tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Gloss.     Arch.     IMS     UICC    |    Misc.    |    search     info

RFC 3744


Web Distributed Authoring and Versioning (WebDAV) Access Control Protocol

Part 4 of 4, p. 60 to 72
Prev RFC Part


prevText      Top      Up      ToC       Page 60 
12.  Security Considerations

   Applications and users of this access control protocol should be
   aware of several security considerations, detailed below.  In
   addition to the discussion in this document, the security
   considerations detailed in the HTTP/1.1 specification [RFC2616], the
   WebDAV Distributed Authoring Protocol specification [RFC2518], and
   the XML Media Types specification [RFC3023] should be considered in a
   security analysis of this protocol.

12.1.  Increased Risk of Compromised Users

   In the absence of a mechanism for remotely manipulating access
   control lists, if a single user's authentication credentials are
   compromised, only those resources for which the user has access
   permission can be read, modified, moved, or deleted.  With the
   introduction of this access control protocol, if a single compromised
   user has the ability to change ACLs for a broad range of other users
   (e.g., a super-user), the number of resources that could be altered
   by a single compromised user increases.  This risk can be mitigated
   by limiting the number of people who have write-acl privileges across
   a broad range of resources.

12.2.  Risks of the DAV:read-acl and DAV:current-user-privilege-set

   The ability to read the access privileges (stored in the DAV:acl
   property), or the privileges permitted the currently authenticated
   user (stored in the DAV:current-user-privilege-set property) on a
   resource may seem innocuous, since reading an ACL cannot possibly
   affect the resource's state.  However, if all resources have world-
   readable ACLs, it is possible to perform an exhaustive search for
   those resources that have inadvertently left themselves in a
   vulnerable state, such as being world-writable.  In particular, the
   property retrieval method PROPFIND, executed with Depth infinity on
   an entire hierarchy, is a very efficient way to retrieve the DAV:acl
   or DAV:current-user-privilege-set properties.  Once found, this
   vulnerability can be exploited by a denial of service attack in which
   the open resource is repeatedly overwritten.  Alternately, writable
   resources can be modified in undesirable ways.

Top      Up      ToC       Page 61 
   To reduce this risk, read-acl privileges should not be granted to
   unauthenticated principals, and restrictions on read-acl and read-
   current-user-privilege-set privileges for authenticated principals
   should be carefully analyzed when deploying this protocol.  Access to
   the current-user-privilege-set property will involve a tradeoff of
   usability versus security.  When the current-user-privilege-set is
   visible, user interfaces are expected to provide enhanced information
   concerning permitted and restricted operations, yet this information
   may also indicate a vulnerability that could be exploited.
   Deployment of this protocol will need to evaluate this tradeoff in
   light of the requirements of the deployment environment.

12.3.  No Foreknowledge of Initial ACL

   In an effort to reduce protocol complexity, this protocol
   specification intentionally does not address the issue of how to
   manage or discover the initial ACL that is placed upon a resource
   when it is created.  The only way to discover the initial ACL is to
   create a new resource, then retrieve the value of the DAV:acl
   property.  This assumes the principal creating the resource also has
   been granted the DAV:read-acl privilege.

   As a result, it is possible that a principal could create a resource,
   and then discover that its ACL grants privileges that are
   undesirable.  Furthermore, this protocol makes it possible (though
   unlikely) that the creating principal could be unable to modify the
   ACL, or even delete the resource.  Even when the ACL can be modified,
   there will be a short period of time when the resource exists with
   the initial ACL before its new ACL can be set.

   Several factors mitigate this risk.  Human principals are often aware
   of the default access permissions in their editing environments and
   take this into account when writing information.  Furthermore,
   default privilege policies are usually very conservative, limiting
   the privileges granted by the initial ACL.

13.  Authentication

   Authentication mechanisms defined for use with HTTP and WebDAV also
   apply to this WebDAV Access Control Protocol, in particular the Basic
   and Digest authentication mechanisms defined in [RFC2617].
   Implementation of the ACL spec requires that Basic authentication, if
   used, MUST only be supported over secure transport such as TLS.

