mod_dav: a DAV module for Apache

mod_dav is an Apache module to provide DAV capabilities (RFC 2518) for your Apache web server. It is an Open Source module, provided under an Apache-style license. This page serves as a distribution point, as documentation, and as a FAQ for mod_dav. Updates, clarifications, questions, etc, are gratefully accepted at gstein@lyra.org.

A FAQ for mod_dav is being developed and is now available.

mod_dav 1.0 was released on June 13, 2000. Please see the press release for related information.

More information about DAV can be found on the WebDAV Resources site.

On this page Quick links
mod_dav's license
The Bug Database
Anonymous CVS access
CVS web access
Issues for people running old versions

Downloads
mod_dav-1.0.3-1.3.6
install help

davlib.py

Mailing Lists
dav-announce
dav-dev
dav-checkins

How do I get mod_dav?

Right here. The current version is 1.0.3 and has been built and tested against Apache 1.3.x on a Linux system. Other Unix(-like) platforms should not have a problem with mod_dav. There is a separate page for mod_dav on the Win32 platform.

http://www.webdav.org/mod_dav/mod_dav-1.0.3-1.3.6.tar.gz

mod_dav prefers to build against Apache 1.3.6 or later, but it is possible to use it with Apache 1.3.4. Earlier versions are not supported at all, since it is not possible to deploy a secure DAV server unless you use 1.3.4 (the Limit configuration directive is not available for DAV methods in prior versions).

The configuration, compilation, and installation instructions are included with the distribution and are available here for reference. If you're familiar with Apache, then you shouldn't have a problem. The install instructions also cover how to enable the DAV module in your Apache setup.

Problems with your installation? If the above instructions do not help, and you still have problem, then see this section of the installation documentation.

There is a mailing list where I'll be sending announcements about mod_dav releases (and possibly other, important related announcements). Visit the dav-announce list information page to subscribe.

A second mailing list for users and developers is available. Visit the dav-dev list information page to subscribe.

Please note the licensing section below.

You may also need the following packages:

mod_dav is available through anonymous, read-only CVS. Please see the instructions for more information. The CVS archive is also available through your web browser.

mod_dav on Win32

mod_dav works natively on the Win32 platform. Please see the separate page for more information.

Some other options for Apache and mod_dav on Win32 include:


Tell me more about this DAV implementation

mod_dav currently implements a Class 1 and Class 2 DAV server. This means that it provides all the basic DAV facilities for manipulating resources (files) on the target web server, along with manipulating properties on those resources. In addition, it handles the (un)locking of resources so that clients can have exclusive access to modify resources.

This is the final, 1.0 release. It is very stable and well-tested, after its nineteen month development period. Since there is no rush to market on an Open Source product, mod_dav was not labelled as 1.0 until it really felt like a 1.0 release.

Additional patches and releases will be created for mod_dav 1.0 as problems arise. For example, mod_dav 1.0.1 was released on June 28, 2000 to fix a problem on the Win32 platform. mod_dav 1.0.2 was released in October, 2000 to improve the configuration and build process, enhance the conformance to various specifications, fix a number of bugs, and provide for operation on EBCDIC machines.

mod_dav has been incorporated directly into the Apache server's next major release -- Apache 2.0. Development of new functionality and features will be focused on Apache's DAV implementation.

Note: it is entirely possible that some people will want to continue developing a version of mod_dav that works with the Apache 1.3 server. Information will appear here, if this happens.

The implementation is quite complete, except for a few variations from the spec, which I discuss below, along with other known problems. These problems will be fixed in future releases. Also see the Futures section for where mod_dav is headed.

The DAV server operates against the file system to fetch and store the DAV resources and collections (files and directories). Within each directory is a sub-directory named .DAV that contains SDBM (or GDBM) databases to hold properties for the directory itself and each file within the directory.

mod_dav's custom properties

mod_dav is built to provide for custom, live properties defined by plugin modules. The default filesystem plugin defines a single property for managing the "executable" permission flag on files. Setting this flag to true is similar to doing a chmod +x filename. This allows an author to upload a CGI script, then to mark it as executable by the operating system.

Name: executable
Namespace: http://apache.org/dav/props/
Purpose: Describes the executable status of the resource.
Value: "T" | "F"    (case is significant)
Description: This property is defined by mod_dav's default repository, the "filesystem" repository. It corresponds to the "executable" permission flag in most filesystems.

This property is not defined on collections.

Storage of dead properties

Hoo boy. If you want a hot issue, this is one. I asked a simple question about property values and caused a big discussion on the authoring list. Oops. In any case, it does mean that this is a hot topic, so I've called it out special.

mod_dav stores and returns dead properties in almost the same form as the XML that was provided in the PROPPATCH. Here are the specifics:

Here is an example of a PROPPATCH fragment and the resulting PROPFIND fragment:

  <prop>
  <x:myprop xmlns:x="http://host.domain.com/">
    <x:elem x:attr="value" />
  </x:myprop>
  </prop>
  <response xmlns:ns0="http://host.domain.com/">
  <propstat>
  <prop>
  <ns0:myprop>
    <ns0:elem ns0:attr="value"/>
  </ns0:myprop>
  </prop>
  </propstat>
  </response>

Note: I have avoided indentation of the elements to demonstrate the preservation of whitespace within the property value. The <status> and <href> elements have been omitted from the response for clarity.

