From: "Mark Lavi"
Date: Wed, 29 Nov 2006 19:18:17 -0800
Delivered-To: mailing list users@httpd.apache.org
In-Reply-To: <486672.52124.qm@web51414.mail.yahoo.com>
Subject: RE: [users@httpd] Limiting COPY method for WebDAV to one direction

You know, the more I think about this, the more I think you could try to get closer to implementing what you want.

The example below uses LimitExcept; I think you could further restrict it by the WebDAV properties... yes, it looks like you can, as described by the HTTP methods listed for LIMIT: http://httpd.apache.org/docs/2.2/mod/core.html#limit

So you could try to add something like this to allow Group Y to COPY...

 

  # WebDAV write methods: group X only
  <Limit PUT DELETE MKCOL MOVE LOCK UNLOCK>
    Require group X
  </Limit>
  # COPY and the read methods: groups X and Y
  <Limit COPY GET POST HEAD OPTIONS>
    Require group X Y
  </Limit>

 

You could try to experiment with multiple <LIMIT> or <LIMITEXCEPT> directives to get what you need and see if Apache can handle that. You could also leave off the later directive to allow unauthenticated HTTP COPYs, GETs, etc.

Try it out; I’d expect that Apache 1.x couldn’t handle this, but 2.2.x might.

 

--Mark
Mark Lavi, Enterprise Web Management Team @ SGI
mailto:mlavi@sgi.com || phone:+1-650-933-7707

From: Todd Hivnor [mailto:spambox_98103@yahoo.com]
Sent: Wednesday, November 29, 2006 12:50 PM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Limiting COPY method for WebDAV to one direction

 

Mark, thanks for the clues. I guess I will need to tinker with OS-level file permissions to solve this. I was hoping for a pure-Apache solution, and am a bit disappointed with the granularity of control over COPY operations. But I can work around the issue using file-level permissions.

Thanks for the clue.


Mark Lavi <mlavi@sgi.com> wrote:

Ah, you’ve changed the scope of your question. :-)

 

So long as you leverage an Apache authorization module with user and group permissions, I would think you could control permissions on who can do what per directory easily, but for this solution, you would not give both groups WebDAV access.

One group (read only) could browse the web server and download contents of the autogenerated directory while the other group would be authenticated to have WebDAV privileges. It’s simpler to manage and granular to the directory, but not exactly what you are asking for because not both groups are given WebDAV permissions. So the read-only group could not do a select all files to download, much like a network drive operation, unless they used some sort of browser enhancement.

Configuration would be something like (I’m doing this off the top of my head for illustration; please don’t expect to cut and paste this without syntax correction and adaptation for your situation):

 

<Directory "/www/docroot/projects/X">
  Options Indexes
  AllowOverride None
  AuthType Basic
  AuthName "Only group X can publish!"
  AuthUserFile /home/www/acl/htpasswdfile
  AuthGroupFile /home/www/acl/groupfile
  DAV On
  # Every method except GET, HEAD and OPTIONS requires group X
  <LimitExcept GET HEAD OPTIONS>
    Require group X
  </LimitExcept>
</Directory>

 

--Mark


From: Todd Hivnor [mailto:spambox_98103@yahoo.com]
Sent: Tuesday, November 28, 2006 11:15 AM
To: users@httpd.apache.org
Subject: RE: [users@httpd] Limiting COPY method for WebDAV to one direction

 

Updating the permissions on the file system will work for folders which are strictly read-only. But in a lot of cases, I want the folder to be readable by group X and writable by group Y.



Mark Lavi <mlavi@sgi.com> wrote:

I don’t know of an Apache/WebDAV solution off the top of my head for your requirement, but it is probably easiest to address this from the filesystem: change the permissions on the directory to be read only.

 

--Mark


From: Todd Hivnor [mailto:spambox_98103@yahoo.com]
Sent: Monday, November 27, 2006 3:44 PM
To: users@httpd.apache.org
Subject: [users@httpd] Limiting COPY method for WebDAV to one direction

 

I am running WebDAV on my Apache 2.0.51 server on Fedora Core 2.

I would like to allow users to copy files _from_ a certain directory, but not _into_ it. However, if I allow the COPY method (via the LimitExcept tag) then I am allowing copy _from_ and copy _to_. There doesn't seem to be any means to control the direction of the copy method.

Is there a way to configure this? It seems like a fairly basic requirement: a read-only WebDAV folder which allows users to copy files into their personal directories, with a direct HTTP COPY call.

 - Todd




 

 


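An added illustration, not part of the thread and not Apache code: a small Python model of how `<Limit>` and `<LimitExcept>` select methods, applied to the two-block group X / group Y policy from the reply at the top of this message. It assumes the Apache 2.0/2.2 behaviour that a method with no applicable `Require` is unrestricted and that any matching `Require` line grants access; `policy`, `allowed` and the method list are constructed for this example.

```python
import re

# Constructed method list: those named in the thread, plus PROPFIND.
METHODS = ["GET", "HEAD", "POST", "OPTIONS", "PROPFIND", "COPY",
           "PUT", "DELETE", "MKCOL", "MOVE", "LOCK", "UNLOCK"]

BLOCK = re.compile(r"<(Limit|LimitExcept)\s+([^>]+)>(.*?)</\1>", re.S | re.I)
REQUIRE = re.compile(r"^\s*Require\s+group\s+(.+?)\s*$", re.M | re.I)


def policy(config):
    """Map each method to the groups allowed to use it (None: no Require applies)."""
    table = {m: None for m in METHODS}
    for kind, names, body in BLOCK.findall(config):
        listed = {n.upper() for n in names.split()}
        if "GET" in listed:
            listed.add("HEAD")  # documented: limiting GET also limits HEAD
        groups = {g for line in REQUIRE.findall(body) for g in line.split()}
        for m in METHODS:
            # <Limit> covers the listed methods, <LimitExcept> all the others
            applies = (m in listed) == (kind.lower() == "limit")
            if applies and groups:
                # assumed 2.0/2.2 behaviour: any matching Require grants access
                table[m] = (table[m] or set()) | groups
    return table


def allowed(table, group):
    """Methods open to a member of `group` only, including unrestricted ones."""
    return sorted(m for m, g in table.items() if g is None or group in g)


# The two-block policy from the reply, written with each container type.
WITH_LIMIT = """
<Limit PUT DELETE MKCOL MOVE LOCK UNLOCK>
  Require group X
</Limit>
<Limit COPY GET POST HEAD OPTIONS>
  Require group X Y
</Limit>
"""
WITH_LIMITEXCEPT = WITH_LIMIT.replace("Limit", "LimitExcept")

if __name__ == "__main__":
    for name, cfg in (("Limit", WITH_LIMIT), ("LimitExcept", WITH_LIMITEXCEPT)):
        print(name, "-> group Y may use:", allowed(policy(cfg), "Y"))
```

With `<LimitExcept>` the roles invert: group Y gets the write methods and loses COPY and GET. With `<Limit>`, PROPFIND and any other unlisted method carry no `Require` at all.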