WebDAV Support in DirectAdmin Question

roarkh

I just installed DirectAdmin on a box running CentOS 5.2 and almost everything has gone very smoothly. I'm quite happy, but I do have a question about WebDAV support. It looked like everything was going to be trivial, as apparently the WebDAV extensions are now included with DA by default (I had to install it myself on an older DirectAdmin box). This made it appear to me that DirectAdmin is now supporting WebDAV out of the box, but unfortunately it turned out to not be quite so simple. I was able to read directory listings and download files with WebDAV but was unable to upload anything. After checking the error logs I found a message about a missing lock database.

I did some digging and found a file in /etc/httpd/conf/extra named httpd-dav.conf which contains the following line...
Code:
DavLockDB "/etc/httpd/var/DavLock"
But apparently the DavLock database files were not set up during installation, which is where I'm wondering if I made a mistake somehow or not. I created the files manually and now things apparently seem to be working. Is this normal behavior for a clean DirectAdmin installation or should those files have been created by the installer?
 
Hello,

WebDAV is not supported at this time. All apache modules/configs are there just for any future implementation, but because of the process rights of "apache" that webDAV would be using, no files would be able to be uploaded to user folders because they're chowned to the user, not apache. We also don't want to have all user files chowned to "apache" as that would be very insecure (everyone could edit each other's files according to linux rules if they had apache write access, which is bad). We're still open to other methods of making webDAV work securely (as the correct user), but FTP is still, and will likely always be, the best upload method of choice.

John
 
Ok, I understand your reasoning, I would not use WebDav for uploading web pages either. In this case I only needed to enable it on one folder that hosts calendars published from Apple iCal.
 
I have had very poor luck with FTP and scp moving very large #'s of small files. It turned out to be well over 100 times faster to use FrontPage. This inability to use WebDAV has been the primary reason I have been unable to upgrade to new apache and use custom build. I have customers who like to use the publishing functions of SharePoint, and also like using the shared folders, calendars, etc... While I know many admins don't like supporting webDAV, I have customers who have it as a major priority.

My point is, we all have varying needs, and while many would like to say there is never a circumstance that would merit needing webDAV, I disagree. I think under certain circumstances, it is merited. All I am asking for is the option.
 
It's not just an option, it's a change in your server security model.

Note that WebDAV in and of itself uses its own authentication systems which should keep WebDAV itself secure, but it requires security settings in Unix/Linux that make it possible to use other common commands to overwrite, add, and even delete, files. It seems that WebDAV requires that all files be owned by user apache. This is exactly what we've tried to get away from to make PHP more secure.

My personal feeling is that WebDAV and PHP on the same Linux/Unix based server are a security nightmare waiting to happen.

Do you really want that?

Okay, I presume you do.

But John has already written that DirectAdmin has installed the stubs and you can install the rest. It won't make DirectAdmin stop working.

Jeff
 
Jeff and John are correct: files written with WebDAV have the owner and group set to Apache, and this would create a serious security risk if used server wide as a replacement for ftp. That being said, if you like, I can tell you what I did to create the lock database to get it working.
WebDAV also requires each site's httpd.conf files to be modified for any directory you want to support WebDAV. In my case I only enabled it for a single subdirectory of one of my sites that I write some calendars to, and in my case I am both the administrator of the server and for that site. I believe it is relatively safe to use given those circumstances but would never use it as a replacement for using ftp to upload the sites themselves.
 
Ok, this is what I did to finish the WebDAV installation on my DirectAdmin Server (running CentOS 5.2). There is a config file for WebDAV located in /etc/httpd/conf/extra called httpd-dav.conf. In it is a reference to the DavLockDB.
Code:
DavLockDB "/etc/httpd/var/DavLock"
I'm sure you could change this line and create the database somewhere else (like /var/db for instance) but since I thought the config file might get rewritten at some point with an update I decided to stick with the listed location. You will need to do the following as root to create the database...
Code:
cd /etc/httpd
mkdir var
cd var
touch DavLock.dir
touch DavLock.pag
chown apache:apache DavLock.dir
chown apache:apache DavLock.pag
chmod 640 DavLock.dir
chmod 640 DavLock.pag
Then restart apache...
Code:
/sbin/service httpd restart
Once apache has restarted you are ready to use WebDAV, but you still will need to add a Dav On directive to each directory you want it enabled for. I recommend doing this using the DirectAdmin Control Panel by logging in as the Admin user and clicking "Custom HTTPD Configurations" in the Extra Features section. You can then click on the domain you want to enable it for.

There are a couple of things to keep in mind. The directory must have permissions set so that the user that apache is running as (in my case it's apache) has read and write access to the directory, and of course this is where significant security issues come into play. Also, if you simply add the Dav On directive to a directory I am pretty sure that this results in read and write access through WebDAV to anyone (something you almost certainly do not want). On my server the folder I have activated it for is part of a site that is secure and password protected already. I would recommend doing a Google search for WebDAV configuration as there are different ways to deal with the security and one may work better for you.

One more thing (I may be wrong about this) but I think that after editing the httpd configuration files with the DirectAdmin control panel that the apache service needs to be restarted again (unless using the control panel does it for you which to be honest I've not tested).

Good luck and I think I will just restate that doing this could potentially have severe security implications on your server. I would limit the use of Web Dav folders to an absolute minimum and as I mentioned in previous posts I would never use it for maintaining full web sites, etc. As mentioned in previous posts sticking with ftp (or scp) is probably a better option for that.
 
I don't have httpd-dav.conf or /etc/httpd/conf/extra... so are those made by custombuild? I am running customapache.

This looks really followable (if only I had that folder and file)

Thanks!!
 
The thread is quite old but I bumped into a difficulty and wonder whether anyone recognises the problem / solution:

I set up WebDAV on the folder /private_html with basic authentication. Using Webdrive I can access the contents of the folder but only as read-only. I can't add new files or modify existing ones.

Apache 2 runs under the user 'apache', suphp runs as user 'webapps' and I suppose there is the username under which the folder is stored. I presume that somewhere along the way there is a problem with having three different users / groups, but I can't put my finger on it.

Any thoughts? Thanks!
 
Some additional information:

- I made the location /etc/httpd/conf/var chmod 777, same for the two DAVlock files. Ownership apache.apache.

- the private_html folder is chowned to apache.apache and chmod 755 (doing chmod 777 did not make a difference).

- if I allow rwx rights access to just the user (not group + other), I cannot get access, irrespective of which owner I chown the private_html to (apache, webapps and the hosting user).


- in the http-dav.conf I enabled:

DavLockDB "/etc/httpd/var/DavLock"


- in the user's httpd.conf I added (fictitious domain):

<Directory /home/john/domains/webdisk.user.com/private_html>
DAV On
DAVMinTimeout 600
Order allow,deny
Allow from All
Options All
AuthGroupFile /dev/null
AuthName "Webdrive"
AuthType Basic
AuthUserFile /home/john/domains/webdisk.user.com/.htpasswd/pass.dav
Require valid-user
IndexOptions +FancyIndexing +FoldersFirst
<LimitExcept GET OPTIONS>
require user john
</LimitExcept>
</Directory>


Does anyone spot the problem in my story? Any feedback is highly appreciated!

Bye,

Harro
 
Problem (and solution) found. I had made a typo in the reference to the DAVlockDB in httpd-dav.conf. It took me a few days of not working on it to spot it... Thanks for your thoughts and good to know that when you can't write (but can read), the cause is very likely the DAVlockDB.

Bye.
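The manual lock database setup earlier in the thread and the typo reported just above both come down to whether the path behind DavLockDB exists and belongs to the httpd user. The following is an added example, not part of any post in this thread: a shell check that reads the directive from a config file and verifies the directory and the DavLock.dir / DavLock.pag files. The function names, return codes and the rule that missing files require an httpd-owned directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): check the lock database that the
# DavLockDB directive points at. Run as root on the server.

# Print the path from the last active DavLockDB directive in a config file.
# Commented-out lines are skipped; paths containing spaces are not handled.
dav_lock_path() {
    awk 'tolower($1) == "davlockdb" { p = $2 }
         END { gsub(/"/, "", p); print p }' "$1"
}

# Owner name (or numeric uid) of a file or directory, taken from ls output.
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# check_dav_lock CONF [USER]   (USER defaults to apache, as in the thread)
# Returns 0 usable, 1 no directive, 2 directory missing, 3 wrong owner,
# 4 world-writable directory or lock file.
check_dav_lock() {
    conf=$1; user=${2:-apache}; missing=0
    path=$(dav_lock_path "$conf")
    [ -n "$path" ] || { echo "no DavLockDB directive in $conf"; return 1; }
    dir=$(dirname "$path")
    [ -d "$dir" ] || { echo "$dir does not exist; check the path for typos"; return 2; }
    for f in "$path.dir" "$path.pag"; do
        if [ ! -e "$f" ]; then missing=1; continue; fi
        [ "$(owner_of "$f")" = "$user" ] || { echo "$f is not owned by $user"; return 3; }
    done
    # Assumption: httpd can only create missing lock files in a directory it owns.
    if [ "$missing" -eq 1 ] && [ "$(owner_of "$dir")" != "$user" ]; then
        echo "lock files missing and $dir is not owned by $user"; return 3
    fi
    # 777/666 "fixes" let every local account tamper with the lock database.
    for f in "$dir" "$path.dir" "$path.pag"; do
        [ -e "$f" ] || continue
        [ "$(ls -ld "$f" | cut -c9)" != "w" ] || { echo "$f is world-writable"; return 4; }
    done
    echo "DavLockDB $path looks usable by $user"
}
```

On the setup described in this thread it would be called as check_dav_lock /etc/httpd/conf/extra/httpd-dav.conf apache.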
 
hi,
I've enabled web dav on my Apache 2.2 system, but when I connect to my web dav folder by adding it as a network location on Windows Vista 32 bit, after the 5th attempt, windows says my folder that I entered was invalid.
This is my configuration for my domain:
Alias /webdisk "/home/admin/domains/danielcproductions.net/public_html/webdisk"
<Directory "/home/admin/domains/danielcproductions.net/public_html/webdisk">
Dav On

Order Allow,Deny
Allow from all

AuthType Digest
AuthName WebDiskUpload
AuthUserFile "/home/admin/webdav.passwd"
<LimitExcept GET OPTIONS>
require user topdog
</LimitExcept>
</Directory>
The webdisk folder, located in public_html, is Chmod 755. Is this permission incorrect? The group and owner are Apache.
The Auth file webdav.passwd is Chmod 0640, its owner and group are Apache. Is this incorrect too?
In the extra/httpd-dav.conf file, the DavLockDB is set to: "/var/db/DavLock"
I was told to chown the DavLock.dir to apache, as well as the DavLock.pag to apache.
What am I doing wrong here?
As a test, I set the webdisk directory to 0777 and it still doesn't want to work. It brings up the login prompt, but it keeps bringing it up in the Add Network Location area in Vista.
 
John, could mod_ruid2 not solve this problem and some addings in the user httpd.conf for enabling WebDAV for each user?
 
Hello,

I'm not too familiar with mod_ruid2 so I'm not too sure. It depends at what point the uid change is done by mod_ruid2: before or after the webdav module is run. If it's before, then there would be a good chance it would work.

John
 
It's just a module that first of all will be loaded (LoadModule @ httpd.conf).
Then you need to add 3 lines to the user's httpd.conf (DA template):
RMode config
RUidGid |USER| |GROUP|
RGroups apache
Maybe, if you want, I can set up a testbox with DA and install mod_ruid. Only my experience with WebDAV is currently not much, since I've never used it.
 
John,

I'm trying / testing WebDAV with mod_ruid but currently I've got this problem:

I've generated an htpasswd file for the login.
When I try it via HTTP I can log in and see an empty directory.

When I'm trying to add it as a Network Drive to my PC it doesn't accept my username/password. What could be wrong?

If you want, I can send you my configuration details about WebDAV by email (if you give me an address).

## UPDATE ##
I've tested it too with 'cadaver' and WebDAV seems to work, but I thought it should work too with Network Drive?
 