WebDAV directory permissions

Started by davidcl, March 29, 2005, 09:33:44 AM

davidcl

Hey Matt and others--

I was looking at your DIY .mac tutorial and unless I missed something, it doesn't seem to cover WebDAV permissions on a per-user basis.  It looks like all users on your system have full access to each other's directories?

If I'm wrong (or even if I'm right) I'd love to learn how to configure mod_dav so each user has access to his/her own directory but not other people's directories, preferably without manually tweaking the httpd.conf for each user.

Any suggestions?

matt

I'd love to be wrong about this, but as I read the webdav spec, what you're trying to do isn't possible. I would love to have webdav access to ~matt/html, but unless I change the ownership of it to www:www, that's not possible.

I have mod_dav configured so that /home/idisk/html/matt, and /home/idisk/html/user2, etc, based on who the user authenticates as.

Matt

davidcl

matt wrote on Wed, 30 March 2005 08:21

I'd love to be wrong about this, but as I read the webdav spec, what you're trying to do isn't possible. I would love to have webdav access to ~matt/html, but unless I change the ownership of it to www:www, that's not possible.


I was able to get access to portions of home directories by changing the ownership to matt:www and giving group write permissions-- not the most secure thing in the world but I can live with it since there's no other access to these folders.

Quote:

I have mod_dav configured so that /home/idisk/html/matt, and /home/idisk/html/user2, etc, based on who the user authenticates as.


If I'm understanding your reply correctly, this is what I'm trying to do.  How did you accomplish it?

David

matt

Quote:

I have mod_dav configured so that /home/idisk/html/matt, and /home/idisk/html/user2, etc, based on who the user authenticates as.


If I'm understanding your reply correctly, this is what I'm trying to do.  How did you accomplish it?

I'm just using Apache's authentication. The directory the user has access to (/matt, or /user2, etc) is based on who they are authenticated as.

<Directory "/usr/home/idisk/html">
       Dav on
       AuthType Digest
       AuthName iTools
       AuthDigestDomain "/"
       AuthDigestFile /usr/home/idisk/WebDavUsers
       AuthGroupFile /usr/home/idisk/WebDavGroups
       Options None
       AllowOverride None

       <LimitExcept GET HEAD OPTIONS>
               require user matt
       </LimitExcept>
       Order allow,deny
       Allow from All
</Directory>

<Directory "/usr/home/idisk/html/*/Public">
       Options +Indexes
</Directory>

<Directory "/usr/home/idisk/html/mattsimerson">
       <LimitExcept GET HEAD OPTIONS>
               require user mattsimerson matt
       </LimitExcept>
</Directory>

<Directory "/usr/home/idisk/html/jen">
       <LimitExcept GET HEAD OPTIONS>
               require user jen
       </LimitExcept>
</Directory>

<Directory "/usr/home/idisk/html/Calendars">
       <LimitExcept GET HEAD OPTIONS>
               require valid-user
       </LimitExcept>
</Directory>

davidcl

Okay, so you're hard-coding it.  That's what I've done so far also.

I'm hoping to do this for 700+ users, so I'd rather not hard-code it.  I can't figure out a way to avoid that, so far.

Yes, I can write a script that does the hard-coding for me.  No, I don't really want to do it that way if I can avoid it-- it's ugly and inelegant, and it isn't a real-time solution.

mod_vhost_alias has spoiled me, I guess.

walinskydotcom

Actually it seems like this _can_ be done;

*accidentally* I came across this posting.

The following directives should get you going...
RewriteEngine On
RewriteRule ^/(.*) /srv/web/%{LA-U:REMOTE_USER}/$1

<Directory /srv/web>
DAV On
Options Indexes
Options +FollowSymLinks
AllowOverride None
AuthType Basic
AuthName "WebDAV"
AuthUserFile /etc/apache2/vhost.dav
require valid-user
</Directory>
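
The per-user restriction asked about in this thread can also be written as one pattern-based block instead of one block per user. This is an added example, not part of the original posts: it assumes Apache httpd 2.4.8 or later, that /srv/web is the DocumentRoot, and an arbitrary capture-group name `davuser`; the paths and auth settings are reused from the post above.

```apache
# Added example, not from the thread.
# Assumptions: Apache httpd 2.4.8+ with mod_dav, mod_dav_fs, mod_auth_basic,
# mod_authn_file and mod_authz_core loaded; /srv/web is the DocumentRoot, so
# the URL /matt/ maps to /srv/web/matt/; DavLockDB is set at server level.
# "davuser" is only a label chosen for this example.

# One block covers every /srv/web/<name>/ tree, including subdirectories,
# because the pattern is not anchored at the end. The named capture group is
# exported to the request environment as MATCH_DAVUSER (upper-cased name,
# prefixed with MATCH_).
<DirectoryMatch "^/srv/web/(?<davuser>[^/]+)">
    Dav On
    Options None
    AllowOverride None

    AuthType Basic
    AuthName "WebDAV"
    AuthUserFile /etc/apache2/vhost.dav

    # Grant access only when the authenticated user name equals the
    # directory name captured above. Because the expression references
    # REMOTE_USER, httpd authenticates the client before the final
    # evaluation. An unset MATCH_DAVUSER compares as an empty string and
    # therefore never equals a real user name.
    Require expr "%{REMOTE_USER} == %{env:MATCH_DAVUSER}"
</DirectoryMatch>

# The parent directory itself is not matched by the pattern above, so
# state its policy explicitly rather than relying on inherited defaults.
<Directory "/srv/web">
    Options None
    AllowOverride None
    Require all denied
</Directory>
```

Adding a user then only needs a new entry in the password file and a directory with the same name under /srv/web that the httpd process can write to.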