httpd-users mailing list archives

From Joshua Slive <jos...@slive.ca>
Subject Re: WebDAV home directory security
Date Thu, 21 Feb 2002 19:06:38 GMT

On 21 Feb 2002, Luke Scharf wrote:

> I now have WebDAV and mod_auth_pam installed, but not working together
> the way I want.  I'm trying to give my users the ability to edit their
> $HOME/public_html directories with WebDAV and the whole world to see
> their pages.
>
> The catch is that I'd like to impose the following requirements:
> 1. Authentication is required only for webdav
> 2. Regular browser traffic does not require authentication.

Those two are easy.  That is what <LimitExcept> is for.  For example:

<LimitExcept GET POST OPTIONS PROPFIND>
require valid-user
</LimitExcept>

> 2. Users can only edit their own files.  Right now, all files need to
> be owned by the apache user.

That is difficult/impossible.

>
> I've tried turning DAV on in the user's .htaccess file.  This is not
> allowed, although we could customize the .htaccess with a "require user"
> field which would do the trick.
>
> So, I have three questions:
> 1. Can <Directory /home/*/public_html> be set with something like
> "require user $USER"?

No, but you can use mod_rewrite to check the %{REMOTE_USER} and perform
actions based on what it finds.

There is also a "require file-owner" in recent apache versions, but I
guess that only works with mod_auth.

> 2. Can apache su to $USER?

No.  This only works for cgi scripts.

> 3. What is the Right Way to do this - assuming that I accept the
> security risk of a brute-force password-guessing attack.

At the moment, I know of no easy way to mix access via normal unix
permissions and via apache/webdav.  There may be a way if you make all the
files/directories owned by the user, but also writable by that group that
apache runs under.  This will not be simple.

You may find more experienced people if you ask on the mod_dav mailing
list:
http://www.webdav.org/mod_dav/

Joshua.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
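
Added example, not part of the original message: one way the mod_rewrite check on %{REMOTE_USER} suggested in the reply could be combined with the <LimitExcept> block. It assumes mod_userdir-style URLs (/~user/...), Basic authentication and per-directory rewriting; it restricts requests at the HTTP layer only and does not change who owns the files on disk.

```apache
# Added example. Assumptions: mod_userdir URLs of the form /~user/...,
# Basic auth, and mod_dav and mod_rewrite loaded.
<Directory "/home/*/public_html">
    DAV On

    # Per-directory rewriting is refused unless one of the symlink
    # options is enabled for this directory.
    Options +SymLinksIfOwnerMatch

    AuthType Basic
    AuthName "WebDAV"
    # The authentication provider's own directives (mod_auth_pam in the
    # thread) go here; they are not shown on the page.

    # Browsing stays anonymous; every other method needs a login.
    <LimitExcept GET POST OPTIONS PROPFIND>
        Require valid-user
    </LimitExcept>

    RewriteEngine On
    # Only look at the methods that <LimitExcept> sent through authentication.
    RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|OPTIONS|PROPFIND)$
    # Join user name and URL, then require the URL to begin with /~<user>/.
    # \1 is a backreference to the captured name, so it is compared literally,
    # and the trailing slash keeps "luke" from matching /~luke2/.
    RewriteCond %{REMOTE_USER}:%{REQUEST_URI} !^([^:]+):/~\1/
    # Authenticated, but writing outside the caller's own tree: refuse.
    RewriteRule ^ - [F]
</Directory>
```

The rule inspects the request URL only. COPY and MOVE also name a target in the Destination header, so test those methods across two accounts before relying on it.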

