Slashdot Mirror


Implementing True WebDAV Homedirs?

Vito asks: "I'd like to use WebDAV over SSL (with [preferably digest] authentication against Unix accounts) to provide a few hundred Windows users with secure, easy, and free access to their Linux home directories. WebDAV is supported as Web Folders in Windows, meaning there is no need to download and install SFTP, SCP, FTPS, and other clients. It's also supported natively in Mac OS X, and Linux users can install davfs. But this setup doesn't seem to be possible (safely) using Apache. Do I have alternatives?"

"Apache has mod_dav, which seems to be primarily designed to provide a single shared space to files, where the Apache process user has read/write access. mod_auth_digest doesn't seem to be usable at the same time as mod_auth_shadow. It would appear that the only way to 'properly' do what I want to do would be to run Apache as root(!), have vhosts for every user (webdav.username.domain.com), have Apache change to that user's uid and gid before enabling webdav for their home directory, and then use basic authentication instead of digest authentication.

Is anyone out there trying this? Has anyone used Jigsaw, kirra-httpd or even the no-longer-available MoulDAVia in a production environment? What are you using to provide non-trivial, safe WebDAV services?

I know I can use something like a restricted SCP- and SFTP-only shell, like scponly and rssh, but again, I'd prefer WebDAV as it wouldn't require the end user to install a client application."

2 of 47 comments

  1. mod_become by danpat · Score: 4, Interesting

    You've pretty much hit the nail on the head when it comes to correct file permissions and remote access to folders under apache.

    The only way to really achieve it is to allow apache to set(e)uid to the user who you want it to be running as. I extended mod_become for our internal use here, and it works ok, but yes, you need to run apache as root to achieve this. I wouldn't want to go exposing it to the world-at-large.

  2. Re:Some of my experiences by h3 · Score: 4, Informative

    Sorry, I was too busy ranting and forgot to elaborate. Here's a page where I was tipped off: http://www.drh-consultancy.demon.co.uk/pkcs12faq.html

    I'll be the first to admit that I don't know much about Windows and I'm no expert on cryptography so maybe I'm an idiot for not having found a solution sooner. The big hurdle for me was that if I navigated to a site that used one of my own certs, IE would *offer* to add it permanently, walk me through the process, then congratulate me on successfully adding it. But it was all lies. It wasn't added.

    As the document above describes (see the 12 step usage section near the middle) the solution I found to work is to convert my openssl CA cert to "DER" format, make that a downloadable file for IE users, and have them *download and open it*. With the proper mime type, this will trigger IE to walk you through exactly the same process as above, but this time it works, suggesting IE really only likes certs in a particular format. No excuse for making up lies, though.

    Also, the way I set it up may not work for IE5, but I've had enough for one week :p. MacIE - hopeless. No way to import certs as far as I know.

    From a personal standpoint, I couldn't care less how IE handles these certs since I don't use it, but I needed to find a solution that our users could handle.

    -h3
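
The PEM-to-DER conversion described in the comment above, as an added example that is not part of the original post: it converts a CA certificate with `openssl x509` and refuses to publish the DER file unless its SHA-256 fingerprint matches the PEM original. The file names and the `application/x-x509-ca-cert` MIME type are assumptions; the post does not name them.

```shell
#!/bin/sh
# Added example (not from the original thread): convert a PEM CA certificate
# to DER for browser import and confirm the DER copy is the same certificate.
# Function and file names are hypothetical.

# Print the SHA-256 fingerprint of a certificate. $1 = path, $2 = PEM or DER.
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 2>/dev/null \
        | cut -d= -f2
}

# Convert $1 (PEM) to $2 (DER). Prints the fingerprint on success; returns
# non-zero (and leaves no DER file behind) if the input is not a certificate
# or the converted copy does not match the original.
pem_to_der() {
    local pem="$1" der="$2" fp_pem fp_der
    fp_pem=$(cert_fingerprint "$pem" PEM)
    # An empty fingerprint means openssl could not parse the input.
    [ -n "$fp_pem" ] || return 1
    openssl x509 -in "$pem" -inform PEM -outform DER -out "$der" || return 1
    fp_der=$(cert_fingerprint "$der" DER)
    if [ "$fp_pem" != "$fp_der" ]; then
        echo "fingerprint mismatch, removing $der" >&2
        rm -f "$der"
        return 1
    fi
    # Give users this value over a separate channel so they can compare it
    # with the thumbprint shown for the certificate they import.
    echo "$fp_der"
}

# Usage (hypothetical paths):
#   pem_to_der /etc/ssl/myca/cacert.pem /var/www/html/cacert.der
#
# Publish only the CA certificate, never its private key.
# Apache directive so the download is handled as a CA certificate
# (assumed MIME type, not named in the post):
#   AddType application/x-x509-ca-cert .der
```

Comparing fingerprints before publishing catches a truncated or wrong file, and the printed value gives users something to check the imported certificate against.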