
[cobalt-developers] limiting access to WebDav



[roadrunner's mailservers went down, sorry if this shows up twice]

OK, it's been a while, and I don't use this anymore, because there's only
one site that uses webdav, but this should allow you to limit uploads to the
virtual sites that use webdav.

Put the following lines into the <VirtualHost></VirtualHost> section of
httpd.conf file.  Make sure to modify it for the site you're working on.

Alias /sitefiles/ /home/sites/site4/web/
<Location /sitefiles>
DAV On
ForceType text/plain
<Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
AuthType basic
AuthName SiteFiles
Require group site4
</Limit>
</Location>

I should tell you what that does.  First, the ForceType text/plain is not
required, but if your site has an index.php, then you won't be able to
upload unless you disable PHP.  Likewise if your site is index.cgi or
index.pl, you'll get the same problem.
The Limit statement prevents anyone from using webdav for anything at all,
unless they are in the group site4.

This is important to consider.  It does not say, "unless they are a
siteadmin for site4", it says "if they are a member of site4".  I don't know
how to require them to be in two groups, which is the only way I know of to
require the uploader to be a siteadmin.  All users for a site are part of
the group site4 (where 4 is the site number), and all site admins are
members of the group site-adm.  It would be nice if you specify two groups
that the server would say that you have to be a member of site4 AND
site-adm.  I think that if you specify more than one group though, they get
an OR put between them, and you wouldn't want siteadmins from site3 to have
access to site4.

Of course to use the above you will have to already have put in the other
stuff for webdav, such as:

Loadmodule dav_module libexec/libdav.so
Addmodule mod_dav.c
DAVLockDB /tmp/DAVLock
DAVMinTimeout 600

Here are some cool things I would like to see somebody do with this.
1, move this out of the VirtualHost section and create some rewrite rules so
that if someone requests http://<SITE_NAME>/~user/sitefiles or possibly
http://<SITE_NAME>/sitefiles/~user it will show the person's user directory.
2, figure out how to AND two groups together so that they can limit access
to siteadmins
3, create an admin form so that you can put check boxes next to sites that
should have Dav enabled.

I've laid the groundwork, and I'm happy to help any way that I can with the
above, but I don't have the time to do the work completely.

Hope this is useful to someone,
Matt Nuzum
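
Added example, not part of the original post and not Cobalt's own configuration: how the "site4 AND site-adm" requirement from item 2 can be written on Apache httpd 2.4, where <RequireAll> combines authorization rules with a logical AND. It assumes a 2.4 server with mod_dav, mod_dav_fs, mod_auth_basic, mod_authn_file and mod_authz_groupfile loaded and DavLockDB set at server level; the password and group file paths are placeholders, and the alias, realm and group names are the ones used in the post.

```apache
# Apache httpd 2.4 syntax (the post targets the older libdav.so setup).
# Goes inside the site's <VirtualHost> section, as in the post.
Alias /sitefiles/ /home/sites/site4/web/
<Location /sitefiles>
    DAV On
    # Same purpose as in the post: stop index.php / index.cgi handlers
    # from intercepting requests under this location.
    ForceType text/plain

    AuthType Basic
    AuthName "SiteFiles"
    AuthBasicProvider file
    # Placeholder paths: point these at the real password and group files.
    AuthUserFile  /path/to/placeholder.htpasswd
    AuthGroupFile /path/to/placeholder.groups

    # LimitExcept protects every method except the ones named, so a
    # method missing from an explicit <Limit> list is still covered.
    <LimitExcept GET HEAD OPTIONS>
        # RequireAll is a logical AND: the user must be in both groups.
        # "Require group site4 site-adm" on one line would be an OR.
        <RequireAll>
            Require group site4
            Require group site-adm
        </RequireAll>
    </LimitExcept>
</Location>
```

With this in place a site-adm member from another site fails the site4 rule, and an ordinary site4 user fails the site-adm rule, so only site4's own admins can write.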