ClearFoundation Tracker - ClearOS
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0000059ClearOSapp-flexshare - Flexsharespublic2010-03-25 16:012019-03-11 06:00
Reporteruser2 
Assigned To 
PrioritynormalSeverityfeatureReproducibilityN/A
StatusclosedResolutionwon't fix 
PlatformOSOS Version
Product Version 
Target VersionFixed in Version 
Summary0000059: Add WebDAV support to flexshare
DescriptionIn ClearOS 5.1, the "web" implementation of Flexshare is read-only. By implementing WebDAV, it will be possible to create a read/write web share.
Steps To Reproduce
Additional Information
TagsNo tags attached.
Relationships
related to 0000115closed user2 Allow manual WebDAV support in Flexshares 
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2010-03-25 16:01user2New Issue
2010-03-25 16:01user2Statusnew => assigned
2010-03-25 16:01user2Assigned To => dloper
2010-05-12 12:10dloperNote Added: 0000111
2010-05-17 10:49dloperNote Added: 0000120
2010-07-05 15:02user2Note Edited: 0000120
2010-07-05 15:04user2Relationship addedrelated to 0000115
2010-07-05 15:21user2Note Added: 0000191
2010-07-05 15:22user2Resolutionopen => suspended
2010-07-05 15:22user2Target Version5.2 =>
2010-07-06 14:52user2Relationship addedparent of 0000117
2010-07-06 14:53user2Relationship deletedparent of 0000117
2014-08-05 15:17marclaporteNote Added: 0001259
2019-03-11 05:59NickHResolutionsuspended => won't fix
2019-03-11 06:00NickHNote Added: 0010541
2019-03-11 06:00NickHStatusassigned => closed
2019-03-11 06:00NickHAssigned Todloper =>

Notes
(0000111)
dloper   
2010-05-12 12:10   
I've updated the specification for WebDAV. It is available here: https://docs.google.com/a/clearcenter.com/Doc?docid=0AVxZbmPpTYMCZHNyOTkzel8wZnF2MjZnZ2c&hl=en [^]

If you need access to this document please email me dloper {-at-} clearcenter.com
(0000120)
dloper   
2010-05-17 10:49   
(edited on: 2010-07-05 15:02)
I've updated the document and added a ClearOS 5.1 howto:

http://www.clearfoundation.com/docs/howtos/webdav [^]
(0000191)
user2   
2010-07-05 15:21   
While creating the specification for WebDAV, a fundamental security issue was discovered. While WebDAV can work in a completely trusted environment, it is not feasible to implement it in a secure manner. It will also not work with file auditing and compliance.

Here is the issue. WebDAV writes files as the web server user (apache). For comparison, other Flexshare services (Samba, FTP), write files as the authenticated user. Consider two shares with WebDAV support: share1 and share2. The share1 is for staff at a local school, while share2 is for students. There are two files that were uploaded using WebDAV:

/var/flexshare/shares/share1/file1.txt
/var/flexshare/shares/share2/testscript.php

The testscript.php file was written by a student and contains the command to delete all files in the staff flexshare.

rm /var/flexhsare/shares/share1/*

Even though the student does not have Flexshare access to the staff share1, the files in the share are writeable by apache. In other words, the script will work and delete the staff files if it can be executed. Though you can prevent script execution and block shell access, the fundamental security issue remains,

For those who still want to implement WebDAV, the Flexshare system will honor manual configuration done from the command line. See feature 0000115 for details.
(0001259)
marclaporte   
2014-08-05 15:17   
If this was revisited, http://sabre.io/ [^] would be something to look at.

Thanks!
(0010541)
NickH   
2019-03-11 06:00   
ClearOS is not intending to implement WebDAV because of the issues mentioned in this request.