Top      Up      ToC       Page 62 
14.  IANA Considerations

   This document uses the namespace defined by [RFC2518] for XML
   elements.  That is, this specification uses the "DAV:" URI namespace,
   previously registered in the URI schemes registry.  All other IANA
   considerations mentioned in [RFC2518] are also applicable to this

15.  Acknowledgements

   This protocol is the collaborative product of the WebDAV ACL design
   team: Bernard Chester, Geoff Clemm, Anne Hopkins, Barry Lind, Sean
   Lyndersay, Eric Sedlar, Greg Stein, and Jim Whitehead.  The authors
   are grateful for the detailed review and comments provided by Jim
   Amsden, Dylan Barrell, Gino Basso, Murthy Chintalapati, Lisa
   Dusseault, Stefan Eissing, Tim Ellison, Yaron Goland, Dennis
   Hamilton, Laurie Harper, Eckehard Hermann, Ron Jacobs, Chris Knight,
   Remy Maucherat, Larry Masinter, Joe Orton, Peter Raymond, and Keith
   Wannamaker.  We thank Keith Wannamaker for the initial text of the
   principal property search sections.  Prior work on WebDAV access
   control protocols has been performed by Yaron Goland, Paul Leach,
   Lisa Dusseault, Howard Palmer, and Jon Radoff.  We would like to
   acknowledge the foundation laid for us by the authors of the DeltaV,
   WebDAV and HTTP protocols upon which this protocol is layered, and
   the invaluable feedback from the WebDAV working group.

16.  References

16.1.  Normative References

   [REC-XML]         Bray, T., Paoli, J., Sperberg-McQueen, C. and E.
                     Maler, "Extensible Markup Language (XML) 1.0
                     ((Third ed)", W3C REC REC-xml-20040204, February
                     2004, <>.

   [REC-XML-INFOSET] Cowan, J. and R. Tobin, "XML Information Set
                     (Second Edition)", W3C REC REC-xml-infoset-
                     20040204, February 2004,

   [REC-XML-NAMES]   Bray, T., Hollander, D. and A. Layman, "Namespaces
                     in XML", W3C REC REC-xml-names-19990114, January
                     1999, <

   [RFC2119]         Bradner, S., "Key words for use in RFCs to Indicate
                     Requirement Levels", BCP 14, RFC 2119, March 1997.

Top      Up      ToC       Page 63 
   [RFC2518]         Goland, Y., Whitehead, E., Faizi, A., Carter, S.
                     and D. Jensen, "HTTP Extensions for Distributed
                     Authoring -- WEBDAV", RFC 2518, February 1999.

   [RFC2616]         Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
                     Masinter, L., Leach, P. and T. Berners-Lee,
                     "Hypertext Transfer Protocol -- HTTP/1.1", RFC
                     2616, June 1999.

   [RFC2617]         Franks, J., Hallam-Baker, P., Hostetler, J.,
                     Lawrence, S., Leach, P., Luotonen, A. and L.
                     Stewart, "HTTP Authentication: Basic and Digest
                     Access Authentication", RFC 2617, June 1999.

   [RFC3023]         Murata, M., St.Laurent, S. and D. Kohn, "XML Media
                     Types", RFC 3023, January 2001.

   [RFC3253]         Clemm, G., Amsden, J., Ellison, T., Kaler, C. and
                     J. Whitehead, "Versioning Extensions to WebDAV",
                     RFC 3253, March 2002.

   [RFC3530]         Shepler, S., Ed., Callaghan, B., Robinson, D.,
                     Thurlow, R., Beame, C., Eisler, M. and D. Noveck,
                     "Network File System (NFS) version 4 Protocol", RFC
                     3530, April 2003.

   [RFC3629]         Yergeau, F., "UTF-8, a transformation format of ISO
                     10646", STD 63, RFC 3629 November 2003.

16.2.  Informative References

   [RFC2251]         Wahl, M., Howes, T. and S. Kille, "Lightweight
                     Directory Access Protocol (v3)", RFC 2251, December

   [RFC2255]         Howes, T. and M. Smith, "The LDAP URL Format", RFC
                     2255, December 1997.

   [UNICODE4]        The Unicode Consortium, "The Unicode Standard -
                     Version 4.0", Addison-Wesley , August 2003,
                     ISBN 0321185781.

