Slashdot Mirror

← Back to Stories (view on slashdot.org)

Implementing True WebDAV Homedirs?

Posted by Cliff on from the my-$HOME-is-on-the-d.a.v dept.

Vito asks: "I'd like to use WebDAV over SSL (with [preferably digest] authentication against Unix accounts) to provide a few hundred Windows users with secure, easy, and free access to their Linux home directories. WebDAV is supported as Web Folders in Windows, meaning there is no need to download and install SFTP, SCP, FTPS, and other clients. It's also supported natively in Mac OS X, and Linux users can install davfs. But this setup doesn't seem to be possible (safely) using Apache. Do I have alternatives?"

"Apache has mod_dav, which seems to be primarily designed to provide a single shared space to files, where the Apache process user has read/write access. mod_auth_digest doesn't seem to be usable at the same time as mod_auth_shadow. It would appear that the only way to 'properly' do what I want to do would be to run Apache as root(!), have vhosts for every user (webdav.username.domain.com), have Apache change to that user's uid and gid before enabling webdav for their home directory, and then use basic authentication instead of digest authentication.

Is anyone out there trying this? Has Anyone used Jigsaw, kirra-httpd or even the no-longer-available MoulDAVia in a production environment? What are you using to provide non-trivial, safe WebDAV services?

I know I can use something like a restricted SCP- and SFTP-only shell, like scponly and rssh, but again, I'd prefer WebDAV as it wouldn't require the end user to install a client application."

12 of 47 comments (clear)

  1. mod_become by danpat · · Score: 4, Interesting

    You've pretty much hit the nail on the head when it comes to correct file permissions and remote access to folders under apache.

    The only way to really achieve it is to allow apache to set(e)uid to the user who you want it to be running as. I extended mod_become for our internal use here, and it works ok, but yes, you need to run apache as root to achieve this. I wouldn't want to go exposing it to the world-at-large.

    1. Re:mod_become by aminorex · · Score: 2

      chroot'ed, your exposure amounts to the possibility that
      a remote exploit can allow a cracker to write on /home
      as root. To solve:

      You could make the module run as a daemon uid, and
      have it invoke a setuid program that sets uid to the
      final user's.

      --
      -I like my women like I like my tea: green-
  2. mod_waklog by More+Trouble · · Score: 3, Informative

    We do something very similar to this for AFS access, using a module called "web aklog". aklog is an AFS tool for giving a process group "tokens" to talk to AFS servers on behalf of the user. The concept of "root" is meaningless in AFS, so this is a pretty secure methodology. Doesn't really help if you're trying to serve the local filesystem, tho.

    :w

  3. A name from the distant past... by Anonymous Coward · · Score: 2, Interesting

    Have you looked at any of the tools from Novell? They've invested a fair amount of effort in WebDav, they've transitioned to Apache, and NetWare 7 promises to run on a Linux kernel.

    Plus, they're the only shop in the bidness with a robust, distributable, replicatable, dynamically inheritable directory service [without which they would've long since ceased to exist].

  4. won't work? by tzanger · · Score: 2, Interesting

    It's kind of a nasty hack, but won't this work?

    <Location /user1>
    require user user1
    </Location>

    <Location /user2>
    require user user2
    </Location>

    <Location /user3>
    require user user3
    </Location>
    ??
  5. Some of my experiences by h3 · · Score: 3, Informative

    WebDAV is supported as Web Folders in Windows, meaning there is no need to download and install SFTP, SCP, FTPS, and other clients. It's also supported natively in Mac OS X

    Somethings to watch for: Windows 2000 SP2 had some issues with the mod_dav/mod_ssl combination we're running (uploads failed). Upgrading to SP3 fixed that problem.

    Windows makes it a royal pain in the ass if you are planning on using self-signed certificates. I just couldn't figure out how to make IE accept self-signed CA certs. After literally years of seeking this information, I've finally found a solution this past week. This is something you have to consider for your users if you're going to use SSL with self-signed certs: how much can they take the constant popup cert warnings and how happy will they be about going through a 8 step process to get rid of it. Either way: poor user experience, which makes it hard for me to convince my users that DAV is a good thing (they're used to FTP).

