setting up webdav

I have a server running Apache 2.2.11_7 on FreeBSD 6-2-RELEASE with =
webdav enabled. I have several domains on the machine.

I have the following directive for one domain, which works just fine =
with webdav:


ServerName webdav.example.com
ServerAlias files.example.com
DocumentRoot /usr/local/www/example.com/
ErrorLog /usr/local/www/example.com/logs/example.error_log
CustomLog /usr/local/www/example.com/logs/example.access_log combined
DavLockDB /tmp/DavLock.example

DAV On
AuthType basic
AuthName BUops
AuthUserFile /usr/local/www/example.com/.htdavpass
Options All
ForceType text/plain
UNLOCK>
require valid-user




The document root contains an htaccess file that contains=20
AddType application/xml .html

(I'm actually not sure why this directive is there)

I have another domain which gives an error overtime I try to login, but =
its setup is nearly identical.


ServerName webdav.example.net
DocumentRoot /usr/local/www/example.net/
DavLockDB /tmp/DavLock.examplenet

DAV On
AuthType Basic
AuthName "Example.net DAV"
AuthUserFile /usr/local/www/example.net/.htdavpass
Options All
Allow from All
ForceType text/plain
UNLOCK>
require user jeans




The .htdavpass file for the second domain contains the user jeans and a =
password and was setup with the command

htpasswd -bc /usr/local/www/jenandersontarver.com/.htdavpass jeans =


the error in the logs is:

[error] [client 71.229.144.93] client denied by server configuration: =
/usr/local/www/example.net/

The only difference in the files is the require directive, but I've seen =
that exact syntax many times, so I don't know why that would cause a =
failure, and besides, if I change the directive to 'require valid-user' =
it still fails.

both directories and all the files in them are owned by the www user =
(except .htdavpass which is owned by root), and I cannot figure out what =
the issue could be. AuthName?


--=20
Death was familiar with the concept of the eternal, ever-renewed hero, =
the champion with a thousand faces. He'd refrained from commenting. =
--The Last Continent


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: setting up webdav

LuKreme wrote:
>
....
> DocumentRoot /usr/local/www/example.com/
....
> AuthUserFile /usr/local/www/example.com/.htdavpass

I think that you have managed to do what no developer of Apache ever
thought that a user would ever do : place the file containing the users
passwords inside the very directory that this file is supposed to help
protect.
You might thus be exploring code pathways which nobody trod before.


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: setting up webdav

On 11-Nov-2009, at 17:28, Andr=E9 Warnier wrote:

> LuKreme wrote:
> ...
>> DocumentRoot /usr/local/www/example.com/
> ...
>> AuthUserFile /usr/local/www/example.com/.htdavpass
>=20
> I think that you have managed to do what no developer of Apache ever =
thought that a user would ever do : place the file containing the users =
passwords inside the very directory that this file is supposed to help =
protect.
> You might thus be exploring code pathways which nobody trod before.

OK, but why does it work for one domain (actually, it works for several =
domains on this same server) but not for others?

any file named .ht* is never served by apache, and there's really =
nowhere else to place the .htdavpass file.

http.conf:

Order allow,deny
Deny from all
Satisfy All


(the actual web site is in .../html/ or .../wordpress/, depending on the =
site)


--=20
Fairy Tales are more than true; not because they tell us that
dragons exist, but because they tell us that dragons can be
beaten.


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: Re: setting up webdav

LuKreme wrote:
>
> any file named .ht* is never served by apache, and there's really nowhere else to place the .htdavpass file.
>
What do you mean there is nowhere else ?
What about under /usr/local/www, and name it example.com.davpasswd for
instance. At least it would not be directly under your DocumentRoot, in
an area potentially accessible by users.
Apache will never serve a file starting with a dot, maybe.
But since you have the / locations open to DAV, have you checked if
someone (authenticated) can upload a file called .htdavpass ?
Or download it through DAV ?
(I don't know the answer, but it might be interesting)

Now about the rest :

....
The .htdavpass file for the second domain contains the user jeans and a
password and was setup with the command

htpasswd -bc /usr/local/www/jenandersontarver.com/.htdavpass jeans


but then :

...
AuthUserFile /usr/local/www/example.net/.htdavpass

So it is not really surprising if user jeans cannot acces a site for
which the password file is not the same as the one user jeans' password
was created in, is it ?



------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: setting up webdav

On 11-Nov-2009, at 18:04, Andr=E9 Warnier wrote:
> LuKreme wrote:
>> any file named .ht* is never served by apache, and there's really =
nowhere else to place the .htdavpass file.
> What do you mean there is nowhere else ?
> What about under /usr/local/www, and name it example.com.davpasswd for =
instance. At least it would not be directly under your DocumentRoot, in =
an area potentially accessible by users.

It's SUPPOSED to be accessible to the users. It's THEIR web space. If =
they want to change the webDAV passwords they are free to do so. =
However, I have to admit that currently there's no method for them to do =
so (I keep meaning to get around to setting something up).

> Apache will never serve a file starting with a dot, maybe.
> But since you have the / locations open to DAV, have you checked if =
someone (authenticated) can upload a file called .htdavpass ?
> Or download it through DAV ?

It doesn't show up at all via webDAV and the file is owned by root, so =
no, there is no way for them to change it.

> AuthUserFile /usr/local/www/example.net/.htdavpass
>=20
> So it is not really surprising if user jeans cannot acces a site for =
which the password file is not the same as the one user jeans' password =
was created in, is it ?

I simply forgot to obfuscate the domain in question on the htpass line. =
The paths are identical (and copied and pasted). Also, I am not getting =
a password error, I am getting=20

[error] [client 71.229.144.93] client denied by server configuration: =
/usr/local/www/example.net/


--=20
Humans are always slightly lost. It's a basic characteristic. It =
explains a lot about them. --Lords and Ladies


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: setting up webdav

On 11-Nov-2009, at 17:11, LuKreme wrote:
> I have the following directive for one domain, which works just fine =
with webdav:


Never mind. Someone enabled 'evasive20_module' sometime this afternoon, =
and it was this event that stopped webdav mounts (all of them) to stop =
working. I'd been using several this morning, but when trying to access =
two new domains, the mounting kept failing.

Sorry. The appropriate person has been beaten and whipped.

--=20
Boy, it sure would be nice if we had some grenades,=20
don'tcha think?=20


------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org