YunoHost-Apps / my_webdav_ynh

Webdav configuration for YunoHost
GNU General Public License v3.0

Clarification of instructions #18

Open cgKAF opened 1 week ago

cgKAF commented 1 week ago

Hello :)

I just wanted a little clarification on how the app should be configured, please. The description says:

My questions are:

  1. Why (and when) shouldn't we add the user's name at the end of the URL? When connecting to a WebDav client, adding user1 to the end of the URL shows user1 their subfolder in /home/yunohost.multimedia on signing in. Also, on my laptop (using Thunar in Linux), trying to navigate to davs://domain-name/my_webdav/ results in an error, and signing in by adding user1 to the end is the only way that works.
  2. Adding a file to /home/yunohost.multimedia/user1 displays it at https://domain-name/my_webdav/user1/. Likewise, adding a file to /home/yunohost.multimedia/ displays it in https://domain-name/my_webdav/. This seems at odds with the instructions, and happens no matter which user is signed in -- am I missing something?
  3. Users can view and edit the contents of other users' folders in /home/yunohost.multimedia/ by default. Is it necessary to change subfolder permissions?

Also, as an additional comment, https://domain-name/my_webdav is only accessible to WebDav clients if visitors have permission to view it in the Yunohost web admin --> Users --> Manage groups and permissions. Otherwise, clients are denied connections.

Marc-Flender commented 1 week ago

Hello, thank you for your remarks. The nginx server uses this conf to operate the WebDAV connections. You will find this file on your server, in the directory /etc/nginx/conf.d/YOUR-DOMAIN-NAME.d/, named my_webdav.conf.

This line of this file says that any HTTP path to WebDAV will be completed with the WebDAV login name (= $remote_user) in order to arrive at /home/yunohost.multimedia/$remote_user. So if you are logged in as user1, then user1 will be added to any path. I decided to use this kind of path in order to separate the WebDAV directories of the users: user1 should not access user2's WebDAV directory.

In your case, it seems that any visitor can access webdav. Is that true?

If so, then you can log in to WebDAV without any credentials, and this explains why you need to add the user name at the end of the URL for the connection.

On my laptop, with Thunar and DAVS, I cannot connect if I add the user name at the end of the URL.

Maybe I missed some point when I configured the webdav_ynh toml file here, because visitors should not access the server.

cgKAF commented 1 week ago

When I try to connect via davs:// with Thunar on my laptop, going to the URL ending in /my_webdav/ results in an error message and no authentication prompt appears. I can't connect this way using Thunar. When I do the same by using /my_webdav/user1, the authentication prompt appears and I can log in, so visitors from the Web in general do not have access to my server (thankfully).

When I try to connect via a WebDav client on my phone, I still need to authenticate but I can do it to /my_webdav/ without adding the user's name on the end, and this shows me the /home/yunohost.multimedia/ folder with the three users' subfolders in it. I can also sign in by adding the user's name to the end, and this requires authentication too.

Either way, I and non-privileged users who sign in are still able to see contents of each other's folders. It seems the owner and group of anything that's added to those subfolders is www-data, even though the folders themselves are owned by the individual users.

Marc-Flender commented 6 days ago

Hi,

Strange.

Can you show me the nginx configuration file, named /etc/nginx/conf.d/YOUR-DOMAIN-NAME.d/my_webdav.conf?

cgKAF commented 5 days ago

Of course. I ran it through cat and the output was:

# Help in case of problems:
# http://www.webdav.org/

rewrite ^/my_webdav$ /my_webdav/ permanent;
location /my_webdav/ {

    # Path to source
    #    location ~ ^/(.*)$ {

    # USER PATH: hard-coded in _common.sh
    alias /home/yunohost.multimedia/$remote_user/$1;

    #    root     /var/www/webdav/$remote_user/$1;

    dav_methods PUT DELETE MKCOL COPY MOVE;
    dav_ext_methods PROPFIND OPTIONS;
    dav_access  user:rw group:rw ;

    client_max_body_size 0;
    create_full_put_path  on;

    # temporary directory: defined as a subdir in manifest.toml
    # WARNING: risk of malfunction if the temporary directory does not have "rwx" access
    # this access is defined in manifest.toml
    client_body_temp_path /home/yunohost.app/my_webdav/tmp/;

    auth_pam "Restricted";
    auth_pam_service_name "common-auth";

    # Include SSOWAT user panel.
    include conf.d/yunohost_panel.conf.inc;
}

Edit: I've also just realised I have no /var/www/webdav/ folder, if that makes a difference?

Marc-Flender commented 4 days ago

Hello,

Thank you. No, you don't need the folder "/var/www/webdav". It was used during development; now the corresponding line is not used in the conf file.

This nginx conf file is correct.

Please can you show me the file /etc/ssowat/conf.json?

cgKAF commented 4 days ago

Here it is:

{
    "cookie_name": "yunohost.portal",
    "cookie_secret_file": "/etc/yunohost/.ssowat_cookie_secret",
    "domain_portal_urls": {
        "default": "/yunohost/admin",
        "domain.tld": "domain.tld/yunohost/sso",
        "domain.tld": "domain.tld/yunohost/sso"
    },
    "permissions": {
        "core_skipped": {
            "auth_header": false,
            "public": true,
            "uris": [
                "domain.tld/yunohost/admin",
                "hat.domain.tld/yunohost/admin",
                "domain.tld/yunohost/api",
                "hat.domain.tld/yunohost/api",
                "domain.tld/yunohost/portalapi",
                "hat.domain.tld/yunohost/portalapi",
                "re:^[^/]*/502\\.html$",
                "re:^[^/]*/\\.well-known/ynh-diagnosis/.*$",
                "re:^[^/]*/\\.well-known/acme-challenge/.*$",
                "re:^[^/]*/\\.well-known/autoconfig/mail/config-v1\\.1\\.xml.*$"
            ],
            "users": []
        },
        "hat.main": {
            "auth_header": "basic-with-password",
            "public": true,
            "uris": [
                "hat.domain.tld"
            ],
            "users": [
                "user1",
                "user2",
                "user3"
            ]
        },
        "my_webdav.main": {
            "auth_header": "basic-with-password",
            "public": true,
            "uris": [
                "domain.tld/my_webdav"
            ],
            "users": [
                "user1",
                "user2",
                "user3"
            ]
        },
        "vaultwarden.admin": {
            "auth_header": "basic-with-password",
            "public": false,
            "uris": [
                "domain.tld/vw/admin"
            ],
            "users": [
                "user3"
            ]
        },
        "vaultwarden.api": {
            "auth_header": false,
            "public": true,
            "uris": [
                "domain.tld/vw/api",
                "domain.tld/vw/identity"
            ],
            "users": []
        },
        "vaultwarden.main": {
            "auth_header": "basic-with-password",
            "public": true,
            "uris": [
                "domain.tld/vw"
            ],
            "users": [
                "user1",
                "user2",
                "user3"
            ]
        }
    },
    "redirected_urls": {},
    "session_folder": "/var/cache/yunohost-portal/sessions"
}

Marc-Flender commented 4 days ago

Ok, here is the problem. The WebDAV authentication process is in the following lines:

        "my_webdav.main": {
            "auth_header": "basic-with-password",
            "public": true,
            "uris": [
                "domain.tld/my_webdav"
            ],
            "users": [
                "user1",
                "user2",
                "user3"
which means that any visitor can connect, because of "public": true.

Those should be:

        "my_webdav.main": {
            "auth_header": true,
            "label": "my_webdav",
            "public": false,
            "uris": [
                "domain.tld/my_webdav"
            ],
            "use_remote_user_var_in_nginx_conf": true,
            "users": [
etc

Your configuration is strange, because the installation through the Yunohost admin page does not allow giving access to any visitor. I recommend you uninstall and re-install it.

Please can you tell me how you made the installation? Using the command line or using the admin page? And when?

Marc

cgKAF commented 4 days ago

OK thank you, I will try reinstalling and let you know.

I installed it from the apps catalogue via the Yunohost web-admin - fairly recently too, within the last 7 days.

cgKAF commented 3 days ago

I've just tried uninstalling and re-installing twice -- once from the web admin and once from the command line -- and the /etc/ssowat/conf.json file looks identical both times.

The only difference I can see is the "public": false, line you referred to, and that only becomes true when I add My WebDav to the visitors permissions on the 'Users' --> 'Groups and permissions' page in the web admin. Everything else looks the same.

Marc-Flender commented 3 days ago

Hello, when you change group permissions to give access to visitors, the admin web page says that you have to check that the application is authorized for this kind of access. So I don't understand your questions. If you give access to visitors, then they don't need credentials, and they directly access /home/yunohost.multimedia. As a matter of fact, in nginx.conf, the rewritten path is alias /home/yunohost.multimedia/$remote_user/$1; This means that if you want to access https://domain-name/my_webdav/SOMEPATH then it will be rewritten to /home/yunohost.multimedia/$remote_user/SOMEPATH

For a visitor, $remote_user is empty, so any visitor can access /home/yunohost.multimedia/. This is why you should not let any visitor access your WebDAV...
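As an added example (not code from the my_webdav_ynh project or from anyone in this thread), the script below models the alias rewrite described in this comment and audits an SSOwat conf.json for the permission block quoted earlier in the thread. The sample configurations are constructed from the values posted above; the only keys checked are "public" and "use_remote_user_var_in_nginx_conf", which are the ones that differ between the posted block and the expected one.

```python
import json
import posixpath

# Directory hard-coded in the nginx conf quoted in the thread.
MULTIMEDIA_ROOT = "/home/yunohost.multimedia"


def resolve_webdav_path(remote_user, request_subpath):
    """Model 'alias /home/yunohost.multimedia/$remote_user/$1;' for a request
    to https://domain/my_webdav/<request_subpath>. nginx substitutes the
    variable verbatim, so an anonymous visitor (empty $remote_user) yields
    '/home/yunohost.multimedia//<subpath>', which the filesystem resolves to
    the shared parent directory that holds every user's folder."""
    raw = f"{MULTIMEDIA_ROOT}/{remote_user}/{request_subpath}"
    return posixpath.normpath(raw)


def audit_ssowat(conf, app_prefix="my_webdav"):
    """Return findings for the app's SSOwat permissions: 'public' must be
    false and 'use_remote_user_var_in_nginx_conf' must be true, otherwise
    nginx can be reached with an empty $remote_user."""
    findings = []
    for name, perm in conf.get("permissions", {}).items():
        if not name.startswith(app_prefix + "."):
            continue  # other apps (e.g. vaultwarden.*) are out of scope
        if perm.get("public") is True:
            findings.append(f"{name}: public is true, visitors reach {MULTIMEDIA_ROOT}/ directly")
        if perm.get("use_remote_user_var_in_nginx_conf") is not True:
            findings.append(f"{name}: use_remote_user_var_in_nginx_conf is not true")
    return findings


# Constructed sample: the my_webdav.main block as posted, plus an unrelated
# permission that the audit must ignore.
SAMPLE_CONF = json.loads("""{"permissions": {
  "my_webdav.main": {"auth_header": "basic-with-password", "public": true,
                     "uris": ["domain.tld/my_webdav"], "users": ["user1", "user2", "user3"]},
  "vaultwarden.api": {"auth_header": false, "public": true,
                      "uris": ["domain.tld/vw/api"], "users": []}}}""")

# Constructed sample: the same block with the maintainer's expected values.
FIXED_CONF = json.loads("""{"permissions": {
  "my_webdav.main": {"auth_header": true, "label": "my_webdav", "public": false,
                     "uris": ["domain.tld/my_webdav"],
                     "use_remote_user_var_in_nginx_conf": true,
                     "users": ["user1", "user2", "user3"]}}}""")

if __name__ == "__main__":
    print(resolve_webdav_path("user1", "notes.txt"))  # per-user folder
    print(resolve_webdav_path("", ""))                # visitor lands on the shared root
    for finding in audit_ssowat(SAMPLE_CONF):
        print("FINDING:", finding)
```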

cgKAF commented 1 day ago

When I deny permissions to visitor group: In Thunar:

Enabling visitor group permissions and doing the same:

HuguesReynaud commented 23 hours ago

Hi, I am in a similar situation to cgKAF:

I am using yunohost 12.0.7.

Marc-Flender commented 19 hours ago

Hello,

Can you try the following? In /etc/ssowat/conf.json, under "my_webdav.main": {

change "auth_header": "basic-with-password", to "auth_header": true,

then restart nginx: service nginx restart

and tell me the results.

cgKAF commented 18 hours ago

I tried what you suggested and I get exactly the same results as I wrote in my last post.

Interestingly, when I add or remove visitor permissions, the "auth_header": true, reverts to "auth_header": "basic-with-password" by itself, with or without restarting nginx.