diff -Nur smeserver-mod_dav-1.1.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/95Addmod_dav2ibays smeserver-mod_dav-1.1/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/95Addmod_dav2ibays --- smeserver-mod_dav-1.1.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/95Addmod_dav2ibays 2021-02-28 22:41:40.846000000 -0500 +++ smeserver-mod_dav-1.1/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/95Addmod_dav2ibays 2021-03-02 11:57:52.069000000 -0500 @@ -1,71 +1,92 @@ { use esmith::AccountsDB; + use esmith::DAV; my $adb = esmith::AccountsDB->open_ro(); $OUT = ""; foreach my $ibay ($adb->ibays) { my %properties = $ibay->props; my $key = $ibay->key; + my $dynamicContent = $properties{'CgiBin'} || "disabled"; + my $secureEXEC = $properties{'ModDavSecureEXEC'} || 'enabled'; + my $access = $properties{'PublicAccess'} || 'none'; + $OUT .= "\n # ibay $key disabled for httpd so no DAV access\n" if $access eq 'none'; + next if $access eq 'none'; + # true if have to be password accessible from somewhere. + my $satisfy = ($access eq 'global-pw-remote')? 'any': 'all'; if ($properties{'ModDav'}) { if ($properties{'ModDav'} eq 'enabled') { + my $ReadRequire = esmith::DAV::getRequireUser("read", $key ); + my $WriteRequire = esmith::DAV::getRequireUser("write", $key); + my $ReadAllow = esmith::DAV::getAllow("read", $key, $localAccess ); + my $WriteAllow = esmith::DAV::getAllow("write", $key, $localAccess ); + $OUT .= "\n\n\n"; $OUT .= " # Enable DAV access for this directory tree\n"; $OUT .= " DAV On\n\n"; + #we will not seriously let you type your password over the network without encryption + $OUT .= " SSLRequireSSL\n\n"; + + if ($dynamicContent eq 'enabled' && $secureEXEC eq 'enabled') + { + # we do not want PHP or CGI to be runt there for security reason + $OUT .= " \n"; + $OUT .= " #disabling php\n"; + $OUT .= " SetHandler !\n"; # could use also SetHandler none + $OUT .= " deny from all\n" if ( $properties{'ModDavHidePHP'} || 'enabled' ) eq 'enabled'; + $OUT .= " \n"; + $OUT .= " Options -ExecCGI\n"; + $OUT .= " RemoveHandler .cgi .php .php3 .php4 .php5 .phtml .pl .py .pyc .pyo\n"; + $OUT .= " php_flag engine off\n" if ((exists $php{status} and $php{status} eq "enabled") and $phpModule eq "enabled") ;# can not use this one when php module not in use + } + + $OUT .= " FileETag ".$properties{'ModDav-FileETag'}."\n\n" if ($properties{'ModDav-FileETag'}); - if ($properties{'ModDav-FileETag'}) - { - $OUT .= " FileETag ".$properties{'ModDav-FileETag'}."\n\n"; - } $OUT .= " AllowOverride None\n"; $OUT .= " Options +Indexes \n\n"; $OUT .= " # Allow fancy indexing by columns and download by clicking icon\n"; $OUT .= " IndexOptions FancyIndexing IconsAreLinks\n\n"; - if ($properties{'Group'}) - { - $OUT .= " AuthName \"$key\"\n"; - $OUT .= " AuthBasicProvider external\n"; - $OUT .= " AuthType Basic\n"; - $OUT .= " AuthExternal pwauth\n\n"; - # Save groupname and find it in the group list - $iBayGroup = $properties{'Group'}; - foreach my $group ($adb->groups) - { - my %groupprops = $group->props; - my $grpkey = $group->key; - if ($grpkey eq $iBayGroup) - { - # we have the group that owns the DAV iBay - # If there are members of the group validate on them, - # otherwise on the ibayname - if ($groupprops{'Members'}) - { - # need to break user list on commas then output each one... - my @values = split(',',$groupprops{'Members'}); - $OUT .= " # Replace ibay name with any valid group member to validate\n"; - $OUT .= " Require user "; - foreach my $val (@values) { - $OUT .= $val . " "; - } - $OUT .= "\n\n"; - } - else - { - # No group members so use ibay name for validation - $OUT .= " # use ibay name to validate\n"; - $OUT .