Top      Up      ToC       Page 64 
Appendix A. WebDAV XML Document Type Definition Addendum

   All XML elements defined in this Document Type Definition (DTD)
   belong to the DAV namespace. This DTD should be viewed as an addendum
   to the DTD provided in [RFC2518], section 23.1.

   <!-- Privileges -- (Section 3)>

   <!ELEMENT read EMPTY>
   <!ELEMENT write EMPTY>
   <!ELEMENT write-properties EMPTY>
   <!ELEMENT write-content EMPTY>
   <!ELEMENT unlock EMPTY>
   <!ELEMENT read-acl EMPTY>
   <!ELEMENT read-current-user-privilege-set EMPTY>
   <!ELEMENT write-acl EMPTY>
   <!ELEMENT bind EMPTY>
   <!ELEMENT unbind EMPTY>

   <!-- Principal Properties (Section 4) -->

   <!ELEMENT principal EMPTY>

   <!ELEMENT alternate-URI-set (href*)>
   <!ELEMENT principal-URL (href)>
   <!ELEMENT group-member-set (href*)>
   <!ELEMENT group-membership (href*)>

   <!-- Access Control Properties (Section 5) -->

   <!-- DAV:owner Property (Section 5.1) -->

   <!ELEMENT owner (href?)>

   <!-- DAV:group Property (Section 5.2) -->

   <!ELEMENT group (href?)>

   <!-- DAV:supported-privilege-set Property (Section 5.3) -->

   <!ELEMENT supported-privilege-set (supported-privilege*)>
   <!ELEMENT supported-privilege
    (privilege, abstract?, description, supported-privilege*)>

   <!ELEMENT privilege ANY>
   <!ELEMENT abstract EMPTY>
   <!ELEMENT description #PCDATA>

Top      Up      ToC       Page 65 
   <!-- DAV:current-user-privilege-set Property (Section 5.4) -->

   <!ELEMENT current-user-privilege-set (privilege*)>

   <!-- DAV:acl Property (Section 5.5) -->

   <!ELEMENT acl (ace)* >
   <!ELEMENT ace ((principal | invert), (grant|deny), protected?,

   <!ELEMENT principal (href)
    | all | authenticated | unauthenticated
    | property | self)>

   <!ELEMENT authenticated EMPTY>
   <!ELEMENT unauthenticated EMPTY>
   <!ELEMENT property ANY>
   <!ELEMENT self EMPTY>

   <!ELEMENT invert principal>

   <!ELEMENT grant (privilege+)>
   <!ELEMENT deny (privilege+)>
   <!ELEMENT privilege ANY>

   <!ELEMENT protected EMPTY>

   <!ELEMENT inherited (href)>

   <!-- DAV:acl-restrictions Property (Section 5.6) -->

   <!ELEMENT acl-restrictions (grant-only?, no-invert?,
    deny-before-grant?, required-principal?)>

   <!ELEMENT grant-only EMPTY>
   <!ELEMENT no-invert EMPTY>
   <!ELEMENT deny-before-grant EMPTY>

   <!ELEMENT required-principal
    (all? | authenticated? | unauthenticated? | self? | href*

   <!-- DAV:inherited-acl-set Property (Section 5.7) -->

   <!ELEMENT inherited-acl-set (href*)>

   <!-- DAV:principal-collection-set Property (Section 5.8) -->

Top      Up      ToC       Page 66 
   <!ELEMENT principal-collection-set (href*)>

   <!-- Access Control and Existing Methods (Section 7) -->

   <!ELEMENT need-privileges (resource)* >
   <!ELEMENT resource ( href, privilege )

   <!-- ACL method preconditions (Section 8.1.1) -->

   <!ELEMENT no-ace-conflict EMPTY>
   <!ELEMENT no-protected-ace-conflict EMPTY>
   <!ELEMENT no-inherited-ace-conflict EMPTY>
   <!ELEMENT limited-number-of-aces EMPTY>
   <!ELEMENT grant-only EMPTY>
   <!ELEMENT no-invert EMPTY>
   <!ELEMENT deny-before-grant EMPTY>
   <!ELEMENT no-abstract EMPTY>
   <!ELEMENT not-supported-privilege EMPTY>
   <!ELEMENT missing-required-principal EMPTY>
   <!ELEMENT recognized-principal EMPTY>
   <!ELEMENT allowed-principal EMPTY>

   <!-- REPORTs (Section 9) -->

   <!ELEMENT acl-principal-prop-set ANY>
   ANY value: a sequence of one or more elements, with at most one
   DAV:prop element.

