httpd-users mailing list archives

From ms...@freezone.co.uk
Subject Re: [users@httpd] DAV According to Filesystem Permissions
Date Fri, 09 Jul 2004 07:36:55 GMT
On Jul 7, 2004, at 10:18 AM, Joshua Slive wrote:

> On Tue, 6 Jul 2004 17:45:40 -0700, ms419@freezone.co.uk
> <ms419@freezone.co.uk> wrote:
>
>> My problem is, users want to set up DAV repositories, but the "DAV On"
>> directive can't be issued in a .htaccess file. Consequently, to set up
>> DAV repositories in users' UserDir, I'm turning DAV on for all
>> UserDirs.
>>
>> I've been over the documentation and understand there are security
>> risks, so I tried restricting POST, PUT, etc. to authenticated
>> visitors. Unfortunately, this breaks users' CGIs.
>>
>> At this point, I'm considering enabling DAV and leaving POST, PUT, etc.
>> the way they were.
>>
>> I can't give authenticated users access corresponding to their
>> filesystem permissions, but filesystem permissions should still prevent
>> "www-data" from gaining more access than intended - unauthenticated
>> visitors should not have write access unless users explicitly make
>> files available to "www-data".
>>
>> Is this reasonable, or can someone point out the vulnerability in this
>> configuration?
>
> I don't really understand what you are asking.  If you are saying you
> are planning to give full-unrestricted access to DAV methods, then
> this is not a good idea.  Your server will become warez-central, since
> anyone will be able to write files.
>
> Joshua.

Ach - I hate being unclear (it's a problem even before I try expressing 
myself).

But you are correct - I'm suggesting turning DAV on *and* allowing 
unauthenticated access to POST, etc.

I'm hoping that filesystem permissions will be enough to keep warez off 
the server (and avoid any other vulnerabilities)? If the apache user 
(www-data) can't write to any of the UserDirs, neither can 
unauthenticated users?

(True, the purpose of turning DAV on is to allow users to write to 
repositories in their own directories - so users must limit access to 
POST, etc. (using .htaccess files) before enabling write access by 
www-data. The users are trusted. It would be simpler, however, if 
users' authentication gave them access corresponding to their 
filesystem permissions. : \

Many thanks for your insight!

Jack


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
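
Added example (not part of the original message or of the Apache project): the thread's premise is that unauthenticated DAV writes fail wherever the server account cannot write, so this script lists the UserDir paths where that premise does not hold. The account name "www-data" comes from the thread; the function name, the output labels and the choice to check mode bits only (no ACLs, no supplementary groups) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit UserDir trees for paths the web server account can
# write to. Any path reported here is writable through DAV by whoever the
# server accepts a PUT/MKCOL/DELETE from, authenticated or not.

# audit_userdir ROOT [WEBUSER]
# Prints "<reason> <path>" for each file or directory under ROOT that
# WEBUSER can write to according to its mode bits. Symlinks are not followed.
audit_userdir() {
    root=$1
    webuser=${2:-www-data}   # account name taken from the thread

    # World-writable: writable by every account, the server's included.
    find "$root" \( -type f -o -type d \) -perm -0002 -print |
        sed 's/^/world /'

    # find rejects unknown user/group names, so only run the owner and
    # group checks when the account exists on this host.
    if id "$webuser" >/dev/null 2>&1; then
        grp=$(id -gn "$webuser")   # primary group only (assumption)

        # Owned by the server account and owner-writable.
        find "$root" \( -type f -o -type d \) -user "$webuser" \
            -perm -0200 ! -perm -0002 -print | sed 's/^/owner /'

        # Group-owned by the server's primary group and group-writable.
        find "$root" \( -type f -o -type d \) -group "$grp" \
            -perm -0020 ! -perm -0002 ! -user "$webuser" -print |
            sed 's/^/group /'
    fi
}

# Stand-alone use: pass the UserDir roots as arguments, for example
#   sh audit_userdir.sh /home/*/public_html
# (that path layout is an assumption; use the UserDir setting in effect).
if [ "$#" -gt 0 ]; then
    for dir in "$@"; do
        audit_userdir "$dir"
    done
fi
```

An empty report covers mode bits only; POSIX ACLs and supplementary group memberships of the server account need a separate check.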