6

When a user creates a file via WebDAV, the default behavior is that the file is owned by the user and group running the Apache process, with a umask of 022.

Unfortunately, this makes it impossible for unprivileged users to write to the files by other means without being a member of the group Apache runs under (which strikes me as a particularly bad idea).

My current solution is to set umask 000 in Apache's envvars and remove all world permissions from the webdav parent directory for the user. So, if the WebDAV share is /home/foo/www, then /home/foo/www is owned by www-data:foo with permissions of 770. This keeps other unprivileged users out, more or less, but it's hokey at best and a security disaster awaiting at worst.

From my research and poking around at mod_dav and Apache, I cannot find a reasonable solution short of a cron job flipping all the permissions back (I'd rather not have the load and increased complexity on the server). SuExec won't work, either, because WebDAV operations are not going to execute as a different user.

Any thoughts on this? Thank you.

Tohuw
  • 488
  • 2
  • 8
  • 23
  • 4
    My thought, is that Apache doesn't really do very well as a WebDAV server. I really wish there was something better, but I haven't found it. – Zoredache Dec 12 '12 at 01:46
  • Likewise, Zoredache. I've been looking, but I haven't found anything really satisfactory. It would be nice if there were a solid WebDAV server that ran isolated and could either run MPM-style or grant correct permissions (or at least leave them alone). EDIT: There was an MPM Apache many moons ago, but no development has happened on that in a long time. At least with that I could fork out the Apache instances as each user and utilize mod_dav under each child. – Tohuw Dec 12 '12 at 03:37
  • 1
    I would prefer a real WebDAV file server as well, but there is a solution. See my answer here: http://serverfault.com/a/457299/50950 – aef Dec 12 '12 at 03:56

1 Answers1

4

I circumvented Apache's lack of user switching capabilities by using Posix ACL. These allow you to add more group and user entries on every file and also allow setting up default permissions on directories which are automatically added to each file created within.

If I guess right and you're running Linux, you can enable Posix ACL you need to remount you file system with the acl option. Then you can use setfacl and getfacl to manage additional permissions. On Debian-based systems these tools can be found in the package acl. You can further read about Posix ACL in man acl and man setfacl. Posix ACL are also available on some BSD systems and MacOS, but I never used them there.

For example you could set up a folder in which group fileserver always has read and write access to all files within:

setfacl -Rm default:group:fileserver:rw,group:fileserver:rx /srv/fileserver

That would result in getfacl /srv/fileserver reporting something like this:

# file: /srv/fileserver
# owner: aef
# group: aef
user::rwx
group::rwx
group:fileserver:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:fileserver:rw-
default:mask::rwx
default:other::r-x

A warning though: You will probably need some time to get used to Posix ACLs, they add quite a bit more complexity, even as it doesn't seem so at first.

aef
  • 1,705
  • 4
  • 24
  • 41
  • Thank you aef! This seems very promising and I will try this as soon as I am able. I will reserve marking it as the answer until then, but I will try to get that done sometime in the next few days. Thank you. – Tohuw Dec 14 '12 at 21:39