Is there a multi-user webdav server available for linux?
If you have the username and/or the uid, you can do this with nginx + lua + luarocks ljsyscall.
On a Debian system, configured as:
    apt-get -y install nginx libnginx-mod-http-dav-ext libnginx-mod-http-lua luarocks
    luarocks install ljsyscall
And nginx configured the following way:
    user root;
    worker_processes 1;
    load_module modules/ngx_http_dav_ext_module.so;
    load_module modules/ndk_http_module.so;
    load_module modules/ngx_http_lua_module.so;
    error_log /var/log/nginx/error.log warn;
    pid /var/run/nginx.pid;
    events {
        worker_connections 1024;
    }
    http {
        sendfile on;
        keepalive_timeout 65;
        gzip on;
        server {
            listen 80;
            listen [::]:80;
            location / {
                # Redirect plain HTTP to the HTTPS server below
                rewrite ^ https://$host$request_uri?; # permanent;
            }
        }
        server {
            listen 443 ssl http2;
            listen [::]:443 ssl http2;
            ssl on;
            # [ SSL Sections Omitted ]
            # Set the maximum size of uploads
            client_max_body_size 200m;
            # Default is 60, May need to be increased for very large uploads
            client_body_timeout 120s;
            # other configs
            location /webdav/ {
                autoindex on;
                alias /data/www/;
                client_body_temp_path /data/client_temp;
                dav_methods PUT DELETE MKCOL COPY MOVE;
                dav_ext_methods PROPFIND OPTIONS;
                create_full_put_path on;
                # Not sure if you want to tweak this
                # dav_access group:rw all:r;
                # Let's assume you have an auth subrequest that can set X-UID
                auth_request /auth;
                auth_request_set $auth_status $upstream_status;
                auth_request_set $saved_remote_user $upstream_http_REMOTE_USER;
                auth_request_set $saved_remote_uid $upstream_http_X_UID;
                # Per-Request Impersonation
                access_by_lua_block {
                    -- Boilerplate because ljsyscall doesn't have setfsuid implemented directly
                    local syscall_api = require 'syscall'
                    local ffi = require "ffi"
                    local nr = require("syscall.linux.nr")
                    local sys = nr.SYS
                    local uint = ffi.typeof("unsigned int")
                    local syscall_long = ffi.C.syscall -- returns long
                    local function syscall(...) return tonumber(syscall_long(...)) end
                    local function setfsuid(id) return syscall(sys.setfsuid, uint(id)) end
                    -- If you only have ngx.var.saved_remote_user, install luaposix and do this ...
                    -- local pwd = require 'posix.pwd'
                    -- local new_uid = pwd.getpwnam(ngx.var.saved_remote_user).pw_uid
                    local new_uid = tonumber(ngx.var.saved_remote_uid)
                    -- Fail closed if the auth subrequest did not return a numeric X-UID
                    if not new_uid then
                        ngx.log(ngx.CRIT, "Auth response carried no usable X-UID")
                        return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
                    end
                    ngx.log(ngx.NOTICE, "[Impersonating User #" .. new_uid .. "]")
                    -- setfsuid always returns the previous fsuid, so call it twice:
                    -- the second return value is the fsuid actually in effect
                    local previous = setfsuid(new_uid)
                    local actual = setfsuid(new_uid)
                    if actual ~= new_uid then
                        ngx.log(ngx.CRIT, "Unable to impersonate users")
                        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
                    end
                }
            }
            # Internal-only endpoint used by auth_request above
            location = /auth {
                internal;
                proxy_pass http://localhost:8080/auth;
                proxy_pass_request_body off;
                proxy_set_header Content-Length "";
                proxy_set_header X-Original-URI $request_uri;
                proxy_set_header X-Original-Method $request_method;
            }
        }
    }
This will execute setfsuid on every request serviced by the nginx worker. Unfortunately, it seems you must be running nginx as root in order for this to work right currently. I believe it's possible for this to work with a different user provided the process started as root, dropped to a different user, with CAP_SETUID preserved (see documentation for capsh), and the user directive is absent in the nginx config file.
You may also need to set the group IDs, potentially.
See "Effect of user ID changes on capabilities" in http://man7.org/linux/man-pages/man7/capabilities.7.html
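The following is an added example, not part of the original answer: the same setfsuid check written in C, with strict validation of the UID string an auth backend would return in X-UID. The function names are hypothetical, and refusing UID 0 is a policy assumed for this example; the verification step uses `setfsuid(-1)`, which never changes the fsuid and so reports the value currently in effect.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/fsuid.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse the UID string supplied by the auth backend (X-UID in the config above).
 * Plain decimal only: reject empty, signed, trailing junk, overflow,
 * 0 (root, an assumed policy) and (uid_t)-1, which setfsuid treats as a query. */
static int parse_uid(const char *s, uid_t *out) {
    if (!s || *s < '0' || *s > '9') return -1;
    errno = 0;
    char *end;
    unsigned long v = strtoul(s, &end, 10);
    if (errno || *end != '\0' || v == 0 || v >= 0xFFFFFFFFUL) return -1;
    *out = (uid_t)v;
    return 0;
}

/* setfsuid() returns the previous fsuid whether or not it succeeded, so
 * confirm the change with a second call that cannot succeed: setfsuid(-1). */
static int set_fsuid_checked(uid_t uid) {
    setfsuid(uid);
    return (uid_t)setfsuid((uid_t)-1) == uid ? 0 : -1;
}

/* Impersonate for one request; on -1 the caller must refuse the request. */
static int impersonate(const char *uid_header) {
    uid_t uid;
    if (parse_uid(uid_header, &uid) != 0) return -1;
    return set_fsuid_checked(uid);
}

int main(void) {
    /* Constructed sample header values, not taken from a real deployment */
    const char *samples[] = { "1000", "0", "-1", "1000abc", "", "4294967295" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-12s -> %s\n", samples[i],
               impersonate(samples[i]) == 0 ? "impersonated" : "refused");
    set_fsuid_checked(geteuid()); /* restore before serving anything else */
    return 0;
}
```

Without root or CAP_SETUID, a well-formed UID other than the caller's own is also refused, because the kernel leaves the fsuid unchanged and the `setfsuid(-1)` check detects it.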