[lug] WebDav For Apache - the standard for a read-write web!!

Neal McBurnett nealmcb at lucent.com
Wed Jun 14 09:56:21 MDT 2000


WebDAV (Distributed Authoring and Versioning) is a standards effort in
the IETF (RFC2518) for making the Web a read-write medium again (like
it was in 1992 or so in the NeXT implementation).  Imagine - an
integrated, standard alternative to FTP or NFS for getting content
onto the server!  Think "groupware".
	http://www.webdav.org/

Yesterday the stable, 1.0 release of mod_dav was announced:
	http://www.webdav.org/mod_dav/press-release.html 
	http://www.webdav.org/mod_dav/

See also the slashdot story:
 http://slashdot.org/article.pl?sid=00/06/12/2212239&mode=nested

 mod_dav 1.0 has been released, providing WebDAV functionality for the
 Apache HTTP Server. mod_dav is an Open Source, fully functional,
 standards compliant WebDAV add-on for Apache, providing remote
 authoring capabilities through clients such as sitecopy, cadaver,
 GoLive and Web Folders. In addition, the Apache Software Foundation
 is announcing that Apache 2.0 will directly incorporate mod_dav's
 functionality into the standard distribution.

Despite the name, "Versioning" is not yet part of the standard.
See http://www.webdav.org/deltav/

The security expectations of mod_dav are important to note.
Originally in the web the expectation was that the web server ran as
"nobody" and should not be able to really do anything like write to
files.  The web content was owned by different userids.  But of course
people often wrote cgi-bin scripts to manage databases, and write
access to all those databases, as well as read access to most of the
server, was shared among all cgi-bin authors.

In mod_dav, everything under DAV control is *owned* by the server's
run-time userid.  So you should compartmentalize a webdav server from
other servers in which there are lots of cgi-bin scripts running as
"nobody".  E.g. I would use a different server process with a
different userid and perhaps a different host for webdav, and control
cgi-bin access on that host even more carefully than normal, since it
can write as well as read all the content.  If all the cgi-bin
scripts are completely safe, everything is ok, but that seems
to rarely be the case in the real world.

Finally, note that mod_dav does not use a GPL license - it is more
like the old BSD license with its troublesome advertising clause.
	http://www.gnu.org/philosophy/bsd.html

So it can be reused in products at the cost of a public acknowledgement.

Cheers,

Neal McBurnett <neal at bcn.boulder.co.us>  303-538-4852
Bell Labs / Lucent Technologies
http://bcn.boulder.co.us/~neal/      (with PGP key)
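
Added example, not part of the original post and not mod_dav's own code: a small check that reads one server instance's httpd.conf and reports the two conditions the post warns about, DAV running under a shared userid and CGI execution enabled in the same server. Both sample configurations are constructed; the "davsrv" userid, the paths, and the SHARED_IDS set are assumptions.

```python
# Constructed sample configurations; "davsrv" and all paths are hypothetical.
SHARED_CONF = """\
User nobody
ScriptAlias /cgi-bin/ /var/www/cgi-bin/
<Location /authoring>
    DAV On
</Location>
"""
DEDICATED_CONF = """\
User davsrv
<Location />
    DAV On
    Options -ExecCGI
</Location>
"""
SHARED_IDS = {"nobody"}  # assumption: userids that other servers' CGI scripts also run as

def directives(conf_text):
    """Yield (name, args) per directive, lowercased; section tags and comments skipped."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, *args = line.lower().split()
        yield name, args

def enables_cgi(name, args):
    """True if this directive turns on CGI execution somewhere in the server."""
    if name in ("scriptalias", "scriptaliasmatch"):
        return True
    if name == "addhandler" and args[:1] == ["cgi-script"]:
        return True
    if name == "options":  # "Options -ExecCGI" switches CGI off, so skip "-" arguments
        return any(a.lstrip("+") in ("execcgi", "all") for a in args if not a.startswith("-"))
    return False

def audit(conf_text):
    """Return a list of findings for one server instance's configuration."""
    ds = list(directives(conf_text))
    if not any(n == "dav" and a[:1] == ["on"] for n, a in ds):
        return []  # no DAV in this instance, nothing to compartmentalize
    findings = []
    user = next((a[0] for n, a in ds if n == "user" and a), None)
    if user is None or user in SHARED_IDS:
        findings.append("DAV runs as shared or unset userid: %s" % user)
    if any(enables_cgi(n, a) for n, a in ds):
        findings.append("CGI execution enabled in the same server as DAV")
    return findings
```

The check treats the whole file as one server process, since the run-time userid is per process, and it does not follow Include directives.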