Variations from RFC 2518

mod_dav has a few items that cause it to be not fully compliant with RFC 2518. The cost for implementation was considered too high, and these issues are not present in typical operation. They may be fixed in some future version of mod_dav.

The section numbers below refer to RFC 2518

Other implementation-specific details

These details are listed as the result of questions regarding the behavior of different DAV servers. As new questions and answers arise, I'll list them here. Note that these behaviors do not contradict RFC 2518; they are considered "implementation-specific."

Futures

Now that mod_dav 1.0.0 has been released, I'll be concentrating on integrating mod_dav directly into the Apache 2.0 codebase. Additional features will be developed as part of Apache 2.0. I plan to add Versioning, Access Control, and then Bindings, References, and DASL (Searching).

Some people are looking at integrating mod_dav with PHP and for use in the Midgard Project. Rational Software has been experimenting with using mod_dav to access their ClearCase product.


Security issues

DAV allows users to place and manipulate files in a directory on your web server. This means that you should take particular care in configuring your DAV server.

When you enable DAV for a directory or location, you should also enable authentication and authorization for that space. If authorization (for authenticated users) is not enabled, then an anonymous user would have full control of the DAV-enabled portion of your web server.

Please see the installation instructions for information on how to properly configure your DAV server to prevent anonymous browsing and updating of your DAV-enabled web content.

At this time, the files that are managed within the DAV directory should be read/write for the web server process. Files and directories that are created by the DAV server will have read/write/exec privileges for the user and group (but not the world) of the server process and will be owned by the process' user/group. For example, if you run your web server as "nobody:nogroup", then you will want to create a base directory owned by nobody:nogroup and give it read/write/exec privs to the user and group.

Possible security attacks

Mostly, the DAV server is subject to Denial of Service attacks. These are listed below:


Known Problems

The mod_dav 1.0 release had no known bugs at the time of its release. If you find a problem, then please enter it into the mod_dav bug database.

Also, please see the install/configuration page if you are experiencing problems. A solution may exist there.

I'm also maintaining a page detailing significant, operational problems found in prior versions for people who haven't upgraded yet.


You've got patches to submit?

I'm absolutely interested in any patches that you may have. If you find and fix bugs, have platform-specific fixes, or you have patches for additional functionality, then please send them my way. I'll review and incorporate them, add your name to the list of acknowledgements, and release a new version.

A mailing list for users and developers is available at the dav-dev list information page.

Here is the current list of (code) contributors to mod_dav:

I'd also like to thank all of the people who have provided bug reports, clarifications, interoperability experiences, etc. The number has simply grown to large to properly list them here. If you have ever dropped me an email with your issues, then you have my thanks!

I'd also like to thank Ken Coar for assistance in setting up mod_dav's anonymous CVS server.

Note: until requested, I won't add mailto: links in case people are leery of spam.


Licensing

The mod_dav software is licensed under an Apache-style license. A full copy of this license is available for reading, and is also enclosed with the software.

The goal for licensing this software is three-fold:

The choice of license to use was actually quite difficult because I would like to ensure that any changes that a commercial entity might make are delivered back to the community (a GPL or MPL style of license). Unfortunately, licenses along that line are hard to manage -- all of the existing, common licenses prevent commercial entities from working with the software (typically, due to patent issues), so a custom license would be required. The Apache-style or BSDish licenses typically don't have these restrictions, but they also don't require changes to be Open Source.

I am hoping that commercial entities using mod_dav will decide to contribute their changes back to the Open Source version. Personally, I believe it is in their best interest (primarily, because the community can debug/enhance/maintain the changes, rather than that companies in-house staff doing so, and dealing with remerging their changes with new versions of mod_dav).

I would like to publicly thank both IBM and Rational for following the spirit of mod_dav's Open Source development. Both companies have contributed extensive patches to mod_dav. IBM contributed the Class 2 locking facilities (by Keith Wannamaker), and Rational contributed the repository-independent subsystem hooks (by John Vasta). Thank you!

It is also interesting to note that Red Hat ships mod_dav as part of their E-Commerce Server.

Please contact me if you have any questions, or you are interested in including mod_dav in your Apache software.

Additional notes

Early versions of mod_dav (0.9.0 through 0.9.5) were licensed under the LGPL. I changed this to ensure that mod_dav reached the broadest audience possible.

Versions of mod_dav prior to 0.9.7 used GDBM to hold properties. The GDBM library is GPL'd, meaning that you cannot (by default) link against it without using the GPL yourself. Starting with 0.9.7, the properties are stored in SDBM databases, and GDBM has been relegated to an option. My understanding is that this satisfies GDBM's licensing.


DAV clients

Please see additional information on the Projects and Software page.

For my own testing, I've been using a couple Python scripts:


Change History

Please see the CHANGES file in the distribution for the changes to earlier versions.


Greg Stein
Last modified: Mon Nov 5 16:28:09 PST 2001