= " Require user " . $key . "\n\n"; - } - } - } - } - # Ensure only valid users get to do stuff... - $OUT .= " \n\n"; - $OUT .= " Allow from all\n"; - $OUT .= " Require valid-user\n\n"; - $OUT .= " \n\n"; + + # bug with httpd-2.4 fixed in httpd-2.5 only see https://bz.apache.org/bugzilla/show_bug.cgi?id=54914 PROPFIND will fail + $OUT .= " #because of bug https://bz.apache.org/bugzilla/show_bug.cgi?id=54914 in httpd 2.4 DirectoryIndex disabled is needed for webdav to work\n"; + $OUT .= " DirectoryIndex disabled\n\n" unless ( ($properties{'ModDavNoDirectoryIndex'}||"enabled" ) eq "disabled"); + $OUT .= " #DirectoryIndex disabled : DavNoDirectoryIndex has been defined to force DirectoryIndex \n\n" if ( ($properties{'ModDavNoDirectoryIndex'}||"enabled" ) eq "disabled"); + + $OUT .= " order deny,allow\n"; + $OUT .= " deny from all\n"; + $OUT .= " " . $ReadAllow . "\n"; + $OUT .= " AuthName \"$properties{'Name'}\"\n"; + $OUT .= " AuthBasicProvider external\n"; + $OUT .= " AuthType Basic\n"; + $OUT .= " AuthExternal pwauth\n"; + $OUT .= " " . $ReadRequire . "\n"; + $OUT .= " Satisfy $satisfy\n\n"; + + # Ensure only valid users get to do stuff... update 2021/02: + # GET, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK + # some suggest : AllowMethods HEAD GET POST CONNECT PUT DELETE OPTIONS PROPFIND PROPPATCH MKCOL MKCALENDAR COPY MOVE LOCK UNLOCK TRACE + # TRACE is not supposed to be limited by this directive, should use TraceEnable + # LimitExcept is suggested over Limit in order to catch all non standard methods + # however we put our limit to the whole folder with the Require user .... above, so the whole block under seems useless + # unless we reduce it to one user, or are fool to enlarge to Require valid-user +# $OUT .= " \n\n"; +# $OUT .= " Allow from all\n"; +# $OUT .= " Require user $userlist\n\n"; +# $OUT .= " \n\n"; + + $OUT .= " \n"; + $OUT .= " " . $WriteRequire . "\n"; + $OUT .= " Satisfy All\n"; + $OUT .= " ". $WriteAllow ."\n"; + $OUT .= " \n\n"; $OUT .= "\n"; } } + else + { + $OUT .= "\n # DAV disabled for ibay $key\n"; + } } } diff -Nur smeserver-mod_dav-1.1.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/21IbayWebDav smeserver-mod_dav-1.1/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/21IbayWebDav --- smeserver-mod_dav-1.1.old/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/21IbayWebDav 1969-12-31 19:00:00.000000000 -0500 +++ smeserver-mod_dav-1.1/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/21IbayWebDav 2021-03-02 11:57:55.866000000 -0500 @@ -0,0 +1,34 @@ +{ +# this fragment is to force SSL redirection for webdav activated account in case it is not already enabled +# could be removed if core fragment 20IbaysContent introduce forced ssl for DAV + use esmith::AccountsDB; + my $adb = esmith::AccountsDB->open_ro(); + $OUT = ""; + foreach my $ibay ($adb->ibays) + { + my %properties = $ibay->props; + my $key = $ibay->key; + my $dynamicContent = $properties{'CgiBin'} || "disabled"; + my $secureEXEC = $properties{'ModDAVsecureEXEC'} || 'enabled'; + my $access = $properties{'PublicAccess'} || 'none'; + $OUT .= "\n # ibay $key disabled for httpd so no DAV access\n" if $access eq 'none'; + next if $access eq 'none'; + # true if have to be password accessible from somewhere. + my $ispassibay = $access =~ /-pw/; + my $satisfy = ($access eq 'global-pw-remote')? 'any': 'all'; + if ($properties{'ModDav'}) + { + if ($properties{'ModDav'} eq 'enabled') + { + # we force SSL redirection in case DAV is enabled + if (( $port ne $httpsPort ) && (($ibay->prop('SSL') || 'disabled') ne 'enabled')) + { + my $portspec = ($httpsPort eq 443) ? "" : ":$httpsPort"; + $OUT .