Server Admin 10.4 Help
Understanding WebDAV
If you use WebDAV to provide live authoring on your website, you should create realms and set access privileges for users. Each site you host can be divided into a number of realms, each with its own set of users and groups that have either browsing or authoring privileges.
Defining Realms
When you define a realm, which is typically a folder (or directory), the access privileges you set for the realm apply to all the contents of that directory. If a new realm is defined for one of the folders within the existing realm, only the new realm privileges apply to that folder and its contents. Setting WebDAV Privileges
The Apache process running on the server needs to have access to the website's files and folders. To provide this access, Mac OS X Server installs a user named "www" and a group named "www" in the server's Users & Groups List. The Apache processes that serve webpages run as the www user and as members of the www group. You need to give the www group read access to files within websites so that the server can transfer the files to browsers when users connect to the sites. The Apache process runs with effective user id and group id of www and needs access to the files and directories in the WebDAV realm, and to the /var/run/davlocks directory.
Understanding WebDAV Security
In Mac OS X Server 10.4, WebDAV lets you use a web server as a file server. Clients use their browsers from any location, on any type of computer, to access and share files on the server. See Using WebDAV for more information about using WebDAV for file sharing.
WebDAV also lets users update files in a website while the site is running. When WebDAV is enabled, the web server must have write access to the files and folders within the site users are updating.
Both features of WebDAV—providing a file server with browser access and website updating—have significant security implications when other sites are running on the server, because individuals responsible for one site may be able to modify other sites.
You can avoid this problem by carefully setting access privileges for the site files using the Sharing module of the Workgroup Manager application. Mac OS X Server uses a predefined group www, which contains the Apache processes. You need to give the www group Read & Write access to files within the website. You also need to assign these files Read & Write access by the website administrator (Owner) and No Access to Everyone.