syntax correction and adaptation for your situation):
<Directory "/www/docroot/projects/X">
Options Indexes
AllowOverride None
AuthType Basic
AuthName "Only group X can publish!"
AuthUserFile /home/www/acl/htpasswdfile
AuthGroupFile /home/www/acl/groupfile
DAV On
<LimitExcept GET HEAD OPTIONS>
Require group X
</LimitExcept>
</Directory>
--Mark
Mark Lavi, Enterprise Web Management Team @ SGI
mailto:mlavi@sgi.com || phone:+1-650-933-7707
________________________________
From: Todd Hivnor [mailto:spambox_98103@yahoo.com]
Sent: Tuesday, November 28, 2006 11:15 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Limiting COPY method for WebDAV to one
direction
Updating the permissions on the file system will work for folders which
are strictly read-only. But in a lot of cases, I want the folder to be
readable by group X and writable by group Y.
Mark Lavi <ml...@sgi.com> wrote:
I don't know of an Apache/WebDAV solution off the top of my head for
your requirement, but it is probably easiest to address this from the
filesystem: change the permissions on the directory to be read only.
--Mark
Mark Lavi, Enterprise Web Management Team @
SGI
mailto:mlavi@sgi.com || phone:+1-650-933-7707
________________________________
From: Todd Hivnor [mailto:spambox_98103@yahoo.com]
Sent: Monday, November 27, 2006 3:44 PM
To: users@httpd.apache.org
Subject: [users@httpd] Limiting COPY method for WebDAV to one direction
I am running WebDAV on my Apache 2.0.51 server on Fedora Core 2.
I would like to allow users to copy files _from_ a certain directory,
but not _into_ it. However, if I allow the COPY method (via a the
LimitExcept tag) then I am allowing copy _from_ and copy _to_. There
doesn't
seem to be able to any means to control the direction of the copy
method.
Is there are way to
configure this? It seems like a fairly basic
requirement: a read-only WebDAV folder which allows users to copy files
into
their personal directories, with a direct HTTP COPY call.
- Todd
________________________________
Everyone is raving about the all-new Yahoo! Mail beta.
<http://us.rd.yahoo.com/evt=45083/*http:/advision.webevents.yahoo.com/ma
ilbeta>
RE: [users@httpd] Limiting COPY method for WebDAV to one direction
Posted by Todd Hivnor <sp...@yahoo.com>.
Updating the permissions on the file system will work for folders which are strictly read-only. But in a lot of cases, I want the folder to be readable by group X and writable by group Y.
Mark Lavi <ml...@sgi.com> wrote: v\:* {behavior:url(#default#VML);} o\:* {behavior:url(#default#VML);} w\:* {behavior:url(#default#VML);} .shape {behavior:url(#default#VML);} st1\:*{behavior:url(#default#ieooui) } I dont know of an Apache/WebDAV solution off the top of my head for your requirement, but it is probably easiest to address this from the filesystem: change the permissions on the directory to be read only.
--Mark
Mark Lavi, Enterprise Web Management Team @ SGI
mailto:mlavi@sgi.com || phone:+1-650-933-7707
---------------------------------
From: Todd Hivnor [mailto:spambox_98103@yahoo.com]
Sent: Monday, November 27, 2006 3:44 PM
To: users@httpd.apache.org
Subject: [users@httpd] Limiting COPY method for WebDAV to one direction
I am running WebDAV on my Apache 2.0.51 server on Fedora Core 2.
I would like to allow users to copy files _from_ a certain directory,
but not _into_ it. However, if I allow the COPY method (via a the
LimitExcept tag) then I am allowing copy _from_ and copy _to_. There doesn't
seem to be able to any means to control the direction of the copy
method.
Is there are way to configure this? It seems like a fairly basic
requirement: a read-only WebDAV folder which allows users to copy files into
their personal directories, with a direct HTTP COPY call.
- Todd
---------------------------------
Everyone is raving about the all-new Yahoo! Mail beta.
RE: [users@httpd] Limiting COPY method for WebDAV to one direction
Posted by Mark Lavi <ml...@sgi.com>.
I don't know of an Apache/WebDAV solution off the top of my head for
your requirement, but it is probably easiest to address this from the
filesystem: change the permissions on the directory to be read only.
--Mark
Mark Lavi, Enterprise Web Management Team @ SGI
mailto:mlavi@sgi.com || phone:+1-650-933-7707
________________________________
From: Todd Hivnor [mailto:spambox_98103@yahoo.com]
Sent: Monday, November 27, 2006 3:44 PM
To: users@httpd.apache.org
Subject: [users@httpd] Limiting COPY method for WebDAV to one direction
I am running WebDAV on my Apache 2.0.51 server on Fedora Core 2.
I would like to allow users to copy files _from_ a certain directory,
but not _into_ it. However, if I allow the COPY method (via a the
LimitExcept tag) then I am allowing copy _from_ and copy _to_. There
doesn't
seem to be able to any means to control the direction of the copy
method.
Is there are way to configure this? It seems like a fairly basic
requirement: a read-only WebDAV folder which allows users to copy files
into
their personal directories, with a direct HTTP COPY call.
- Todd
________________________________
Access over 1 million songs - Yahoo! Music Unlimited.
<http://pa.yahoo.com/*http:/us.rd.yahoo.com/evt=36035/*http:/music.yahoo
.com/unlimited/>