   <!ELEMENT principal-match ((principal-property | self), prop?)>
   <!ELEMENT principal-property ANY>
   ANY value: an element whose value identifies a property. The
   expectation is the value of the named property typically contains
   an href element that contains the URI of a principal
   <!ELEMENT self EMPTY>

   <!ELEMENT principal-property-search ((property-search+), prop?) >
   <!ELEMENT property-search (prop, match) >
   <!ELEMENT match #PCDATA >

   <!ELEMENT principal-search-property-set (
    principal-search-property*) >
   <!ELEMENT principal-search-property (prop, description) >
   <!ELEMENT description #PCDATA >

Top      Up      ToC       Page 67 
Appendix B. WebDAV Method Privilege Table (Normative)

   The following table of WebDAV methods (as defined in RFC 2518, 2616,
   and 3253) clarifies which privileges are required for access for each
   method.  Note that the privileges listed, if denied, MUST cause
   access to be denied.  However, given that a specific implementation
   MAY define an additional custom privilege to control access to
   existing methods, having all of the indicated privileges does not
   mean that access will be granted.  Note that lack of the indicated
   privileges does not imply that access will be denied, since a
   particular implementation may use a sub-privilege aggregated under
   the indicated privilege to control access.  Privileges required refer
   to the current resource being processed unless otherwise specified.

Top      Up      ToC       Page 68 
   | METHOD                          | PRIVILEGES                      |
   | GET                             | <D:read>                        |
   | HEAD                            | <D:read>                        |
   | OPTIONS                         | <D:read>                        |
   | PUT (target exists)             | <D:write-content> on target     |
   |                                 | resource                        |
   | PUT (no target exists)          | <D:bind> on parent collection   |
   |                                 | of target                       |
   | PROPPATCH                       | <D:write-properties>            |
   | ACL                             | <D:write-acl>                   |
   | PROPFIND                        | <D:read> (plus <D:read-acl> and |
   |                                 | <D:read-current-user-privilege- |
   |                                 | set> as needed)                 |
   | COPY (target exists)            | <D:read>, <D:write-content> and |
   |                                 | <D:write-properties> on target  |
   |                                 | resource                        |
   | COPY (no target exists)         | <D:read>, <D:bind> on target    |
   |                                 | collection                      |
   | MOVE (no target exists)         | <D:unbind> on source collection |
   |                                 | and <D:bind> on target          |
   |                                 | collection                      |
   | MOVE (target exists)            | As above, plus <D:unbind> on    |
   |                                 | the target collection           |
   | DELETE                          | <D:unbind> on parent collection |
   | LOCK (target exists)            | <D:write-content>               |
   | LOCK (no target exists)         | <D:bind> on parent collection   |
   | MKCOL                           | <D:bind> on parent collection   |
   | UNLOCK                          | <D:unlock>                      |
   | CHECKOUT                        | <D:write-properties>            |
   | CHECKIN                         | <D:write-properties>            |
   | REPORT                          | <D:read> (on all referenced     |
   |                                 | resources)                      |
   | VERSION-CONTROL                 | <D:write-properties>            |
   | MERGE                           | <D:write-content>               |
   | MKWORKSPACE                     | <D:write-content> on parent     |
   |                                 | collection                      |
   | BASELINE-CONTROL                | <D:write-properties> and        |
   |                                 | <D:write-content>               |
   | MKACTIVITY                      | <D:write-content> on parent     |
   |                                 | collection                      |

Top      Up      ToC       Page 69 

      ACL method  40

      Condition Names
         DAV:allowed-principal (pre)  42
         DAV:deny-before-grant (pre)  41
         DAV:grant-only (pre)  41
         DAV:limited-number-of-aces (pre)  41
         DAV:missing-required-principal (pre)  42
         DAV:no-abstract (pre)  41
         DAV:no-ace-conflict (pre)  41
         DAV:no-inherited-ace-conflict (pre)  41
         DAV:no-invert (pre)  41
         DAV:no-protected-ace-conflict (pre)  41
         DAV:not-supported-privilege (pre)  42
         DAV:number-of-matches-within-limits (post)  48, 53
         DAV:recognized-principal (pre)  42

