Security – Managing Apache to Compensate for WebDAV’s Security Masking

Tags: apache-2.2, security, webdav

When a user creates a file via WebDAV, the default behavior is that the file is owned by the user and group running the Apache process, with a umask of 022.

Unfortunately, this makes it impossible for unprivileged users to write to the files by other means without being a member of the group Apache runs under (which strikes me as a particularly bad idea).

My current solution is to set umask 000 in Apache's envvars and remove all world permissions from the webdav parent directory for the user. So, if the WebDAV share is /home/foo/www, then /home/foo/www is owned by www-data:foo with permissions of 770. This keeps other unprivileged users out, more or less, but it's hokey at best and a security disaster awaiting at worst.

From my research and poking around at mod_dav and Apache, I cannot find a reasonable solution short of a cron job flipping all the permissions back (I'd rather not have the load and increased complexity on the server). SuExec won't work, either, because WebDAV operations are not going to execute as a different user.

Any thoughts on this? Thank you.

Best Answer

I circumvented Apache's lack of user switching capabilities by using Posix ACL. These allow you to add more group and user entries on every file and also allow setting up default permissions on directories which are automatically added to each file created within.

If I guess right and you're running Linux, to enable Posix ACL you need to remount your file system with the acl option. Then you can use setfacl and getfacl to manage additional permissions. On Debian-based systems these tools can be found in the package acl. You can read further about Posix ACL in man acl and man setfacl. Posix ACL are also available on some BSD systems and MacOS, but I never used them there.

For example you could set up a folder in which group fileserver always has read and write access to all files within:

setfacl -Rm default:group:fileserver:rw,group:fileserver:rx /srv/fileserver

That would result in getfacl /srv/fileserver reporting something like this:

# file: /srv/fileserver
# owner: aef
# group: aef
user::rwx
group::rwx
group:fileserver:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:fileserver:rw-
default:mask::rwx
default:other::r-x

A warning though: you will probably need some time to get used to Posix ACLs; they add quite a bit more complexity, even if it doesn't seem so at first.
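
The following is an added example, not part of the original answer: a small Python model of the acl(5) rules for what a new file inherits from the default ACL in the getfacl listing above, showing how the create mode (not the umask) and the mask entry limit the fileserver group's rights. The function names are illustrative, and the model covers only the file-creation case described in acl(5).

```python
# Added example: acl(5) inheritance model; the listing is the answer's getfacl output.
GETFACL_OUTPUT = """\
# file: /srv/fileserver
# owner: aef
# group: aef
user::rwx
group::rwx
group:fileserver:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:fileserver:rw-
default:mask::rwx
default:other::r-x
"""

def to_bits(perm):
    """'rw-' -> 6"""
    return sum(v for c, v in zip(perm, (4, 2, 1)) if c != "-")

def to_text(bits):
    return "".join(c if bits & v else "-" for c, v in zip("rwx", (4, 2, 1)))

def default_entries(listing):
    """Return {(tag, qualifier): bits} for the 'default:' entries."""
    entries = {}
    for line in listing.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments such as '#effective:'
        if line.startswith("default:"):
            tag, qualifier, perm = line[len("default:"):].split(":")
            entries[(tag, qualifier)] = to_bits(perm)
    return entries

def inherited_rights(listing, create_mode):
    """Effective rights per ACL entry on a new file opened with create_mode.
    The umask is not applied; create_mode is ANDed into owner, mask and other."""
    acl = default_entries(listing)
    acl[("user", "")] &= (create_mode >> 6) & 7
    acl[("other", "")] &= create_mode & 7
    group_class = ("mask", "") if ("mask", "") in acl else ("group", "")
    acl[group_class] &= (create_mode >> 3) & 7
    mask = acl.get(("mask", ""), 7)
    rights = {}
    for (tag, qualifier), bits in acl.items():
        if tag != "mask":
            capped = tag == "group" or (tag == "user" and qualifier != "")
            rights[f"{tag}:{qualifier}"] = to_text(bits & mask if capped else bits)
    return rights
```

Calling inherited_rights(GETFACL_OUTPUT, 0o644) returns r-- for group:fileserver, because a creating program that passes mode 0644 shrinks the mask and removes the group's write access even though the default entry grants rw-.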