[users@httpd] setting up webdav
|
View:
New views
6 Messages
—
Rating Filter:
Alert me
|
 |
[users@httpd] setting up webdav
by LuKreme
::
Rate this Message:
I have a server running Apache 2.2.11_7 on FreeBSD 6-2-RELEASE with webdav enabled. I have several domains on the machine.
I have the following directive for one domain, which works just fine with webdav: <VirtualHost *> ServerName webdav.example.com ServerAlias files.example.com DocumentRoot /usr/local/www/example.com/ ErrorLog /usr/local/www/example.com/logs/example.error_log CustomLog /usr/local/www/example.com/logs/example.access_log combined DavLockDB /tmp/DavLock.example <location /> DAV On AuthType basic AuthName BUops AuthUserFile /usr/local/www/example.com/.htdavpass Options All ForceType text/plain <Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK> require valid-user </Limit> </location> </VirtualHost> The document root contains an htaccess file that contains AddType application/xml .html (I'm actually not sure why this directive is there) I have another domain which gives an error overtime I try to login, but its setup is nearly identical. <virtualhost *> ServerName webdav.example.net DocumentRoot /usr/local/www/example.net/ DavLockDB /tmp/DavLock.examplenet <location /> DAV On AuthType Basic AuthName "Example.net DAV" AuthUserFile /usr/local/www/example.net/.htdavpass Options All Allow from All ForceType text/plain <Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK> require user jeans </limit> </location> </VirtualHost> The .htdavpass file for the second domain contains the user jeans and a password and was setup with the command htpasswd -bc /usr/local/www/jenandersontarver.com/.htdavpass jeans <PASSWORD> the error in the logs is: [error] [client 71.229.144.93] client denied by server configuration: /usr/local/www/example.net/ The only difference in the files is the require directive, but I've seen that exact syntax many times, so I don't know why that would cause a failure, and besides, if I change the directive to 'require valid-user' it still fails. both directories and all the files in them are owned by the www user (except .htdavpass which is owned by root), and I cannot figure out what the issue could be. AuthName? -- Death was familiar with the concept of the eternal, ever-renewed hero, the champion with a thousand faces. He'd refrained from commenting. --The Last Continent --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@... " from the digest: users-digest-unsubscribe@... For additional commands, e-mail: users-help@... |
|
|
Re: [users@httpd] setting up webdav
by awarnier
::
Rate this Message:
LuKreme wrote:
> ... > DocumentRoot /usr/local/www/example.com/ ... > AuthUserFile /usr/local/www/example.com/.htdavpass I think that you have managed to do what no developer of Apache ever thought that a user would ever do : place the file containing the users passwords inside the very directory that this file is supposed to help protect. You might thus be exploring code pathways which nobody trod before. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@... " from the digest: users-digest-unsubscribe@... For additional commands, e-mail: users-help@... |
|
|
[users@httpd] Re: setting up webdav
by LuKreme
::
Rate this Message:
On 11-Nov-2009, at 17:28, André Warnier wrote: > LuKreme wrote: > ... >> DocumentRoot /usr/local/www/example.com/ > ... >> AuthUserFile /usr/local/www/example.com/.htdavpass > > I think that you have managed to do what no developer of Apache ever thought that a user would ever do : place the file containing the users passwords inside the very directory that this file is supposed to help protect. > You might thus be exploring code pathways which nobody trod before. OK, but why does it work for one domain (actually, it works for several domains on this same server) but not for others? any file named .ht* is never served by apache, and there's really nowhere else to place the .htdavpass file. http.conf: <Files ~ "^\.ht"> Order allow,deny Deny from all Satisfy All </Files> (the actual web site is in .../html/ or .../wordpress/, depending on the site) -- Fairy Tales are more than true; not because they tell us that dragons exist, but because they tell us that dragons can be beaten. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@... " from the digest: users-digest-unsubscribe@... For additional commands, e-mail: users-help@... |
|
|
Re: [users@httpd] Re: setting up webdav
by awarnier
::
Rate this Message:
LuKreme wrote:
> > any file named .ht* is never served by apache, and there's really nowhere else to place the .htdavpass file. > What do you mean there is nowhere else ? What about under /usr/local/www, and name it example.com.davpasswd for instance. At least it would not be directly under your DocumentRoot, in an area potentially accessible by users. Apache will never serve a file starting with a dot, maybe. But since you have the / locations open to DAV, have you checked if someone (authenticated) can upload a file called .htdavpass ? Or download it through DAV ? (I don't know the answer, but it might be interesting) Now about the rest : ... The .htdavpass file for the second domain contains the user jeans and a password and was setup with the command htpasswd -bc /usr/local/www/jenandersontarver.com/.htdavpass jeans <PASSWORD> but then : <location /> ... AuthUserFile /usr/local/www/example.net/.htdavpass So it is not really surprising if user jeans cannot acces a site for which the password file is not the same as the one user jeans' password was created in, is it ? --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@... " from the digest: users-digest-unsubscribe@... For additional commands, e-mail: users-help@... |
|
|
[users@httpd] Re: setting up webdav
by LuKreme
::
Rate this Message:
On 11-Nov-2009, at 18:04, André Warnier wrote:
> LuKreme wrote: >> any file named .ht* is never served by apache, and there's really nowhere else to place the .htdavpass file. > What do you mean there is nowhere else ? > What about under /usr/local/www, and name it example.com.davpasswd for instance. At least it would not be directly under your DocumentRoot, in an area potentially accessible by users. It's SUPPOSED to be accessible to the users. It's THEIR web space. If they want to change the webDAV passwords they are free to do so. However, I have to admit that currently there's no method for them to do so (I keep meaning to get around to setting something up). > Apache will never serve a file starting with a dot, maybe. > But since you have the / locations open to DAV, have you checked if someone (authenticated) can upload a file called .htdavpass ? > Or download it through DAV ? It doesn't show up at all via webDAV and the file is owned by root, so no, there is no way for them to change it. > AuthUserFile /usr/local/www/example.net/.htdavpass > > So it is not really surprising if user jeans cannot acces a site for which the password file is not the same as the one user jeans' password was created in, is it ? I simply forgot to obfuscate the domain in question on the htpass line. The paths are identical (and copied and pasted). Also, I am not getting a password error, I am getting [error] [client 71.229.144.93] client denied by server configuration: /usr/local/www/example.net/ -- Humans are always slightly lost. It's a basic characteristic. It explains a lot about them. --Lords and Ladies --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@... " from the digest: users-digest-unsubscribe@... For additional commands, e-mail: users-help@... |
|
|
[users@httpd] Re: setting up webdav
by LuKreme
::
Rate this Message:
On 11-Nov-2009, at 17:11, LuKreme wrote:
> I have the following directive for one domain, which works just fine with webdav: Never mind. Someone enabled 'evasive20_module' sometime this afternoon, and it was this event that stopped webdav mounts (all of them) to stop working. I'd been using several this morning, but when trying to access two new domains, the mounting kept failing. Sorry. The appropriate person has been beaten and whipped. -- Boy, it sure would be nice if we had some grenades, don'tcha think? --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@... " from the digest: users-digest-unsubscribe@... For additional commands, e-mail: users-help@... |
| Free embeddable forum powered by Nabble | Forum Help |
