#1 2017-10-25 03:43:17

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 7,132

Possible: WebDav as file system without copy or clear text password?

I've been having trouble with my institution's network file storage, which I've always accessed via the web. I thought I might try seeing if I could access it directly.

Following https://wiki.archlinux.org/index.php/WebDAV (client part), I can access it fine using cadaver. However, I would ideally like to mount it in a similar way to the way I mount a remote file system over SSH. (By similar, I mean in terms of the resulting interface and not in terms of the way I get that interface to appear.)

https://wiki.archlinux.org/index.php/Davfs recommends davfs2. However, there seem to be two disadvantages to this approach. One, I think I probably have to avoid. Two, I would merely like to avoid.

The first is that the configuration requires me to store my credentials in a clear text file, ~/.davfs2/secrets. Now, obviously, I can make the permissions for the directory 700 and those for the file 600. However, that is really no protection at all as the file is fully exposed whenever I'm logged in. If this is the only possibility, I think I have to abandon the project and accept that this is just currently an OS X/Windows option not available on Linux. (Possibly why my institution provides instructions only for Windows and Mac, although this is pretty standard, albeit they sometimes omit the Mac, too, but perhaps they have an unusually good reason in this case.)

In my ideal world, I'd have gpg-agent handle the credentials and present me with its usual pin-entry dialogue box and it would squirrel my credentials away somewhere in encrypted form. However, I realise that is not how this is going to work. I am fine being prompted to enter my password or even my password and user name when I try to access the web dav resource. Or I'm fine if I can store them encrypted. (I'm assuming they need to be usable by my user, so they can't, for example, just be readable by root or some special user.)

netctl profiles for eduroam have something of the same problem, but here the password can be turned into a hash, at least, and the file can be readable only by root, so it is not akin to putting clear text in a file under my home directory, readable by me, which seems to be what davfs2 requires.

The second is that I would really hope to find a solution which does not require local copies of files for editing etc. https://bbs.archlinux.org/viewtopic.php?id=217548 asks a similar question, but received no answers. It does suggest that Nautilus can do it, which suggests that something underneath must be making the networked files available in the desired manner. However, it is years since I briefly used Nautilus and I am not sure if (1) it really does this or (2) how it does it, if it does.

In the AUR, fusedav-git, kiofuse-svn, cloudfusion-git and wdfs all have descriptions which suggest they might do something along the lines of my second desideratum, but I'm suspicious that the wiki does not even mention them, preferring davfs2, if the former are really superior. Moreover, kiofuse-svn appears to be for KDE 4 rather than KDE 5, which probably spells trouble shortly, if not right now.

Moreover, I'm not sure how to find out whether or how any of these options might support secure handling of credentials. I could build them and install them and then play around with them all, but I'm not sure I know enough about webdav that I'd recognise a suitable option if it leapt out of a manual page and clobbered me over the head, so this method is not likely to prove terribly informative in my case, I suspect. Unless it says pretty much 'this option lets you do what you do for sshfs' or 'this option lets you do what you do for eduroam', it is probably going to pass me by.

Is there a good option for this and, if so, is there documentation explaining it somewhere? Maybe a wiki page I haven't found? (I almost missed the davfs page because I searched for 'webdav' and the webdav page didn't seem to signpost it. Luckily, https://bbs.archlinux.org/viewtopic.php?id=220829 referenced it, so a forum search threw it up, showing that even dustbinned threads can contain, if not gold, at least small change in amongst the fish heads.)

I could also, apparently, access the same files using CIFS. I haven't yet investigated this, since this would only work on campus and not remotely. I don't know if I could tunnel something over SSH, but the webdav route would be the more reliable, if I can make that work.

I wonder if kioclient5/kioclient can do this, but there are no manual pages and the examples may or may not exhaust the supported protocols.

Last edited by cfr (2017-10-25 03:52:49)


Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L

#2 2017-10-25 07:55:15

nesk
Member
Registered: 2011-03-31
Posts: 181

Re: Possible: WebDav as file system without copy or clear text password?

cfr wrote:

In my ideal world, I'd have gpg-agent handle the credentials and present me with its usual pin-entry dialogue box and it would squirrel my credentials away somewhere in encrypted form. ... Or I'm fine if I can store them encrypted. (I'm assuming they need to be usable by my user, so they can't, for example, just be readable by root or some special user.)

Looking at the davfs man page, this seems feasible, albeit with a little more manual labour than you describe :)
Assuming GNOME Keyring, libgnome-keyring (just in case) and libsecret are installed and the Login keyring is properly unlocked on login, the following should work:
1) Do this once:

secret-tool store --label='My uni DavFS creds' descr "creds for university WebDAV" username "WebDAV_user" servername "my.dav.server"
Password: << enter password here

2) Script to mount with davfs:

#!/usr/bin/sh
secret-tool lookup descr "creds for university WebDAV" username "WebDAV_user" servername "my.dav.server" | mount -t davfs -o user,uid=username,gid=groupname,username=WebDAV_user,rw webdavserver.com /mount/point

I never used davfs2 and I don't have a WebDAV server to experiment on, so the mounting part might need some ironing.
Hope this helps.
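
A wrapper around the keyring lookup and mount from post #2, as an added example that is not part of either post. It assumes an /etc/fstab entry for the mount point with the `user` option and that mount.davfs reads its username and password prompts from standard input (as the pipeline in the post relies on); `dav_mount`, `secrets_has_entries` and the `SECRET_TOOL`, `MOUNT` and `DAV_*` variables are hypothetical names.

```shell
#!/bin/sh
# Added example: keyring-backed davfs2 mount wrapper (defines functions only).
# Attribute names mirror the `secret-tool store` call shown in the post.
SECRET_TOOL=${SECRET_TOOL:-secret-tool}      # overridable, e.g. for testing
MOUNT=${MOUNT:-mount}
DAV_SECRETS=${DAV_SECRETS:-$HOME/.davfs2/secrets}
DAV_DESCR=${DAV_DESCR:-creds for university WebDAV}

# Succeeds if the davfs2 secrets file holds any credential line,
# i.e. anything other than blank lines and '#' comments.
secrets_has_entries() {
    [ -f "$1" ] && grep -Eqv '^[[:space:]]*(#|$)' "$1"
}

# dav_mount USER SERVER MOUNTPOINT
# Exit status: 0 mounted, 2 clear-text credentials still on disk,
# 3 keyring returned nothing, otherwise whatever mount returns.
dav_mount() (
    user=$1 server=$2 mountpoint=$3

    if secrets_has_entries "$DAV_SECRETS"; then
        echo "refusing: $DAV_SECRETS still contains credentials" >&2
        exit 2
    fi

    # Command substitution keeps the password out of every argv.
    pw=$("$SECRET_TOOL" lookup descr "$DAV_DESCR" \
            username "$user" servername "$server") || pw=
    if [ -z "$pw" ]; then
        # Do not hand mount an empty answer to its password prompt.
        echo "no password from keyring (locked, or nothing stored?)" >&2
        exit 3
    fi

    # printf is a shell builtin, so the secret is never a process argument;
    # it reaches mount.davfs only through the pipe (assumed prompt order:
    # username first, then password).
    printf '%s\n%s\n' "$user" "$pw" | "$MOUNT" "$mountpoint"
)

# Usage, after sourcing this file:
#   dav_mount WebDAV_user my.dav.server /mount/point
```

The password exists only in the keyring and, briefly, in the wrapper's memory and the pipe, so nothing is left under ~/.davfs2 for another process running as the same user to read at rest.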