= " RewriteEngine on\n"; + $OUT .= " RewriteRule ^/$key(/.*|\$) https://%{HTTP_HOST}${portspec}/$key\$1 \[L,R\]\n"; + } + } + } + } +} + diff -Nur smeserver-mod_dav-1.1.old/root/usr/share/perl5/vendor_perl/esmith/DAV.pm smeserver-mod_dav-1.1/root/usr/share/perl5/vendor_perl/esmith/DAV.pm --- smeserver-mod_dav-1.1.old/root/usr/share/perl5/vendor_perl/esmith/DAV.pm 1969-12-31 19:00:00.000000000 -0500 +++ smeserver-mod_dav-1.1/root/usr/share/perl5/vendor_perl/esmith/DAV.pm 2021-03-02 12:07:13.442000000 -0500 @@ -0,0 +1,118 @@ + +package esmith::DAV; + +use strict; +use warnings; +use esmith::AccountsDB; +my $adb = esmith::AccountsDB->open_ro(); + +use vars qw( $AUTOLOAD @ISA ); + + sub getRequireUser { + my ($mode, $key) = @_; + my $ibay = $adb->get($key) or return "Require user admin"; + my %properties = $ibay->props or return "Require user admin"; + my $iBayGroup = $properties{'Group'} || 'admin'; + my $accessMode = $properties{'UserAccess'} || 'wr-admin-rd-group'; + my $access = $properties{'PublicAccess'} || 'none'; + my $ispassibay = $access =~ /-pw/; + my $Anonymous = $properties{'ModDavAnonymousRead'} || "disabled"; + my $MEMBERS = getMembers( $key, $iBayGroup); + my $REQUIRE = ""; + if ($mode eq "read") + { + if ($accessMode eq "wr-group-rd-everyone") + { + if ( $Anonymous eq "enabled" ) + { + $REQUIRE = "# Allowing unauthenticated read access"; + } + else + { + my $EVERYONE = join(' ' , ( (map { $_->key } $adb->users) , qw (admin) )); #shared user members + #$REQUIRE = "#wr-group-rd-everyone : members of shared\n"; + $REQUIRE .= "Require user " . $EVERYONE; + } + } + else + { + $REQUIRE = "Require user " . $MEMBERS; + if ($accessMode eq "wr-admin-rd-group") + { + # add "admin" to the read group to avoid read/write auth conflicts + $REQUIRE .= " admin"; + } + } + if ($ispassibay) + { + #we have local-pw or global-pw or global-pw-remote + $REQUIRE = ( $REQUIRE =~ /Require user / ) ? "$REQUIRE $key" : "Require user $key"; + $REQUIRE .= " $MEMBERS" if ( $access =~ /remote/ ); + } + } + else + { + if ($accessMode eq "wr-admin-rd-group") + { + $REQUIRE = "Require user admin"; + } + else + { + $REQUIRE = "Require user " . $MEMBERS; + } + } + return $REQUIRE; + } + + sub getAllow { + my ($mode, $key, $localAccess ) = @_; + $localAccess = (defined $localAccess ) ? $localAccess : "127.0.0.1"; + my $ibay = $adb->get($key) or return "allow from 127.0.0.1"; + my %properties = $ibay->props or return "allow from 127.0.0.1"; + my $Public = $properties{'PublicAccess'} || 'none'; + + my $allow = "allow from 127.0.0.1"; + if ($Public eq 'none') + { + $allow = "# allow from set to NONE"; + } + elsif ($Public =~ /(local|remote)/ ) + { + $allow = "allow from " . $localAccess; + } + elsif ($Public =~ /global/) + { + $allow = "allow from all"; + } + return $allow; + } + + sub getMembers { + my ($key, $iBayGroup) = @_; + my $MEMBERS = $key; + foreach my $group ( ($adb->groups, $adb->get('admin'), $adb->get('shared') ) ) + { + my %groupprops = $group->props; + my $grpkey = $group->key; + if ($grpkey eq $iBayGroup) + { + # we have the group that owns the DAV iBay + # If there are members of the group validate on them, + # otherwise on the ibayname + my $GroupMembers = $groupprops{'Members'} || undef; + $GroupMembers = "admin" if ( $grpkey eq "admin" ); + $GroupMembers = join(' ' , ( (map { $_->key } $adb->users) , qw (admin) )) if ( $grpkey eq "shared" ) ; + + if ($GroupMembers) + { + # need to break user list on commas then output each one... + my @values = split(',',$GroupMembers); + $MEMBERS = "" unless (!@values) ; + foreach my $val (@values) { + $MEMBERS .= $val . " "; + } + } + } + } + return $MEMBERS; + }