Siguccs 03 paper 62 webdav what it is what it does why you need it
Download
1 / 37

SIGUCCS ‘03 Paper # 62 WebDAV: What It Is, What It Does, Why You Need It - PowerPoint PPT Presentation


  • 90 Views
  • Uploaded on
  • Presentation posted in: General

SIGUCCS ‘03 Paper # 62 WebDAV: What It Is, What It Does, Why You Need It. by Luis O. Hernández Mahmoud Pegah. The WebDAV Session. Explain WebDAV Demonstrate the use of WebDAV in both Windows and Apple systems Share Ringling School’s framework

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha

Download Presentation

SIGUCCS ‘03 Paper # 62 WebDAV: What It Is, What It Does, Why You Need It

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


SIGUCCS ‘03Paper # 62WebDAV: What It Is, What It Does, Why You Need It

by

Luis O. Hernández

Mahmoud Pegah


The WebDAV Session

  • Explain WebDAV

  • Demonstrate the use of WebDAV in both Windows and Apple systems

  • Share Ringling School’s framework

  • Address issues that Ringling School has experienced with WebDAV

  • Propose suggestions that could make WebDAV stronger and more usable


WebDAV: What Is It?

  • WebDAV: Web Distributed Authoring and Versioning

  • Allows web development teams and other workgroups to share files

  • Allows easy setup for administrators and ease of use for users


Distribution, Installation, and Configuration


WebDAV: Distribution Used

  • Apache v1.3.27

  • WebDAV module v1.3.6

  • LDAP module v2.3

  • Netscape LDAP v4.1


WebDAV: Installation

  • Include the WebDAV and LDAP module with the Apache installation during configuration:# Apache web server configure command./configure \--prefix=/local/apache_1.3.27 \--enable-module=proxy \--activate-module=src/modules/dav/libdav.a \--activate-module=src/modules/ldap/mod_auth_ldap.c


WebDAV: Configuration (Part 1)

  • You do not need to do anything to the Apache configuration until you require LDAP support:# Enable WebDAV supportAddmodule mod_dav.cDAVLockDB /local/apache/var/DAVLock


WebDAV: Configuration (Part 2)

  • Two configuration options for authentication mechanisms:

    • WebDAV with standard htpasswd support

    • WebDAV with LDAP support


WebDAV: Configuration (Part 3)

  • Simple configuration within a directory enables WebDAV support:# WebDAV folder for a Project<Directory "[DocumentRoot]/project">DAV On#RSADShareDAVOwnerUID [owneruid]#RSADShareDAVSize [Quota in MB]AllowOverride NoneAuthName "[Project Title]"AuthType BasicAuthUserFile [/.hiddenFolder/.hiddenFile]<Limit [PUT DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK]>Require user [user names]Order Deny,AllowDeny from allAllow from trusteddomain.com</Limit></Directory>


WebDAV: Configuration (Part 4)

  • Simple WebDAV Configuration

Web Server

Other Clients

Mac OS X Clients

Windows Clients


WebDAV: Configuration (Part 5)

  • WebDAV configuration with LDAP support# WebDAV folder for a Project<Directory "[DocumentRoot]/project">DAV On#RSADShareDAVOwnerUID [owneruid]#RSADShareDAVSize [Quota in MB]AllowOverride NoneAuthName "[Project Title]"AuthType Basic<Limit [PUT DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK]>Require user [user names]Order Deny,AllowDeny from allAllow from trusteddomain.com</Limit>LDAP_Server ldap.yourdomain.comLDAP_Port 389Base_DN "[BaseDN]"UID_Attr uid</Directory>


WebDAV: Configuration (Part 6)

  • WebDAV configuration with LDAP support for user authentication

Web Server

LDAP Server

Other Clients

Mac OS X Clients

Windows Clients


WebDAV: Configuration (Part 7)

  • User files are available through the Internet. Unless user publishes a website, s/he may want to prevent Internet access to those files. To do that, include the “GET” and “POST” attributes in the “Limit” directive.