    OSX natively supports DAV but unless something has changed recently, it does NOT natively support DAV over SSL. You need Goliath for that. At least Goliath has a single "Accept this certificate permanently?" button that actually does what it advertises :p.

    I have to say I feel your pain. I'm not trying to do something as ambitious as you (I just wanted something to replace FTP for users that wanted to share files with other users outside of our network), but I've still been frustrated with trying to get the authentication business worked out with different directories having different sets of users that can access them, some with read/write and some with read-only.

    To be honest, I've recently started to re-evaluate using DAV for our needs. It just hasn't been as flexible as I had hoped.

    -h3

    1. Re:Some of my experiences by h3 · · Score: 4, Informative

      Sorry, I was too busy ranting and forgot to elaborate. Here's a page where I was tipped off http://www.drh-consultancy.demon.co.uk/pkcs12faq.h tml

      I'll be the first to admit that I don't know much about Windows and I'm no export on cryptography so maybe I'm an idiot for not having found a solution sooner. The big hurdle for me was that if I navigated to a site that used one of my own certs, IE would *offer* to add it permanently, walk me through the process, then congratulate me on successfully adding it. But it was all lies. It wasn't added.

      As the document above describes (see the 12 step usage section near the middle) the solution I found to work is to convert my openssl CA cert to "DER" format, make that a downloadable file for IE users, and have them *download and open it*. With the proper mime type, this will trigger IE to walk you through exactly the same process as above, but this time it works, suggesting IE really only likes certs in a particular format. No excuse for making up lies, though.

      Also, the way I set it up may not work for IE5, but I've had enough for one week :p. MacIE - hopeless. No way to import certs as far as I know.

      From a personal standpoint, I couldn't care less how IE handles these certs since I don't use it, but I needed to find a solution that our users could handle.

      -h3

  6. Microsoft's DAV isn't up to snuff by bpendleton · · Score: 3, Interesting

    Surprisingly, even though they had a pretty big hand in publishing the WebDAV standard, Microsoft's implementations are pretty poor. Depending on whether or not certain other packages are installed (mostly anything that talks Frontpage), and service release levels, there are several different sets of behaviors/bugs you can encounter with the Web Folders implementation.

    In one project I was working on, the DLL driving Web Folders would freeze up Explorer, on a couple of different XP boxes. Frozen. You had to log out to clear it up.

    You might want to consider a hybrid approach anyway. WebDAV isn't really a stellar performer, nor is it really designed to be. Why not do Samba, WebDAV, Netatalk, and NFS?

  7. Re:won't work? by tres · · Score: 2, Interesting

    Is that even possible?

    I mean, I can see this actually working if you do something like rsync between two servers or sync two directories, one preserving file ownerships a la the UNIX security paradigm, one owned by webserver, using WebDAV security.

    The shortcoming here is that you couldn't use groups very easily, but you could work around this without too much difficulty.

    WebDAV was never meant to mirror the UNIX user/group paradigm. I think as close as you can get is the Apple .Mac services, but .Mac doesn't try to fit the square peg of UNIX user/groups into the round peg of WebDAV. It utilizes individual users as the entire security paradigm. It's not nearly as sophisticated, but it could work.

    I don't know, but when I think about it, forking httpd as arbitrary users seems like a security nightmare.

    --
    Notes From Under *nix: blas.phemo.us
  8. There is solution but in apache2 by radek · · Score: 2, Informative

    apache 2 supports prechild MPM: "Multi-Processing Module allowing for daemon processes serving requests to be assigned a variety of different userids" Here is link: perchild It solves your uids permission part of a problem.

  9. perchild MPM by Hard_Code · · Score: 3, Informative

    You could try Apache 2.0 with perchild MPM which allows requests to be served under arbitrary user ids... (no suid,suexec crap)

    --

    It's 10 PM. Do you know if you're un-American?
  10. davenport by Dark+Fire · · Score: 3, Informative

    If you are using samba, you might want to try using davenport. Davenport offers a read only listing of files in your browser and permits read/write via webdav. davenport converts webdav requests to smb requests via the jcifs project. Davenport is a java servlet.

    davenport.sourceforge.net