apache22 suexec webdav

I've configured apache22 to run with suexec.
Then I added webdav and here is a problem.

ALL files created with webdav are owned by the user under which the apache22 server initially runs, which is www.
This completely ignores the suexec user and group for a given virtual host.

How can I make webdav be affected by suexec and create/edit files as the user who owns the virtual host?

WebDAV Configuration (mod_dav)

WebDAV provides a useful way to be able to treat web folders as local folders. This can be great for providing people with ways to upload, download and edit their web content directly and without having an actual system account on the server.

There are two big disadvantages to DAV. First, there are no popular browsers or OS's which natively support DAV over SSL, so make sure that any usernames and passwords you configure aren't privileged for anything else. Second, all actions performed through the DAV service are performed as the user which your web server runs as and can't be overridden by suexec. This is a security consideration in a virtual hosting environment because users can potentially read and/or overwrite each other's files, and it's also a major inconvenience if you want to provide users with shell access as well as DAV access to their files (because files uploaded via DAV aren't owned by the shell user). I've talked to the Apache people about this and apparently it's an inherent limitation in the way Apache and the DAV module interact which they have no intention of addressing. Suck.

But then again..., this IS FreeBSD and someone / something must make this possible!
 
OK, let's propose an alternative.
In this case, the client is adding / editing / deleting files with an editor that supports Secure FTP.

The password must not be sent in plain text.
And all file interaction must be over an encrypted connection.
Newly created files must be owned by the suexec user, and file manipulations must run as that user as well.

Does Secure FTP abide by all the above rules?
If yes, then which port would be the most appropriate for this?
 
I am a little bit confused with SFTP term
It stands for SSH File Transfer Protocol (sometimes called Secure File Transfer Protocol or SFTP) and NOT FTP over SSH (not SFTP)

Right?

The client will be Dreamweaver CS4, and in its panel there is an FTP option, under which you can choose:
Use Secure FTP (SFTP)

That SFTP will be used.

PS: Ah, new pic you have there. ;)
Smoking will kill ya men!
 
Seeker said:
I am a little bit confused with SFTP term
It stands for SSH File Transfer Protocol (sometimes called Secure File Transfer Protocol or SFTP) and NOT FTP over SSH (not SFTP)

Right?

FTP over SSH involves awkward tunnelling, whereas SFTP is native to SSH and therefore easier. Either way, the connection takes place over the ssh port.

The client will be Dreamweaver CS4, and in its panel there is an FTP option, under which you can choose:
Use Secure FTP (SFTP)

That SFTP will be used.

Well, "Secure FTP" != SFTP, so I wonder which one they actually mean ...

Smoking will kill ya men!

So will life, eventually.
 
DutchDaemon said:
Well, "Secure FTP" != SFTP, so I wonder which one they actually mean ...
And look at their official explanation:
SFTP uses encryption and public keys to secure a connection to your testing server.
LOL!
Looks like I'll simply have to try it on my own. :P
 
Hey hey hey!
You've screwed me up! :P
LOL! :)

I installed filezilla on my FreeBSD 8.0 thinking that it is a server, which it is not!
It is just a client.

And I am talking here about setting up replacement for WebDAV that will behave as suexec and affect only that web tree!

So, I need replacement in a form of SFTP server setup.
Guide? Anyone did this already? Recommendations? Best port?
 
Can't you simply use sshd (a separate instance of it, if you need it) and chroot the users inside their own file tree? Then all they need is a client like Filezilla for SFTP. That was what I was getting at all along...
 
I would use only SFTP, but I have to keep FTP users and Secure FTP users in mind, SO...

I will go for vsftpd.
Tell me, what is the difference between vsftpd-ext and vsftpd?

They have the same options when issuing:
Code:
# make config
And what does RC_NG (install RC_NG script) do?
 
Actually, I went for SFTP.
I use inprocess-sftp, which, when chrooted, works for one sftp client while for the other one it doesn't.
What could be the cause?

Now I run inprocess-sftp but without chroot, so all clients can access it.
 
Yes, I did.
I use the inprocess-sftp server, which requires no support files when used with ChrootDirectory.
And it works, but not for all clients.

After I dropped ChrootDirectory and left only inprocess-sftp, it works for all clients.
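
Added example, not part of the thread: sshd accepts a ChrootDirectory only when every component of its path is a root-owned directory that is not writable by group or others, so the chroot setup suggested above depends on how each account's tree is owned. The Python sketch below checks a directory against that rule; the paths and uids in `SAMPLE` are constructed for illustration.

```python
import os
import stat
import sys
from pathlib import PurePosixPath
from types import SimpleNamespace

def chroot_violations(path, stat_fn=os.stat):
    """List the reasons sshd would reject `path` as a ChrootDirectory ([] = passes)."""
    p = PurePosixPath(path)
    if not p.is_absolute():
        return [f"{path}: ChrootDirectory must be an absolute path"]
    problems = []
    # Walk from "/" down to the chroot directory itself.
    for component in [*reversed(p.parents), p]:
        try:
            st = stat_fn(str(component))
        except OSError as exc:
            problems.append(f"{component}: cannot stat ({exc.strerror})")
            break
        if not stat.S_ISDIR(st.st_mode):
            problems.append(f"{component}: not a directory")
        if st.st_uid != 0:
            problems.append(f"{component}: owned by uid {st.st_uid}, not root")
        if st.st_mode & 0o022:
            problems.append(f"{component}: group/other-writable (mode {stat.S_IMODE(st.st_mode):04o})")
    return problems

def make_dir(mode, uid):
    return SimpleNamespace(st_mode=stat.S_IFDIR | mode, st_uid=uid)

# Constructed sample tree (hypothetical paths and uids), used when no argument is given.
SAMPLE = {
    "/": make_dir(0o755, 0),
    "/www": make_dir(0o755, 0),
    "/www/site1": make_dir(0o755, 0),     # root-owned, passes
    "/www/site2": make_dir(0o755, 1002),  # owned by the site user, fails
    "/www/site3": make_dir(0o775, 0),     # group-writable, fails
}

def sample_stat(path):
    if path not in SAMPLE:
        raise FileNotFoundError(2, "No such file or directory")
    return SAMPLE[path]

if __name__ == "__main__":
    fn = os.stat if sys.argv[1:] else sample_stat
    for target in sys.argv[1:] or ["/www/site1", "/www/site2", "/www/site3"]:
        for line in chroot_violations(target, fn) or [f"{target}: OK"]:
            print(line)
```

Run with one or more directories as arguments to check real paths. Because the chroot directory itself must be root-owned, the site user's writable content has to live in a subdirectory inside it.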
 