[ Team LiB ] |
Recipe 6.19 Enabling WebDAV Without Making Files Writable by the Web UserProblemYou want to run WebDAV but don't want to make your document files writable by the Apache server user. SolutionRun two web servers as different users. The DAV-enabled server, for example, might run as User dav, Group dav, while the other server, which is responsible for serving your content, might run as User nobody, Group nobody. Make the web content writable by the dav user, or the dav group.
DiscussionA big security concern with DAV is that the content must be modifiable by the web server user for DAV to be able to update that content. This means that any content can also be edited by CGI programs, SSI directives, or other programs running under the web server. While the Apache security guidelines caution against having any files writable by the web server user, DAV requires it. By running two Apache servers, you can move around this limitation. The DAV-enabled web server, running on an alternate port, has the User and Group directives set to an alternate user and group, such as: User dav Group dav which is the owner of the web content in question. The other web server, which will be responsible for serving content to users, runs as a user who does not have permission to write to any of the documents. The DAV-enabled web server should be well authenticated, so that only those who are permitted to edit the site can access that portion of the server. You should probably also set up this server to be very lightweight, both in the modules that you install as well as in the number of child processes (or threads) that you run. Finally, it should be noted that the perchild MPM, under Apache 2.0, supports the idea of running different virtual hosts with different user ids, so that this recipe could be accomplished by enabling DAV just for the one particular vhost. However, as of this writing, the perchild MPM is not working yet. See Also |
[ Team LiB ] |