CONTENTS
[0] Technical stuff / Installation
[0.1] Perl Setup
[0.2] Apache Setup
[0.3] Davmap script installation
[1] Configuration/Running
[1.1] perms.cf
[1.2] Logs
[2] Appendices
[2.1] davmap script & modules
[2.2] Apache source diff
[2.3] Example perms.cf file
[0] - Technical stuff / Installation
Build instructions:
[0.1] - Perl Setup
Get the Quota module for Perl (version 1.5.1 was used here), build and install it.
The PATH prefix puts the Sun Studio compiler first so that the XS part builds
with the same compiler as the Perl binary:
perl Makefile.PL && PATH=/tool/lang11.1/SUNWspro/bin:$PATH make install
[0.2] - Apache Setup
Get Apache and compile it with the unsafe option -DBIG_SECURITY_HOLE, which
allows httpd to keep running as root. Root is needed so that files created over
DAV can be chown'd to the requesting user: modules/dav/main/mod_dav.c is
patched to chown files after creation (this could instead be done on the Perl
side). See [2.2] for the patch. Bear in mind that with httpd running as root
any Apache or mod_dav bug is a root compromise, so keep the host restricted to
the intended clients and the build current.
(An alternative would be to proxy-pass from a front-end Apache through to
per-user Apache instances, each running as the user accessing the share. That
would need quite a few instances on different ports: trickier to manage and
harder to diagnose.)
davmap lives in /opt/davmap. The relevant lines in the Apache configuration
are below. RewriteLock is required because a prg map is one long-running
process shared by every httpd child, and mod_rewrite serialises access to it
through that lock file:
> ------ CUT HERE ----------
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
DAVLockDB /var/httpd/davlocks/DAVLockDB-localroot
RewriteEngine On
RewriteLock /opt/davmap/rewrite.lck
### Main R&D site
RewriteEngine On
RewriteMap davaccessmap prg:/opt/davmap/davmap.pl
AuthType Basic
AuthName "DAV File access"
AuthUserFile /usr/local/etc/htpasswd
Require valid-user
Options -Indexes
RewriteEngine On
# Must be this order!
RewriteRule (.*) ${davaccessmap:%{REQUEST_METHOD}-%{REMOTE_USER}-$1} [L]
Dav On
> ------ CUT HERE ----------
[0.3] - Davmap script installation
Install it in /opt/davmap/ (see [2.1] for the source).
[1] - Configuration/Running
[1.1] - perms.cf
These define, above and beyond the Unix permissions, the access (or lack of it)
that users of the system get.
Everyone, by default, has access to their /home directory. The permission maps
let you, for any given directory, take access away from users or grant it to
them. Unix permissions are still queried and applied, so the map can only
restrict further, never escalate: if you grant a user access to a directory
they wouldn't ordinarily have (Unix) access to, they still won't be able to
access it.
The constants at the top of the perms.cf file are important and are mirrored in
the davmap.pl script; the two must agree, so don't change the values here.
Permissions are configured by adding a key to the hash whose name is the
directory you wish to apply ACLs to. Its value is a reference to another hash
that defines which users are granted or denied access to that directory.
'ALL' is a wildcard matching everyone. Otherwise, use a user's id to set the
access for that particular user; an entry for the user's own id overrides the
wildcard.
There are four values you can OR together for the access requirement. NOACCESS
means the user has no access at all; READ means they can read; WRITE means
they can write (the example file combines READ|WRITE for both). The fourth,
INHERIT, means the entry also applies to directories below this one, unless a
more specific entry matches, in which case the rules defined there take
precedence.
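The following is an added example of how the rules above resolve, written here
for this page; it is not the davmap.pl shipped in the tarball in [2.1], whose
code is not reproduced. It embeds a constructed copy of the example perms.cf
hash from [2.3], and it makes three assumptions that are marked in the code:
which DAV methods need READ versus WRITE, the reading that an entry on the
resource's own directory applies directly while higher ancestors need INHERIT,
and the reply convention for a denied request (NULL, which mod_rewrite treats
as "no match" so the RewriteRule can supply a fallback). It also canonicalises
the path before lookup so that "../" cannot be used to dodge an ACL key, and
it implements the RewriteMap prg stdin/stdout loop.

```perl
#!/usr/bin/perl
# Added example (not the page's davmap.pl): a davmap-style resolver for the
# perms.cf rules, plus the RewriteMap "prg" stdin/stdout loop.
use strict;
use warnings;

# Bit values as in perms.cf; davmap.pl and perms.cf must agree on these.
use constant NOACCESS => 0x0;
use constant READ     => 0x1;
use constant WRITE    => 0x2;
use constant INHERIT  => 0x4;

# Constructed copy of the example perms.cf hash. A real script would load the
# file instead, e.g.  do '/opt/davmap/perms.cf' or die $@;
our %perms = (
    '/project/yamis/www'       => { ALL   => READ | INHERIT },
    '/project/yamis/www/t'     => { andyw => READ | WRITE | INHERIT },
    '/project/yamis/www/icons' => { ALL   => NOACCESS },
    '/project/davtest'         => { markv => READ | WRITE | INHERIT,
                                    andyw => READ | WRITE | INHERIT },
    '/project'                 => { ALL   => READ, andyw => READ | INHERIT },
    '/home'                    => { ALL   => READ | WRITE | INHERIT },
);

# Assumed method classification: anything that can change the store needs WRITE.
# Methods not listed are treated as writes (fail closed).
my %needs;
$needs{$_} = READ  for qw(GET HEAD OPTIONS PROPFIND REPORT);
$needs{$_} = WRITE for qw(PUT POST DELETE MKCOL COPY MOVE PROPPATCH LOCK UNLOCK);

# Collapse "." / ".." / repeated slashes so an ACL key cannot be dodged by an
# unnormalised path. Apache normalises the URI too; this is defence in depth.
sub canon {
    my ($path) = @_;
    my @out;
    for my $seg (split m{/}, $path) {
        next if $seg eq '' || $seg eq '.';
        if ($seg eq '..') { pop @out; next }
        push @out, $seg;
    }
    return '/' . join('/', @out);
}

# Bits granted to $user for $path. Assumed reading of the rules: an entry on
# the resource itself or on its own directory always applies; an entry on a
# higher ancestor applies only if it carries INHERIT; the deepest applicable
# entry wins; within an entry the user's own id beats ALL; no entry means deny.
sub access_for {
    my ($user, $path) = @_;
    my $dir   = canon($path);
    my $level = 0;            # 0 = resource, 1 = its directory, >1 = ancestors
    while (1) {
        if (my $acl = $perms{$dir}) {
            my $bits = exists $acl->{$user} ? $acl->{$user}
                     : exists $acl->{ALL}   ? $acl->{ALL}
                     :                        undef;
            if (defined $bits && ($level <= 1 || ($bits & INHERIT))) {
                return $bits & (READ | WRITE);
            }
        }
        last if $dir eq '/';
        $dir =~ s{/[^/]+\z}{};
        $dir = '/' if $dir eq '';
        $level++;
    }
    return NOACCESS;
}

# 1 if $method by $user on $path is permitted by the map, else 0.
# (Unix permissions are a separate check and are not modelled here.)
sub allowed {
    my ($method, $user, $path) = @_;
    my $need = exists $needs{uc $method} ? $needs{uc $method} : WRITE;
    return (access_for($user, $path) & $need) ? 1 : 0;
}

# One RewriteMap key in the form the RewriteRule builds: METHOD-USER-PATH.
# Assumed reply convention: the canonicalised path on allow, "NULL" on deny;
# mod_rewrite treats NULL as "no match", so the RewriteRule can supply a
# fallback with ${davaccessmap:...|/forbidden}.
sub handle_key {
    my ($key) = @_;
    my ($method, $user, $path) = $key =~ m{\A([A-Z]+)-(.+?)-(/.*)\z}s
        or return 'NULL';
    return allowed($method, $user, $path) ? canon($path) : 'NULL';
}

# RewriteMap prg protocol: one key per line on stdin, one answer per line on
# stdout. Output must be unbuffered or mod_rewrite blocks waiting for the reply.
unless (caller) {
    $| = 1;
    while (my $line = <STDIN>) {
        chomp $line;
        print handle_key($line), "\n";
    }
}
```

Try it from a shell with something like
printf 'GET-markv-/project/yamis/www/icons/../t/index.html\n' | perl davmap-example.pl
and the reply is the canonicalised path /project/yamis/www/t/index.html, because
after normalisation the lookup lands on the www rule (ALL => READ | INHERIT)
rather than on icons. Two things worth noticing against the example perms.cf:
the icons entry (ALL => NOACCESS) carries no INHERIT, so under this reading a
subdirectory of icons falls back to the www rule and is readable; add INHERIT
there if that is not intended. And the key format METHOD-USER-PATH relies on
the path starting with "/" to find the end of the user name, so a user id
containing "-/" would be ambiguous; the non-greedy match above copes with plain
hyphens in user ids. Note also that $| = 1 is not optional: a prg map that
buffers its output stalls every request that goes through the map.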
[1.2] - Logs
A great deal is logged to /var/log/davmap.log, probably too much.
[2] - Appendices
[2.1] - davmap script & modules
> ------ CUT HERE ----------
begin-base64 644 davmap.tar
(base64 payload of davmap.tar not reproduced on this page)
====
> ------ CUT HERE ----------
[2.2] - Apache source diff
(diff against Apache 2.2.11)
> ------ CUT HERE ----------
--- mod_dav.c.orig Wed Mar 11 12:57:25 2009
+++ mod_dav.c Thu Apr 16 15:56:01 2009
@@ -42,6 +42,9 @@
* so that we can keep the connection open.
*/
+/* andyw 20090311 */
+#include
+
#include "apr_strings.h"
#include "apr_lib.h" /* for apr_is* */
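Review bot: the `#include` added at the top of this hunk has no header name on the page; `getpwnam()` and `struct passwd`, used in `do_rd_own()` later in the patch, are declared in `<pwd.h>`, so the line should read `#include <pwd.h>` (with `<unistd.h>` for `chown()` and `<errno.h>` if the chown failure is to be reported).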
@@ -72,6 +75,14 @@
DAV_ENABLED_ON
};
+/* andyw 20090416 */
+struct dav_resource_private {
+ apr_pool_t *pool; /* memory storage pool associated with request */
+ const char *pathname; /* full pathname to resource */
+ apr_finfo_t finfo; /* filesystem info */
+};
+
+
/* per-dir configuration */
typedef struct {
const char *provider_name;
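Review bot: redefining `struct dav_resource_private` inside mod_dav.c copies the private layout of one particular repository provider (the `pool`/`pathname`/`finfo` triple is mod_dav_fs's); mod_dav itself treats `resource->info` as opaque. The chown added later in the patch therefore only works while mod_dav_fs is the provider and while its private struct keeps exactly this layout; with any other provider, or after a change to mod_dav_fs, `resource->info->pathname` is read from the wrong offset. Either move the definition to a header shared with the provider, with a comment tying the two together, or have the provider that owns the path do the chown.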
@@ -103,7 +114,6 @@
};
static int dav_methods[DAV_M_LAST];
-
static int dav_init_handler(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp,
server_rec *s)
{
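Review bot: this hunk only deletes a blank line before `dav_init_handler()` and is unrelated to the ownership change; drop it so the patch contains only the functional change.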
@@ -616,6 +626,9 @@
return DONE;
}
+/* andyw 20090311 */
+static int do_rd_own(request_rec*);
+
/* handy function for return values of methods that (may) create things */
static int dav_created(request_rec *r, const char *locn, const char *what,
int replaced)
@@ -622,6 +635,8 @@
{
const char *body;
+ do_rd_own(r);
+
if (locn == NULL) {
locn = r->uri;
}
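Review bot: the return value of `do_rd_own(r)` is discarded here, so a failed chown, or a REMOTE_USER with no passwd entry, still yields the normal 201/204 response and leaves the new file owned by root. Check the result, e.g. `int rc = do_rd_own(r); if (rc != 1) return rc;`, bearing in mind that `do_rd_own()` returns an HTTP status from `dav_handle_err()` on failure and 1 on success, which the caller has to tell apart.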
@@ -4800,6 +4815,44 @@
dav_core_register_uris(p);
}
+/* andyw 20090311 - attempt own the resource as REMOTE_USER */
+static int do_rd_own(request_rec *r)
+{
+ dav_resource *resource;
+ dav_error *err;
+ struct passwd *ht_pwnam;
+
+ err = dav_get_resource(r, 0 /* label_allowed */, 0 /* use_checked_in */,
+ &resource);
+
+ if (err != NULL) {
+ err = dav_push_error(r->pool, err->status, 0,
+ "do_rd_own: Unable to fetch dav resource.",
+ err);
+ return dav_handle_err(r, err, NULL);
+ }
+
+ ht_pwnam = getpwnam( r->user );
+
+ if (ht_pwnam == NULL) {
+ err = dav_push_error(r->pool, err->status, 0,
+ "do_rd_own: Unable to fetch passwd struct.",
+ err);
+ return dav_handle_err(r, err, NULL);
+ }
+
+ chown((const char *) resource->info->pathname, ht_pwnam->pw_uid, ht_pwnam->pw_gid);
+ if (err != NULL) {
+ err = dav_push_error(r->pool, err->status, 0,
+ "do_rd_own: Unable to chown resource.",
+ err);
+ return dav_handle_err(r, err, NULL);
+ }
+
+ return 1;
+}
+
+
/*---------------------------------------------------------------------------
*
* Configuration info for the module
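Review bot: in the `ht_pwnam == NULL` branch `err` is known to be NULL (the preceding `if (err != NULL)` has already returned), so `err->status` dereferences a null pointer; the same applies after `chown()`, whose return value is discarded in favour of a test of `err` that can never be true, so a failed chown is silently ignored. Use `dav_new_error()` with an explicit status for both cases and test the syscall itself, e.g. `if (chown(resource->info->pathname, ht_pwnam->pw_uid, ht_pwnam->pw_gid) != 0) { err = dav_new_error(r->pool, HTTP_INTERNAL_SERVER_ERROR, 0, "do_rd_own: chown failed"); return dav_handle_err(r, err, NULL); }`. Two further points: `getpwnam()` returns a static buffer and is not thread-safe, which matters under the worker MPM, so prefer `getpwnam_r()`; and because httpd runs as root here, `chown()` on a pathname follows symlinks, so `fchown()` on the descriptor the provider wrote to, or at least `lchown()`, is the safer call. The `(const char *)` cast is unnecessary, and the comment reads "attempt own"; "attempt to own".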
> ------ CUT HERE ----------
[2.3] - Example perms.cf file
> ------ CUT HERE ----------
#!/usr/bin/perl
# LDAP Directory/user permissions
use constant NOACCESS => 0x0;
use constant READ => 0x1;
use constant WRITE => 0x2;
# INHERIT - subdirectories inherit perms.
use constant INHERIT => 0x4;
# access for everyone is done via the keyword 'ALL'
our %perms = (
'/project/yamis/www' => {
ALL => READ | INHERIT,
},
'/project/yamis/www/t' => {
andyw => READ|WRITE|INHERIT,
},
'/project/yamis/www/icons' => {
ALL => NOACCESS,
},
'/project/davtest' => {
markv => READ|WRITE|INHERIT,
andyw => READ|WRITE|INHERIT,
justink => READ|WRITE|INHERIT,
},
'/project' => {
ALL => READ,
andyw => READ|INHERIT,
},
'/home' => {
ALL => READ|WRITE|INHERIT,
},
);
> ------ CUT HERE ----------
This is a standard Perl hash; 'perl -c perms.cf' should say 'Syntax OK'.
After changing the hash you should just be able to type 'make': the syntax is
checked and, if valid, the file is pushed out to dav0 and Apache restarted.