TRANSCRIPT
September 2003
SIGUCCS ’03, Paper #62
WebDAV: What It Is, What It Does, Why You Need It
by
Luis O. Hernández
Mahmoud Pegah
The WebDAV Session
- Explain WebDAV
- Demonstrate the use of WebDAV in both Windows and Apple systems
- Share Ringling School’s framework
- Address issues that Ringling School has experienced with WebDAV
- Propose suggestions that could make WebDAV stronger and more usable
WebDAV: What Is It?
- WebDAV: Web Distributed Authoring and Versioning
- Allows web development teams and other workgroups to share files
- Allows easy setup for administrators and ease of use for users
Distribution, Installation, and Configuration
WebDAV: Distribution Used
- Apache v1.3.27
- WebDAV module v1.3.6
- LDAP module v2.3
- Netscape LDAP v4.1
WebDAV: Installation
Include the WebDAV and LDAP module with the Apache installation during configuration:

# Apache web server configure command
./configure \
    --prefix=/local/apache_1.3.27 \
    --enable-module=proxy \
    --activate-module=src/modules/dav/libdav.a \
    --activate-module=src/modules/ldap/mod_auth_ldap.c
WebDAV: Configuration (Part 1)
You do not need to do anything to the Apache configuration until you require LDAP support:

# Enable WebDAV support
AddModule mod_dav.c
# Lock database used by mod_dav for LOCK/UNLOCK
DAVLockDB /local/apache/var/DAVLock
WebDAV: Configuration (Part 2)
Two configuration options for authentication mechanisms:
- WebDAV with standard htpasswd support
- WebDAV with LDAP support
WebDAV: Configuration (Part 3)
Simple configuration within a directory enables WebDAV support:

# WebDAV folder for a Project
<Directory "[DocumentRoot]/project">
    DAV On
    # RSADShareDAVOwnerUID [owneruid]
    # RSADShareDAVSize [Quota in MB]
    AllowOverride None
    AuthName "[Project Title]"
    AuthType Basic
    AuthUserFile [/.hiddenFolder/.hiddenFile]
    # Only the listed methods are restricted; GET and POST stay open (see Part 7)
    <Limit PUT DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
        Require user [user names]
        Order Deny,Allow
        Deny from all
        Allow from trusteddomain.com
    </Limit>
</Directory>
WebDAV: Configuration (Part 4)
Simple WebDAV Configuration
(diagram: Mac OS X clients, Windows clients, and other clients connecting to the web server)
WebDAV: Configuration (Part 5)
WebDAV configuration with LDAP support

# WebDAV folder for a Project
<Directory "[DocumentRoot]/project">
    DAV On
    # RSADShareDAVOwnerUID [owneruid]
    # RSADShareDAVSize [Quota in MB]
    AllowOverride None
    AuthName "[Project Title]"
    AuthType Basic
    <Limit PUT DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
        Require user [user names]
        Order Deny,Allow
        Deny from all
        Allow from trusteddomain.com
    </Limit>
    # mod_auth_ldap settings: users are looked up by uid under the base DN
    LDAP_Server ldap.yourdomain.com
    LDAP_Port 389
    Base_DN "[BaseDN]"
    UID_Attr uid
</Directory>
WebDAV: Configuration (Part 6)
WebDAV configuration with LDAP support for user authentication
(diagram: Mac OS X clients, Windows clients, and other clients connecting to the web server, which authenticates users against the LDAP server)
WebDAV: Configuration (Part 7)
User files are available through the Internet. Unless the user publishes a website, s/he may want to prevent Internet access to those files. To do that, include the GET and POST methods in the Limit directive as well, so that reads are subject to the same Require and Allow rules as the WebDAV methods.
WebDAV: Other Distributions
Servers
- Internet Information Server
- Mac OS X Server
- Neon Web Server v0.23.9, open source
WebDAV: Other Distributions
Clients
- Microsoft Windows 2000 and up
- Mac OS X
- GNOME Nautilus
- KDE
- Goliath (Mac OS 9)
- Java DAV Explorer for JVM
- Cadaver for UNIX terminals
WebDAV: Other Distributions
Additional Client Distributions
- jEdit WebDAV plugin for the jEdit text-editing application
- Eldav for Emacs
APIs
- PerlDAV
- PythonDAV
File-system driver
- DAVfs for Linux
WebDAV: Connect from Windows
- Depends on the version
WebDAV: Connect from Apple
- Click on the Desktop
- Press Command Key + K
- Enter the share address and your credentials when prompted
WebDAV: Monitoring the Shares
- Ringling School created custom monitoring tools to check for quota usage on each share
- The following attributes were added to the WebDAV Apache configuration for the custom tool:
  - RSADShareDAVOwnerUID (user name)
  - RSADShareDAVSize (MB)
- Scripts are available at http://www.rsad.edu/~lhernand/webdav
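As an added example (not part of the slides and not Ringling School's own scripts), the following Python script reads a <Directory> block written in the style of Part 3, reports which methods fall outside the <Limit> directive (the GET/POST point of Part 7), and compares a share's on-disk usage against the RSADShareDAVSize comment attribute that the monitoring tools rely on. The sample configuration, the user name jdoe and the share path are constructed for the example.

```python
import os
import re

# Constructed sample modelled on the slides' Apache 1.3 <Directory> block.
SAMPLE_CONF = """
<Directory "/local/apache/htdocs/project">
DAV On
# RSADShareDAVOwnerUID jdoe
# RSADShareDAVSize 1
AuthType Basic
<Limit PUT DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
Require user jdoe
Order Deny,Allow
Deny from all
Allow from trusteddomain.com
</Limit>
</Directory>
"""
# GET and POST are the two the slides say to add to <Limit> when the owner publishes no web site.
ALL_METHODS = {"GET", "POST", "PUT", "DELETE", "PROPFIND", "PROPPATCH",
               "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

def parse_shares(conf):
    """Map each DAV-enabled <Directory> path to its owner, quota and <Limit> methods."""
    shares = {}
    for m in re.finditer(r'<Directory\s+"?([^">]+)"?>(.*?)</Directory>', conf, re.S):
        path, body = m.group(1), m.group(2)
        if not re.search(r"^\s*DAV\s+On\b", body, re.M | re.I):
            continue  # plain web directory, not a WebDAV share
        owner = re.search(r"^\s*#\s*RSADShareDAVOwnerUID\s+(\S+)", body, re.M)
        size = re.search(r"^\s*#\s*RSADShareDAVSize\s+(\d+)", body, re.M)
        limit = re.search(r"<Limit\s+([^>]+)>", body)
        shares[path] = {
            "owner": owner.group(1) if owner else None,
            "size_mb": int(size.group(1)) if size else None,
            "limited": set(limit.group(1).upper().split()) if limit else set(),
        }
    return shares

def unrestricted_methods(share):
    """Methods outside <Limit>: no Require/Allow applies, so anyone on the Internet can use them."""
    return sorted(ALL_METHODS - share["limited"])

def dir_size_mb(path):
    """Total size of the files under a share directory, in MB."""
    return sum(os.path.getsize(os.path.join(r, f))
               for r, _d, fs in os.walk(path) for f in fs) / (1024 * 1024)

def over_quota(share, used_mb):
    """True when usage exceeds RSADShareDAVSize; shares without a size are never flagged."""
    return share["size_mb"] is not None and used_mb > share["size_mb"]
```

A nightly run would call parse_shares on httpd.conf, then over_quota(share, dir_size_mb(path)) for each share and notify the RSADShareDAVOwnerUID user or the administrator.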
WebDAV: Authentication
- WebDAV authentication is sent in clear text
- For security purposes, allow only campus connections to the shares
- Apple will enable encrypted connections to WebDAV shares from their upcoming OS, Panther
WebDAV: DoS Attacks
- Multiple users could create a DoS situation if they upload large files at the same time
- An increase in server memory and an increase in Apache processes should diminish the probability of DoS
WebDAV: Module Signature
- All Apache modules, including WebDAV, are identified in the server signature
- NetCraft.net provides information about any server on the Internet
- Malicious intruders can use the server signature to find vulnerabilities in the system
Lessons Learned
- No Quota System
- Single Authoritative User
- Replication
WebDAV: No Quota System
- Custom monitoring tools necessary to enforce quota usage
- Tools report quota breach to administrator
- Tools available at http://www.rsad.edu/~lhernand/webdav
WebDAV: Single Authoritative User
- A typical install of Apache does not allow for changing the running user identification
- Apache can be installed to allow for changing the running user identification, but then it must also run as root, which is in itself a security vulnerability
- All web shares are owned by one user who also owns the Apache running processes
- Users can overwrite each other’s files in a share
WebDAV: Replication
- Apache v1.3.27
- WebDAV module v1.3.6
- LDAP module v2.3
- Netscape LDAP v4.1
- Solaris 8
- SunFire 280R, 2GB memory
Helpful Suggestions
- Directory Quotas
- Quota Attributes
- Apache SetUID
- WebDAV Support in NAS Devices
WebDAV: Directory Quotas
- Some software vendors (Novell) already support directory quotas
- No open source solution yet available
- Allows web shares to comply with quota limits with a single authoritative user
WebDAV: Quota Attributes
New attributes that work with the WebDAV module would alert users of quota breaches and would set quota limits:
- DAVDiskLimit – sets quota limit in MB
- DAVOwner – email address of user
- DAVAlertOn – alarm limit to alert owner
WebDAV: Apache SetUID
- Allow the WebDAV module to set the ownership of the running process so that it can act on behalf of authenticated users and not the process owner of the web server
- The Internet Draft, Quota and Size Properties for DAV Collections, explains properties and minor behaviors needed for clients to interoperate with quota implementations on web folders
WebDAV: Support in NAS Devices
- Network Appliance Servers support CIFS, NFS, HTTP, FTP, and NDMP, but not WebDAV
- WebDAV support in NAS devices would be easy to implement since HTTP is already supported
- Administration of WebDAV enabled NAS devices would improve with a WebDAV “broker”
WebDAV: NAS WebDAV Broker
- Clients would connect to the WebDAV broker instead of the NAS devices
- The WebDAV broker would be responsible for authenticating the users with an LDAP server
(diagram: Mac OS X, Windows, and other clients connecting to the web server acting as broker, which authenticates against the LDAP server in front of the NAS devices)
WebDAV: NAS WebDAV Broker
- After authentication, the broker would send a list of available shares to the client
- The client then connects to the NAS devices directly
(diagram: Mac OS X, Windows, and other clients connecting directly to the NAS devices)
WebDAV: Announcing a New Service!
- Service initially released with a minimal amount of users
- Faculty learns of web share availability with introduction to IT upon employment
- Online tutorials available at http://www.it.rsad.edu
- Students have been helpful in spreading the word