WebDAV: Other Distributions

  • Servers

    • Internet Information Server

    • Mac OS X Server

    • Neon Web Server v0.23.9, open source


WebDAV: Other Distributions

  • Clients

    • Microsoft Windows 2000 and up

    • Mac OS X

    • GNOME Nautilus

    • KDE

    • Goliath (Mac OS 9)

    • Java DAV Explorer for JVM

    • Cadaver for UNIX terminals


WebDAV: Other Distributions

  • Additional Client Distributions

    • jEdit WebDAV plugin for Jedit text-editing application

    • Eldav for Emacs

  • APIs

    • PerlDAV

    • PythonDAV

  • File-system driver

    • DAVfs for Linux


How to Connect to a Web Share


WebDAV: Connect from Windows

  • Depends on the version


WebDAV: Connect from Apple

  • Click on the Desktop

  • Press Command Key + K

  • Enter the share address and your credentials when prompted


WebDAV: Monitoring the Shares

  • Ringling School created custom monitoring tools to check for quota usage on each share

  • The following attributes were added to the WebDAV Apache configuration for the custom tool:

    • RSADShareDAVOwnerUID (user name)

    • RSADShareDAVSize (MB)

  • Scripts are available at http://www.rsad.edu/~lhernand/webdav


Security


WebDAV: Authentication

  • WebDAV authentication is sent in clear text

  • For security purposes, allow only campus connections to the shares

  • Apple will enable encrypted connections to WebDAV shares from their upcoming OS, Panther


WebDAV: DoS Attacks

  • Multiple users could create a DoS situation if they upload large files at the same time

  • An increase in server memory and an increase in Apache processes should diminish the probability of DoS


WebDAV: Module Signature

  • All Apache modules, including WebDAV, are identified in the server signature

  • NetCraft.net provides information about any server on the Internet

  • Malicious intruders can use the server signature to find vulnerabilities in the system


Lessons Learned

No Quota System

Single Authoritative User

Replication


WebDAV: No Quota System

  • Custom monitoring tools necessary to enforce quota usage

  • Tools report quota breach to administrator

  • Tools available at http://www.rsad.edu/~lhernand/webdav


WebDAV: Single Authoritative User

  • A typical install of Apache does not allow for changing the running user identification

  • Apache can be installed to allow for changing the running user identification, but then it must also run as root, which is in itself a security vulnerability

  • All web shares are owned by one user who also owns Apache running processes

  • Users can overwrite each other’s files in a share


WebDAV: Replication

  • Apache v1.3.27

  • WebDAV module v1.3.6

  • LDAP module v2.3

  • Netscape LDAP v4.1

  • Solaris 8

  • SunFire 280R, 2GB memory


Helpful Suggestions

Directory Quotas

Quota Attributes

Apache SetUID

WebDAV Support in NAS Devices


WebDAV: Directory Quotas

  • Some software vendors (Novell) already support directory quotas

  • No open source solution yet available

  • Allows web shares to comply with quota limits with a single authoritative user


WebDAV: Quota Attributes

  • New attributes that work with the WebDAV module would alert users of quota breaches and would set quota limits

    • DAVDiskLimit – sets quota limit in MB

    • DAVOwner – email address of user

    • DAVAlertOn – alarm limit to alert owner


WebDAV: Apache SetUID

  • Allow the WebDAV module to set the ownership of the running process so that it can act on behalf of authenticated users and not the process owner of the web server

  • Internet Draft, Quota and Size Properties for DAV Collections, explains properties and minor behaviors needed for clients to interoperate with quota implementations on web foloders


WebDAV: Support in NAS Devices

  • Network Appliance Servers support CIFS, NFS, HTTP, FTP, and NDMP, but not WebDAV

  • WebDAV support in NAS devices would be easy to implement since HTTP is already supported

  • Administration of WebDAV enabled NAS devices would improve with a WebDAV “broker”


WebDAV: NAS WebDAV Broker

  • Clients would connect to the WebDAV broker instead of the NAS devices

  • The WebDAV broker would be responsible for authenticating the users with an LDAP server

NAS

NAS

NAS

LDAP Server

WebServer

Other Clients

Mac OS X Clients

Windows Clients


WebDAV: NAS WebDAV Broker

  • After authentication, the broker would send a list of available shares to the client

  • The client then connects to the NAS devices directly

NAS

NAS

NAS

Other Clients

Mac OS X Clients

Windows Clients


WebDAV: Announcing a New Service!

  • Service initially released with a minimal amount of users

  • Faculty learns of web share availability with introduction to IT upon employment

  • Online tutorials available at http://www.it.rsad.edu

  • Students have been helpful in spreading the word


Thank You!


ad
  • Login