Implementing True WebDAV Homedirs?

Vito asks: "I'd like to use WebDAV over SSL (with [preferably digest] authentication against Unix accounts) to provide a few hundred Windows users with secure, easy, and free access to their Linux home directories. WebDAV is supported as Web Folders in Windows, meaning there is no need to download and install SFTP, SCP, FTPS, and other clients. It's also supported natively in Mac OS X, and Linux users can install davfs. But this setup doesn't seem to be possible (safely) using Apache. Do I have alternatives?"

"Apache has mod_dav, which seems to be primarily designed to provide a single shared space to files, where the Apache process user has read/write access. mod_auth_digest doesn't seem to be usable at the same time as mod_auth_shadow. It would appear that the only way to 'properly' do what I want to do would be to run Apache as root(!), have vhosts for every user (webdav.username.domain.com), have Apache change to that user's uid and gid before enabling webdav for their home directory, and then use basic authentication instead of digest authentication.

Is anyone out there trying this? Has Anyone used Jigsaw, kirra-httpd or even the no-longer-available MoulDAVia in a production environment? What are you using to provide non-trivial, safe WebDAV services?

I know I can use something like a restricted SCP- and SFTP-only shell, like scponly and rssh, but again, I'd prefer WebDAV as it wouldn't require the end user to install a client application."

mod_waklog

[More+Trouble]

We do something very similar to this for AFS access, using a module called "web aklog". aklog is an AFS tool for giving a process group "tokens" to talk to AFS servers on behalf of the user. The concept of "root" is meaningless in AFS, so this is a pretty secure methodology. Doesn't really help if you're trying to serve the local filesystem, tho.

:w

Some of my experiences

[h3]

WebDAV is supported as Web Folders in Windows, meaning there is no need to download and install SFTP, SCP, FTPS, and other clients. It's also supported natively in Mac OS X

Somethings to watch for: Windows 2000 SP2 had some issues with the mod_dav/mod_ssl combination we're running (uploads failed). Upgrading to SP3 fixed that problem.

Windows makes it a royal pain in the ass if you are planning on using self-signed certificates. I just couldn't figure out how to make IE accept self-signed CA certs. After literally years of seeking this information, I've finally found a solution this past week. This is something you have to consider for your users if you're going to use SSL with self-signed certs: how much can they take the constant popup cert warnings and how happy will they be about going through a 8 step process to get rid of it. Either way: poor user experience, which makes it hard for me to convince my users that DAV is a good thing (they're used to FTP).

OSX natively supports DAV but unless something has changed recently, it does NOT natively support DAV over SSL. You need Goliath for that. At least Goliath has a single "Accept this certificate permanently?" button that actually does what it advertises :p.

I have to say I feel your pain. I'm not trying to do something as ambitious as you (I just wanted something to replace FTP for users that wanted to share files with other users outside of our network), but I've still been frustrated with trying to get the authentication business worked out with different directories having different sets of users that can access them, some with read/write and some with read-only.

To be honest, I've recently started to re-evaluate using DAV for our needs. It just hasn't been as flexible as I had hoped.

-h3

Re:Some of my experiences

[h3]

Sorry, I was too busy ranting and forgot to elaborate. Here's a page where I was tipped off http://www.drh-consultancy.demon.co.uk/pkcs12faq.h tml

I'll be the first to admit that I don't know much about Windows and I'm no export on cryptography so maybe I'm an idiot for not having found a solution sooner. The big hurdle for me was that if I navigated to a site that used one of my own certs, IE would *offer* to add it permanently, walk me through the process, then congratulate me on successfully adding it. But it was all lies. It wasn't added.

As the document above describes (see the 12 step usage section near the middle) the solution I found to work is to convert my openssl CA cert to "DER" format, make that a downloadable file for IE users, and have them *download and open it*. With the proper mime type, this will trigger IE to walk you through exactly the same process as above, but this time it works, suggesting IE really only likes certs in a particular format. No excuse for making up lies, though.

Also, the way I set it up may not work for IE5, but I've had enough for one week :p. MacIE - hopeless. No way to import certs as far as I know.

From a personal standpoint, I couldn't care less how IE handles these certs since I don't use it, but I needed to find a solution that our users could handle.

-h3

There is solution but in apache2

[radek]

apache 2 supports prechild MPM: "Multi-Processing Module allowing for daemon processes serving requests to be assigned a variety of different userids" Here is link: perchild It solves your uids permission part of a problem.

perchild MPM

[Hard_Code]

You could try Apache 2.0 with perchild MPM which allows requests to be served under arbitrary user ids... (no suid,suexec crap)

davenport

[Dark+Fire]

If you are using samba, you might want to try using davenport. Davenport offers a read only listing of files in your browser and permits read/write via webdav. davenport converts webdav requests to smb requests via the jcifs project. Davenport is a java servlet.

davenport.sourceforge.net