ClearOS Bug Tracker


View Issue Details
ID: 0000059
Project: ClearOS
Category: app-flexshare - Flexshares
View Status: public
Date Submitted: 2010-03-25 16:01
Last Update: 2019-03-11 06:00
Reporter: user2
Assigned To:
Priority: normal
Severity: feature
Reproducibility: N/A
Status: closed
Resolution: won't fix
Platform:
OS:
OS Version:
Product Version:
Target Version:
Fixed in Version:
Summary: 0000059: Add WebDAV support to flexshare
Description: In ClearOS 5.1, the "web" implementation of Flexshare is read-only. By implementing WebDAV, it will be possible to create a read/write web share.
Tags: No tags attached.
Attached Files:

- Relationships
related to 0000115 | closed | user2 | Allow manual WebDAV support in Flexshares

-  Notes
(0000111)
dloper (administrator)
2010-05-12 12:10

I've updated the specification for WebDAV. It is available here: https://docs.google.com/a/clearcenter.com/Doc?docid=0AVxZbmPpTYMCZHNyOTkzel8wZnF2MjZnZ2c&hl=en

If you need access to this document, please email me: dloper {-at-} clearcenter.com
(0000120)
dloper (administrator)
2010-05-17 10:49
edited on: 2010-07-05 15:02

I've updated the document and added a ClearOS 5.1 howto:

http://www.clearfoundation.com/docs/howtos/webdav

(0000191)
user2
2010-07-05 15:21

While creating the specification for WebDAV, a fundamental security issue was discovered. While WebDAV can work in a completely trusted environment, it is not feasible to implement it in a secure manner. It will also not work with file auditing and compliance.

Here is the issue. WebDAV writes files as the web server user (apache). For comparison, other Flexshare services (Samba, FTP) write files as the authenticated user. Consider two shares with WebDAV support: share1 and share2. share1 is for staff at a local school, while share2 is for students. There are two files that were uploaded using WebDAV:

/var/flexshare/shares/share1/file1.txt
/var/flexshare/shares/share2/testscript.php

The testscript.php file was written by a student and contains the command to delete all files in the staff flexshare.

rm /var/flexshare/shares/share1/*

Even though the student does not have Flexshare access to the staff share1, the files in the share are writeable by apache. In other words, the script will work and delete the staff files if it can be executed. Though you can prevent script execution and block shell access, the fundamental security issue remains.

For those who still want to implement WebDAV, the Flexshare system will honor manual configuration done from the command line. See feature 0000115 for details.
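
An added example, not part of the original note or of ClearOS: a small audit that reports which shares a given account can modify at the filesystem level, the property behind the cross-share exposure described in note 0000191. The directory tree, the uids and the function names are constructed for illustration; on a real system you would pass the web server account's uid and groups and the share root.

```python
import os
import tempfile

def can_modify_dir(st, uid, gids):
    """True if (uid, gids) may create or delete entries in the directory described by st.

    Deleting a file needs write + search (0o3) on its parent directory, so the
    directory mode, not the file's own mode, decides whether `rm` succeeds.
    Root's permission bypass is not modelled.
    """
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 0o7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 0o7
    else:
        bits = st.st_mode & 0o7
    return (bits & 0o3) == 0o3

def shares_exposed_to(root, uid, gids=frozenset()):
    """Names of shares under root that contain a directory the identity can modify."""
    exposed = []
    for share in sorted(os.listdir(root)):
        top = os.path.join(root, share)
        if not os.path.isdir(top):
            continue
        for dirpath, _dirs, _files in os.walk(top):
            if can_modify_dir(os.lstat(dirpath), uid, gids):
                exposed.append(share)
                break
    return exposed

def demo():
    """Constructed tree: every share is owned by one account, as with WebDAV uploads."""
    with tempfile.TemporaryDirectory() as root:
        for share, mode in (("share1", 0o770), ("share2", 0o770), ("share3", 0o550)):
            path = os.path.join(root, share)
            os.mkdir(path)
            os.chmod(path, mode)
        service_uid = os.lstat(os.path.join(root, "share1")).st_uid  # stands in for apache
        other_uid = service_uid + 1  # constructed: an account that owns nothing here
        return shares_exposed_to(root, service_uid), shares_exposed_to(root, other_uid)

if __name__ == "__main__":
    as_service, as_other = demo()
    print("modifiable by the shared service account:", as_service)
    print("modifiable by an unrelated account:", as_other)
```

Any share listed for the web server account is reachable by code running as that account, whatever the per-share login rules say.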
(0001259)
marclaporte (manager)
2014-08-05 15:17

If this was revisited, http://sabre.io/ would be something to look at.

Thanks!
(0010541)
NickH (developer)
2019-03-11 06:00

ClearOS is not intending to implement WebDAV because of the issues mentioned in this request.

- Issue History
Date Modified Username Field Change
2010-03-25 16:01 user2 New Issue
2010-03-25 16:01 user2 Status new => assigned
2010-03-25 16:01 user2 Assigned To => dloper
2010-05-12 12:10 dloper Note Added: 0000111
2010-05-17 10:49 dloper Note Added: 0000120
2010-07-05 15:02 user2 Note Edited: 0000120
2010-07-05 15:04 user2 Relationship added related to 0000115
2010-07-05 15:21 user2 Note Added: 0000191
2010-07-05 15:22 user2 Resolution open => suspended
2010-07-05 15:22 user2 Target Version 5.2 =>
2010-07-06 14:52 user2 Relationship added parent of 0000117
2010-07-06 14:53 user2 Relationship deleted parent of 0000117
2014-08-05 15:17 marclaporte Note Added: 0001259
2019-03-11 05:59 NickH Resolution suspended => won't fix
2019-03-11 06:00 NickH Note Added: 0010541
2019-03-11 06:00 NickH Status assigned => closed
2019-03-11 06:00 NickH Assigned To dloper =>