February 6, 2006 at 10:53 am

WebDAV and Access Control Lists (ACL’s)

Using ACLs with WebDAV allows for much finer control.

In the past, in order to give a user access to their home directory both locally and remotely via WebDAV, the folders had to be owned either by the user themselves (for local access) or by www (for remote access). Because of this the POSIX permissions often got quite messy.

This is all a thing of the past now with Tiger and its ACL implementation. Being able to add the user www to your existing home folders has many advantages over the previous way. With ACLs, administrators can override the older POSIX-style UNIX permissions and bring their servers (including web-based services) into the 21st century. In order to add ACLs to your Apache WebDAV realm, you must first enable Access Control Lists on the server volume itself.

1. Launch Workgroup Manager, click on the Sharing pane and then the All tab. Find the volume where your WebSite (or home folders) is located and enable “Access Control Lists on this volume” under the General pane on the right.

This can also be accomplished via the CLI using the following command:

fsaclctl -p /Volumes/VOLUMENAME -e

Note: If the folder/URL you are trying to share out is on an Xsan-based volume, this is the end of the line for you, as ACLs are not currently supported in Xsan (v1.2 or earlier). There you are left with good old-fashioned POSIX permissions and crontabs to change ownerships and permissions.

2. Once you have enabled ACLs on the volume, you can then get down to business. This is of course assuming you have the know-how to set up a site using either non-secure ports, typically port 80, or using an SSL certificate and running it on port 443. This article also assumes you understand the basics of WebDAV, which modules you need to have enabled, and how the site name and HTML work.

3. What the WebSite needs in order to get running via WebDAV:
</gml_replace>
<gr_replace lines="29" cat="clarify" orig="d.) Proper">
    d.) Proper Web Realms set up for the root location and all corresponding user home folders.

    a.) A Web Name / URL: webdisk.company.com

    b.) A place where the Users folders would exist: /Volumes/data/HomeFolders

    c.) The proper modules activated: digest_module + dav_module (This is under Apache Web Server 1.3.33)

    d.) Proper Web Realms setup for the root location and all coinciding Users home folders.

    e.) Performance cache, folder listings, and so on I would leave up to you. I personally don’t allow them myself.

4. Once you are comfortable that you have the setup implemented properly for your WebSite/Realm, you can then load up Workgroup Manager and enable your ACLs both for the user who needs access to the files and folders and for the user www, with at least Read and Write access into the users' home directories.

5. With ACLs enabled on your server disk, you now want to do the following:

    a.) Launch Workgroup Manager and authenticate as either the Directory Administrator, if it’s an OD Master, or as a user with administrative capabilities to manage both local /netinfo/root and /LDAPv3/127.0.0.1 domains on the server.

    b.) Navigate to your Home Folders share point, and then select a user's folder within the root folder.

    /Volumes/data/HomeFolders --> Root level
    /Volumes/data/HomeFolders/username --> Web Realm

    c.) Leave the ownerships as handed out in the older UNIX POSIX style when you first set up the account:

    Owner:    username   Read and Write   (rwx)
    Group:    staff      Read Only        (r-x)
    Everyone:            Read Only        (r-x)

    d.) In the Access Control List settings, you should now click on the “Users & Groups” button at the bottom of the window, drag in the user who corresponds to the username, and give them “Full Control” over the files and folders. You need to do this because during the day the users need to be able to access their home directory when logged in from a managed account on the network. You then need to select /netinfo/root from the Directory Search Path and drag your www user into the ACL list as well. You can give the user www any of the permissions that you need; however, since this account is only ever going to be accessed from outside the office/school environment, I generally only give the user “Read and Write” access. This limits how much a weak password on a single user account can expose if that account is compromised.

    Your final user setup would look like:

    Owner:    username   Read and Write   (rwx)
    Group:    staff      Read Only        (r-x)
    Everyone:            Read Only        (r-x)

    Access Control List
    username:Allow:Full Control:NO:This folder ...
    World Wide Web:Allow:Read and Write:NO:This folder ...

    e.) Once you have finished the initial setup, you want to propagate those permissions and settings to all the subfolders and files within that user's home directory. In this case we only need to propagate the ACL settings from the permissions window.

6. With these settings done, you now need to add the user and the path for their home access to the WebSite that you set up back in step 3. To do this, in Server Admin, select your Web Site and then click on the “/” button to go into editing mode. Select the Realms button. To add a user to the realm, you need to do the following:

    a.) Click on the “+” button on the lower left hand side. Give your Realm a name (I usually do the user name of the realm I am adding)

    b.) Select Basic, Digest, or Kerberos. I almost always select Digest as it’s more secure than Basic, and chances are that 99% of the users who need to access their home directories from outside the office will not have a Kerberos ticket for the server in question on their workstation.

    c.) Navigate to the path where the users home folder lives: /Volumes/data/HomeFolders/username. Click OK.

    d.) Select the “Everyone” setting under the Users section and uncheck “Can Browse”

    e.) Click on the “+” button under the Users section and enter the shortname of your user and check off: User can: Browse and Author.

    f.) Don’t worry about the Groups section at the bottom. Click on Save. You now have a functioning web realm that is secure and will allow users to mount their home directories over the web, copy to and from them, and work on the files remotely (bandwidth permitting, of course). This will have to be replicated for every user who requires remote WebDAV access.

    Note: You do not need to worry about adding the user www to the Users section in the Realm, as it has already been added via the ACLs that we set in step 5.

7. Propagating these permissions via the CLI:
(Ed. note. You can also propagate with Workgroup Manager.)

    a.) Navigate to the root level of the users' folders: /Volumes/data/HomeFolders

    b.) Adding the user www recursively to all the folders (the ACE is one quoted argument; the opening quote was missing in the original listing):

    chmod -R +a "www allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit" *

    This will allow the user www to have Read and Write access to all the users' folders. However, this will not give user “joe” access to user “sally’s” home folder, as the username and password are still controlled by the realm's user within Open Directory and not by the www ACL.

    Note: If you have your Profiles and Shared Folders in this directory as well, you should temporarily move those folders out of the HomeFolders directory when you make these changes, so that the ACLs do not propagate into those folders too.

    c.) If you want to add your users with Full Control from the CLI, you can issue the following command on an individual basis:

    chmod -R +a "username allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit" username

    Note: You need to change ‘username’ in 2 places in order to do this from the command line. I would think there would be a way to pull the shortnames from dscl and then pipe them into the chmod command, but I have not had time to play around with it too much. (Someone else may have an easy way to do it for the individual users.)

    Stop and Start your Web Server. Done!
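As an added example (not from the original article), the following script applies the two ACEs from steps 7b and 7c to every home folder under one root, deriving each user's short name from the folder name rather than from dscl. It assumes the article's layout (/Volumes/data/HomeFolders/<username>) and the Mac OS X `chmod +a` syntax; the folder names it skips (Profiles, Shared Folders) are hypothetical and should be adjusted to yours.

```shell
#!/bin/sh
# Added example, not the article's own code. Assumes Mac OS X chmod(1) with
# ACL support (+a). A "dry" mode prints the commands instead of running them.

# ACE the article gives the www user: read/write, but no writesecurity/chown,
# so a compromised web login cannot rewrite ownership or the ACL itself.
www_ace() {
  printf '%s' "www allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,file_inherit,directory_inherit"
}

# ACE the article gives the owning user: Full Control (adds writesecurity, chown).
user_ace() {
  printf '%s' "$1 allow list,add_file,search,delete,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity,writesecurity,chown,file_inherit,directory_inherit"
}

# apply_home_acls ROOT [dry]
# For each subfolder of ROOT, treat the folder name as the user's short name and
# add both ACEs recursively. Folders named below are skipped so the www ACE does
# not propagate into them (hypothetical names for the Profiles/Shared Folders
# the article says to keep out of HomeFolders).
apply_home_acls() {
  root=$1
  mode=${2:-run}
  for dir in "$root"/*/; do
    [ -d "$dir" ] || continue          # no subfolders: glob stays literal
    dir=${dir%/}
    name=${dir##*/}
    case "$name" in
      Profiles|"Shared Folders") continue ;;
    esac
    if [ "$mode" = dry ]; then
      printf 'chmod -R +a "%s" "%s"\n' "$(www_ace)" "$dir"
      printf 'chmod -R +a "%s" "%s"\n' "$(user_ace "$name")" "$dir"
    else
      chmod -R +a "$(www_ace)" "$dir"
      chmod -R +a "$(user_ace "$name")" "$dir"
    fi
  done
}

# Example invocation (dry run first, then for real once the output looks right):
# apply_home_acls /Volumes/data/HomeFolders dry
# apply_home_acls /Volumes/data/HomeFolders
```

Run the dry mode first and check that only real user folders appear in the output before running it for real.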

What this does: This type of setup gives the end user the ability to access their home folders across the web and mount them on their desktop as if they were hard disks.

This gives them the ability to have full read and write access to their files and folders when they are local in their office environment and access to those files when they are located remotely.

Even though they are prompted for a user name and password, the ownership of files and folders copied or modified remotely is changed to www when moving data back and forth over WebDAV.

The biggest thing they need to remember is the URL to their folders:

http://webdisk.company.com/username

The biggest thing you as an administrator need to ensure is that you have the best security type available chosen and that your users do not have easy to guess passwords on their accounts.


  • I followed these directions, but I still have one major problem. I cannot copy
    folders onto a WebDAV volume. When I drag a folder from the Desktop to the
    WebDAV volume, I get the following error:

    "The operation cannot be completed because you do not have sufficient
    privileges for some of the items."

    My user on the server has full control over the WebDAV volume via ACL, and
    the www user has read-write access via ACL. What permissions aren’t
    sufficient? And for what items? Why can I create folders but not copy them?
    Why can I copy files and not folders? Why can’t OS X give me a more specific
    error message detailing what privileges aren’t sufficient, and/or what items
    the privileges are insufficient for?


    http://www.aaronadams.net
    My two-bit, half-assed opinion concerning whatever it is I feel like writing about.

  • Thanks for the reply. That was indeed my problem. The solution is to either
    remove the .DS_Store files before attempting to copy the folder to the WebDAV
    volume, or edit /etc/httpd/httpd.conf to allow .DS_Store files to be uploaded
    (although I don’t know that I can recommend it for security reasons).


  • OK, fair enough.

    I have 25,000 users in my OpenLDAP domain. I can script the creation/maintenance of the home folders and the ACLs (we do that already on all our servers). But if I understand you correctly, I’m going to [basically] have to create a separate realm and permission entry in my httpd.conf file (or an include) for each user and restart apache after each change…? That’s going to get pretty big. I wonder what the upper limit is on the size of an apache.conf file.

    It would be great if the ACLs were respected in WebDAV the way they are for AFP…
