Re: webdav security problem

bag@xxxxxxxxxxx wrote:
I maintain a very small office network. Some of our people work far
away, and we need a way to share some of our files.

So I set up a webdav directory on the BSD/Apache server we are using
for our website. I made a folder available as a subdoman (for
example, common.xyz.com) and set up the necessary config file
parameters for webdav in that directory. Our staff can now connect
via an XP or OSX network connection and treat the directory as a
folder on their computers.

However, I can navigate to the directory with my browser without
using an ID or password. I simply navigate to common.xyz.com, and I
see all the files that are in the directory. This was a big surprise,
because users need to enter id/password to connect by webdav. I
realized that webdav requires that GET headers must NOT require valid
users - so any browser can get in.

So, I added an index.html file to the directory, and that effectively
blocked access to the files by browser. You would think that this
solved the problem.

But no. I discovered one day that someone had deleted the index.html
file. Anyone with access to the directory can do that.

So I tried to set unix permissions to prevent deletion of the file.
Nothing I did worked. I disabled write permission on the file for all
users, but people could still delete it. I think that I would have to
disable write permission for the whole directory to prevent file
deletion. But that's not feasible, since my users need to delete
other files.

Does anyone have any idea how I can either 1) set a rule on the file
so it cannot be deleted (but the other files can be), or 2) keep
browsers out of the directory, or 3) implement something that's more
secure than webdav, but is simple (I don't want to do VPN, for
example).

Thank you

Check your apache httpd.conf file. That is where webdav access is
controlled. A while back, I wrote a how-to on webdav, ssl & two-factor
authentication. While you probably don't need the latter, the steps for
the first two may help you:

http://www.howtoforge.com/webdav_with_ssl_and_two_factor_authentication

nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
irc.freenode.net: #wikid

Relevant Pages

  • Adding .Mac iDisk to Windows XP (*without*using iDisk Utility for Windows)
    ... 9/2/2001 Accessing iDisk from a PC or any WebDAV browser: ... window and then its disconnected, ...
    (uk.comp.sys.mac)
  • Re: 1&1 Mediacenter
    ... Goliath oder Transmit oder sonstwie eine https webdav verbindung zu ... Lies mal die FAQ von 1und1 zu MediaCenter. ... Hostnamen für Webdav und Browser (mc vs. ...
    (de.comp.sys.mac.internet)
  • Re: Sonderzeichen im Exchange Public Folder Pfad
    ... Slash von WebDAV sowie einem Browser als Unterteilung für zwei Folder. ...
    (microsoft.public.de.exchange)
  • Re: WebDAV and permissions
    ... Integrated Authentication turned on. ... If this fails ask yourself the question, "Am I trying to access my WebDAV ... you will get a login dialog box with only 2 text fields as ... > from domainadmins and user x can't login. ...
    (microsoft.public.inetserver.iis.security)
  • Re: Digest access to UNC share
    ... change it to UNC share. ... WebDAV is basically a protocol over HTTP, so you are really looking at ... different WebDAV clients, one within Windows and the other within IE, both ... basic authentication or even no authentication. ...
    (microsoft.public.inetserver.iis.security)