Slashdot Mirror
Implementing True WebDAV Homedirs?
"Apache has mod_dav, which seems to be primarily designed to provide a single shared space to files, where the Apache process user has read/write access. mod_auth_digest doesn't seem to be usable at the same time as mod_auth_shadow. It would appear that the only way to 'properly' do what I want to do would be to run Apache as root(!), have vhosts for every user (webdav.username.domain.com), have Apache change to that user's uid and gid before enabling webdav for their home directory, and then use basic authentication instead of digest authentication.
Is anyone out there trying this? Has Anyone used Jigsaw, kirra-httpd or even the no-longer-available MoulDAVia in a production environment? What are you using to provide non-trivial, safe WebDAV services?
I know I can use something like a restricted SCP- and SFTP-only shell, like scponly and rssh, but again, I'd prefer WebDAV as it wouldn't require the end user to install a client
application."
You've pretty much hit the nail on the head when it comes to correct file permissions and remote access to folders under apache.
The only way to really achieve it is to allow apache to set(e)uid to the user who you want it to be running as. I extended mod_become for our internal use here, and it works ok, but yes, you need to run apache as root to achieve this. I wouldn't want to go exposing it to the world-at-large.
Have you looked at any of the tools from Novell? They've invested a fair amount of effort in WebDav, they've transitioned to Apache, and NetWare 7 promises to run on a Linux kernel.
Plus, they're the only shop in the bidness with a robust, distributable, replicatable, dynamically inheritable directory service [without which they would've long since ceased to exist].
It's kind of a nasty hack, but won't this work?
??Surprisingly, even though they had a pretty big hand in publishing the WebDAV standard, Microsoft's implementations are pretty poor. Depending on whether or not certain other packages are installed (mostly anything that talks Frontpage), and service release levels, there are several different sets of behaviors/bugs you can encounter with the Web Folders implementation.
In one project I was working on, the DLL driving Web Folders would freeze up Explorer, on a couple of different XP boxes. Frozen. You had to log out to clear it up.
You might want to consider a hybrid approach anyway. WebDAV isn't really a stellar performer, nor is it really designed to be. Why not do Samba, WebDAV, Netatalk, and NFS?
Is that even possible?
.Mac services, but .Mac doesn't try to fit the square peg of UNIX user/groups into the round peg of WebDAV. It utilizes individual users as the entire security paradigm. It's not nearly as sophisticated, but it could work.
I mean, I can see this actually working if you do something like rsync between two servers or sync two directories, one preserving file ownerships a la the UNIX security paradigm, one owned by webserver, using WebDAV security.
The shortcoming here is that you couldn't use groups very easily, but you could work around this without too much difficulty.
WebDAV was never meant to mirror the UNIX user/group paradigm. I think as close as you can get is the Apple
I don't know, but when I think about it, forking httpd as arbitrary users seems like a security nightmare.
Notes From Under *nix: blas.phemo.us