      DAV header
         compliance class 'access-control'  38
      DAV:acl property  23
      DAV:acl-principal-prop-set report  48
      DAV:acl-restrictions property  27
      DAV:all privilege  13
      DAV:allowed-principal precondition  42
      DAV:alternate-URI-set property  14
      DAV:bind privilege  12
      DAV:current-user-privilege-set property  21
      DAV:deny-before-grant precondition  41
      DAV:grant-only precondition  41
      DAV:group property  18
      DAV:group-member-set property  14
      DAV:group-membership property  14
      DAV:inherited-acl-set property  29
      DAV:limited-number-of-aces precondition  41
      DAV:missing-required-principal precondition  42
      DAV:no-abstract precondition  41
      DAV:no-ace-conflict precondition  41
      DAV:no-inherited-ace-conflict precondition  41
      DAV:no-invert precondition  41
      DAV:no-protected-ace-conflict precondition  41
      DAV:not-supported-privilege precondition  42
      DAV:number-of-matches-within-limits postcondition  48, 53
      DAV:owner property  15

Top      Up      ToC       Page 70 
      DAV:principal resource type  13
      DAV:principal-collection-set property  30
      DAV:principal-match report  50
      DAV:principal-property-search  51
      DAV:principal-search-property-set  56
      DAV:principal-URL property  14
      DAV:read privilege  10
      DAV:read-acl privilege  11
      DAV:read-current-user-privilege-set privilege  12
      DAV:recognized-principal precondition  42
      DAV:supported-privilege-set property  18
      DAV:unbind privilege  12
      DAV:unlock privilege  11
      DAV:write privilege  10
      DAV:write-acl privilege  12
      DAV:write-content privilege  10
      DAV:write-properties privilege  10

         ACL  40

         DAV:all  13
         DAV:bind  12
         DAV:read  10
         DAV:read-acl  11
         DAV:read-current-user-privilege-set  12
         DAV:unbind  12
         DAV:unlock  11
         DAV:write  10
         DAV:write-acl  12
         DAV:write-content  11
         DAV:write-properties  10
         DAV:acl  23
         DAV:acl-restrictions  27
         DAV:alternate-URI-set  14
         DAV:current-user-privilege-set  21
         DAV:group  18
         DAV:group-member-set  14
         DAV:group-membership  14
         DAV:inherited-acl-set  29
         DAV:owner  15
         DAV:principal-collection-set  30
         DAV:principal-URL  14
         DAV:supported-privilege-set  18

Top      Up      ToC       Page 71 
         DAV:acl-principal-prop-set  47
         DAV:principal-match  49
         DAV:principal-property-search  51
         DAV:principal-search-property-set  56
      Resource Types
         DAV:principal  13

Authors' Addresses

   Geoffrey Clemm
   20 Maguire Road
   Lexington, MA  02421


   Julian F. Reschke
   greenbytes GmbH
   Salzmannstrasse 152
   Muenster, NW  48159


   Eric Sedlar
   Oracle Corporation
   500 Oracle Parkway
   Redwood Shores, CA  94065


   Jim Whitehead
   U.C. Santa Cruz, Dept. of Computer Science
   1156 High Street
   Santa Cruz, CA  95064


Top      Up      ToC       Page 72 
Full Copyright Statement

   Copyright (C) The Internet Society (2004).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

   This document and the information contained herein are provided on an

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed
   to pertain to the implementation or use of the technology
   described in this document or the extent to which any license
   under such rights might or might not be available; nor does it
   represent that it has made any independent effort to identify any
   such rights.  Information on the procedures with respect to
   rights in RFC documents can be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository

   The IETF invites any interested party to bring to its attention
   any copyrights, patents or patent applications, or other
   proprietary rights that may cover technology that may be required
   to implement this standard.  Please address the information to the
   IETF at


   Funding for the RFC Editor function is currently provided by the
   Internet Society.