WebDAV (Web Distributed Authoring and Versioning) is another popular form of file sharing built into Mac OS X. Apple's .Mac service provides iDisk access via WebDAV, and the Mac OS X Apache distribution includes mod_dav , enabling your machine to serve other Linux, Windows, and Mac clients .
WebDAV is unique in that it doesn't introduce another protocol or server process to your machine. Instead, it piggybacks on HTTP, using the Apache server process and all its access controls to manage who can access what. See RFC 2518 for more information http://asg.web.cmu.edu/rfc/rfc2518.html.
As far as security goes, consider this statement, taken from the mod_dav FAQ:
Apache and mod_dav are quite secure. There has not been a single reported exploit of the code in the past three years (when it was first released). You can misconfigure your Apache/ mod_dav system (in fact, SuSE Linux released an RPM like this and had to issue a security advisory and upgrade). But given that you take the precautions listed in the installation document, Apache and mod_dav are quite secure.
Although there are no known exploits of mod_dav , there are several potential problems:
Improper file permissions can lead to files being modified that shouldn't be. mod_dav runs with the Apache server permissions, meaning files/directories that can be written to by the www user or group can be modified through WebDAV.
Users can store arbitrarily large files on the server, eating up disk space.
Large recursive requests can be sent to the server, using up resources and potentially resulting in a DoS attack.
Although you can deal with the first two issues with basic system administration skills, the third may require fine-tuning the mod_dav DAVDepthInfinity and LimitXMLRequestBody directives, discussed shortly.
To enable WebDAV, edit the file /etc/httpd/httpd.conf . You need to do this as root to make changes.
Look for the (noncontiguous) lines
#LoadModule dav_module libexec/httpd/libdav.so #AddModule mod_dav.c
Remove the comments from both lines, so that they read
LoadModule dav_module libexec/httpd/libdav.so AddModule mod_dav.c
Normally we would recommend that software be installed from scratch, but because the mod_dav code has remained largely static for the past two years this seems unnecessary. Apache 2.0 incorporates mod_dav in the base distribution, so this won't even be a consideration when Apple makes the migration to the new server in the future.
If you would like to download and compile mod_dav by hand, it is available from http://www.webdav.org/mod_dav/.
The mod_dav module adds several special directives to the Apache configuration that you'll need to use to set up your WebDAV shares. These are listed in Table 16.2.
DAVLockDB < Path and Lock base name >
Required . The path and base file name (such as /var/tmp/moddavlock ) that will be used for mod_dav lock files. This is a global directive that should be used once in the /etc/httpd/httpd.conf file.
Optional . The minimum lifetime of a file lock in seconds. May be used within an Apache container or globally in httpd.conf .
Required . Used in an Apache container, this directive enables WebDAV support within that container. The standard Apache access directives are still needed to control security for the resource.
Optional . If off (the default), mod_dav will not allow infinite depth commands to be processed . This will prevent remote machines from collecting (recursively) information about every resource under the WebDAV share, potentially using a great deal of server resources and possibly creating a denial of service condition. Can be used either globally or in an Apache container.
LimitXMLRequestBody <byte limit>
Optional . Sets a limit on the size of the XML request that the client can send. All WebDAV functions are encoded in XML, and mod_dav will attempt to parse the requests in RAM ”again leading to a resource usage problem and potential DoS condition. The default is 1,000,000 bytes.
Each WebDAV operation is sent as an HTTP function to the remote server along with an XML body containing the details of that request. If you've used HTTP, you're probably already familiar with GET and POST methods of sending and retrieving information from a server. WebDAV introduces several others that are needed for the additional file sharing features it offers:
PROPFIND . Return information about a given resource (file) or a collection of files (directory).
PROPPATCH . Change information about a specified resource or collection (such as author).
MKCOL . Create a new collection (directory).
COPY . Create a duplicate of an existing resource.
DELETE . Remove an existing resource.
MOVE . Move a resource from one location to another.
LOCK . Lock a resource or collection.
UNLOCK . Unlock a resource or collection.
Obviously, you can't have every user issuing these commands to the server, so it must be protected against unauthorized access. This is performed with Apache's <Limit> directive. One simply needs to limit the dangerous functions to the appropriate users.
Because Apache security is discussed in depth in Chapter 15, "Web Server Security," we won't repeat it here. A sample configuration that shares the /Library/Webserver/Documents directory to a user with an account on the Mac OS X machine is shown in Listing 16.1. This assumes that the mod_auth_apple module (also discussed in Chapter 15) is present and active.
1: DAVLockDB /var/tmp/moddavlock 2: DAVDepthInfinity off 3: <Directory "/Library/WebServer/Documents"> 4: DAV On 5: AuthType Basic 6: AuthName "Webserver documents" 7: <Limit DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK> 8: require valid-user 9: </Limit> 10: </Directory>
Because WebDAV works over HTTP, it suffers from the same authentication and privacy issues as Apache. If you want to use an encrypted login, for example, you need digest passwords. If you want completely encrypted transfers, you need mod_ssl up and running ”and you'll also need to provide secure ( https : ) connection URLs to the clients.