Hack 95 Turning on WebDAV

Share a space on your web server for remote file sharing and collaboration.

WebDAV (Web-based Distributed Authoring and Versioning, also called DAV) is a set of extensions to HTTP/1.1 (Hypertext Transfer Protocol, the protocol spoken by web browsers and servers) allowing you to edit documents on a remote web server. DAV provides support for:

Editing

Creating, updating, deleting

Properties

Title, author, publication date, and so on

Collections

Analogous to a filesystem's directory or desktop folder

Locking

Prevents the confusion and data corruption caused by two or more people editing the same content at the same time

WebDAV is platform-independent, both in terms of client and server. This means that Macintosh, Unix, and Windows users can collaborate on web content without all the usual conversion problems. Furthermore, it doesn't matter whether your documents are hosted on an Apache or Microsoft IIS server.

WebDAV is software agnostic. As long as your web-authoring tools are DAV-compliant, it makes little difference which particular product you're using.

WebDAV is (at least should be) seamless. Because DAV is simply a set of extensions to HTTP, it's easy for companies to build support into any product that already understands the Web. And, since DAV rides on top of HTTP, firewalls tend not to get in the way of accessing your web content remotely.

WebDAV makes use of the standard authorization and authentication methods built right into every web server. In the same manner as one restricts access to a portion (whether a file, folder, or entire site) of one's web site to a particular set of users or machines, so too can one finely tune WebDAV access to resources.

95.1 Mac OS X and WebDAV

While Mac OS X doesn't provide Apache support for providing WebDAV shares right out of the box, WebDAV functionality is available as a small downloadable module, easy to build and configure.

95.2 Install the Apache mod_dav Module

Download [Hack #61] the latest mod_dav module (http://www.webdav.org/mod_dav/) and extract it using Terminal [Hack #49]; I chose to use tar:

% curl -O http://www.webdav.org/mod_dav/mod_dav-1.0.3-1.3.6.tar.gz % tar -xvzf mod_dav-1.0.3-1.3.6.tar.gz mod_dav-1.0.3-1.3.6 mod_dav-1.0.3-1.3.6/sdbm ... mod_dav-1.0.3-1.3.6/mod_dav.mak mod_dav-1.0.3-1.3.6/autogen.sh

With the archive unpacked, it's time to build the module. It goes a little something like this:

% cd mod_dav-1.0.3-1.3.6 % ./configure % ./make % ./sudo make install

Between each command, the screen will fill with line after line of incomprehensible jibberish. I've left these out for brevity's sake; the only thing to watch out for is the process suddenly stopping with an error.

The module should now safely be installed in the right location (along with the other Apache modules) and DAV minimally enabled in the Apache server configuration. But there's more to do than simply making Apache aware of its new WebDAV functionality.

95.3 Configure WebDAV in Apache

Open [Hack #51] the Apache server's main configuration file [Hack #89], /etc/httpd/httpd.conf , for editing. You'll need to authenticate yourself as an administrator using sudo [Hack #50] to do so:

% sudo pico /etc/httpd/httpd.conf

Zoom down to the end of the file and add the following text:

DAVLockDB /etc/httpd/dav/DAVLock DAVMinTimeout 600 <Location /dav/>   DAV On   AuthType Basic   AuthName "WebDAV Restricted"   AuthUserFile /etc/httpd/dav/.passwd   <LimitExcept GET HEAD OPTIONS>     Require valid-user </LimitExcept> </Location>

The first line sets up a database file that WebDAV uses to track who's editing which file. It will lock a file to prevent something dangerous from happening, such as two people trying to update it at once. The second line tells the web server not to wait forever if the remote computer loses connection with it. The <Location> tags set the context of the WebDAV settings to be for the directory /dav, which we will set up under the document root.

The security we're using is AuthTypeBasic, which requires a username and password to make modifications. The password will be stored in a file called /Library/WebServer/.passwd, and the username required is webdav.

There is a risk to using basic authentication. The username and password are weakly encoded, so it is possible that someone could listen to your network and steal the password. A few years ago, a new authentication scheme called digest authentication was developed for Apache. This scheme uses strong encryption to protect the password. Unfortunately, the digest-authentication module that ships with Apache Version 1.3 (the one that comes with Mac OS 10.2) is old and not compatible with most browsers and client software. My attempts to use it with iCal failed. There is a more recent version of the module, but it requires Apache Version 2.0, which is not trivial to set up and therefore out of the scope of this hack. Hopefully, Apple will upgrade Apache to a more modern version, but in the meantime, keep an eye out for an Apache v2 package that will compile on Darwin (perhaps from the Fink project).

The <LimitExcept> directive gives us some protection from malicious intent. First, it locks down all the actions that can be performed on WebDAV files except those that are read-only. Second, it limits the write privileges to one user, named webdav. This user will not have any other abilities on the system but to write files in this directory.

95.4 Setting Up Directories

First, you need to set up the realm of WebDAV documents. Based on what we put in the configuration file, this will be in a subdirectory of the document root called /dav (that's /Library/WebServer/Documents/dav). You'll need to create that directory yourself, as well as changing the permissions and ownership so that the web server can write to it.

% sudo mkdir /Library/WebServer/Documents/dav % sudo chgrp www /Library/WebServer/Documents/dav % sudo chmod 775 /Library/WebServer/Documents/dav

Next, you need to find a place for the WebDAV lock database file. For lack of a better place, I created a directory alongside the httpd.conf configuration file, /etc/httpd/dav. Again, set the permissions so that the server can write files here:

% sudo mkdir /etc/httpd/dav % sudo chgrp www /etc/httpd/dav % sudo chmod 775 /etc/httpd/dav

95.5 Creating Users

While our configuration specifies that only valid users [Hack #97] are allowed to alter the contents of the dav directory via WebDAV, we've not yet created said users. We'll do so now.

Don't use an existing user's name and password. A malicious hacker sniffing your communications can grab that username and use it to sneak inside your system. The username we will create will be limited to WebDAV files only, which will be useless to a would-be intruder.

First, create a password file using the htpasswd utility. (Again, to keep everything related to DAV together, I used /etc/httpd/dav/.) You'll simultaneously create a user account and password for webdav. You'll be prompted for a password. Invent something secure and save it someplace safe. Make the password unique (don't use one that you use elsewhere), because of the basic authentication risk I mentioned earlier.

% htpasswd -c /etc/httpd/dav/.passwd webdav New password:  Re-type new password:  Adding password for user webdav

95.6 Restart the Server

An apache control script, apachectl, does away with the need to kill and restart the Apache server by hand. Simply issue a start, stop, or restart and apachectl will comply. In this case, you want to restart the server, so type:

% sudo apachectl restart /usr/sbin/apachectl restart: httpd restarted

If Apache isn't already running, apachectl is smart enough to go ahead and start it up for you:

% sudo apachectl restart /usr/sbin/apachectl restart: httpd not running, trying to start Processing config directory: /private/etc/httpd/users Processing config file: /private/etc/httpd/users/rael.conf /usr/sbin/apachectl restart: httpd started

Your WebDAV server is now ready for use by anyone (with the proper authentication, that is) who can reach your Web server. Mac OS X has built-in support for mounting WebDAV shares[Hack #74] and treating them like just about any other hard drive.

Did you know that iDisk is WebDAV-based?

95.7 See Also

• [Hack #30]

• [Hack #3]

• WebDAV Resources (http://www.webdav.org)

Erik T. Ray and Rael Dornfest