read only access to a webdav share using apache2 mod_dav

did you know you can configure mod_dav to allow read-only access to your webdav share (apart from the usual read-write access)? all you need is set “Options Indexes”, point your browser to the webdav url and enter your credentials. basically, i have the following mod_dav configuration[1]:

BrowserMatch “^WebDAVFS/1.[012]” redirect-carefully
BrowserMatch “Microsoft Data Access Internet Publishing Provider” redirect-carefully
BrowserMatch “Microsoft-WebDAV-MiniRedir/5.1.2600” redirect-carefully
BrowserMatch “^WebDrive” redirect-carefully
BrowserMatch “^WebDAVFS” redirect-carefully

LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
DavLockDB /var/lib/dav/lockdb

DavMinTimeout 600
<Directory /path/to/the/dav>
Options Indexes
Dav On
AuthType Basic
AuthName “Please enter your webshare credentials”
AuthUserFile /path/to/the/passwordfile
Require user johndoe
</Directory>

i had to remove <Limit> restrictions as basic auth didn’t work with it for some reason. configuring a share that can be both accessed (read-write) using samba/smb/cifs and webdav is a bit more tricky and depends on which linux distribution you use. in a nutshell, you need to fiddle with directory permissions (especially the “sgid – set group id” bit) and figure out which setting works best (and the most securely) for you.

note that for security reasons, you should only allow encrypted http access (https using tls/ssl) to your share (see the <Redirect> option for example).

[1] in gentoo, edit /etc/apache2/conf/modules.d/45_mod_dav.conf

(thanks to flo for the tip)

CategoriesITTags

One Reply to “read only access to a webdav share using apache2 mod_dav”

  1. migrated comment by mux (2006-03-15 23:29:35):

    ehhhh, this is a bit misleading… you’re giving *browser* access to the DAV share, not read-only access. If someone were to do as you say, then hand out the URL to the world as “read-only access”, anyone could come along and use a DAV client on that URL to achieve read-write access.

    To *really* make a DAV share read-only, your best bet is something like this:

    [ begin /path/to/your/website/.hatccess file ]

    AuthUserFile /var/www/.htpasswd
    AuthGroupFile /var/www/.htgroup
    AuthName “This server is not for public access!”
    AuthType Basic

    [Limit PUT POST DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK]
    require group webdevelopment
    [/Limit]
    ## Note, those should be triangle brackets around the Limit statements, but the blog prevents that!

    require valid-user

    [ end .htaccess file ]

    …then just put your regular list of users in your .htpasswd file, and make a htgroup file that looks like this:

    [ begin /var/www/.htgroup file ]

    webdevelopment: johndoe janedoe jimdoe

    [ end .htgroup file ]

    and you’re set. Browser access will always be read-only, but it’s also possible to restrict DAV access to read-only using htaccess.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.