Followed https://httpd.apache.org/docs/2.4/mod/mod_dav.htmlÿ(and a few
other places). I have read access to my /dav/ folder, but when I attempt t
o write, I get:
```
The locks could not be queried for verification against a possible "If:" he ader.ÿ [500, #0]
Could not open the lock database.ÿ [500, #400]
APR does not understand this error code: [client X.X.X.X:XXXX] Could not op
en database.ÿ [500, #1]
```
I quadruple-checked that permissions were right. They're currently 777. Yes
, I'll listen to your security lecture once I get this working. I don't hav
e SELinux installed but AppArmor seems to be working. I haven't touched it from whatever the Debian installer configured.
Here are my hypotheses:1. Documentation is wrong
2. I'm missing a package to make the DavLockDB file (but I think I have all
dependent, suggested and recommended packages installed)3. AppArmor is int erfering

Suggestions?

--- PyGate Linux v1.5.12
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

On 2026-03-02, Borden wrote:

Followed https://httpd.apache.org/docs/2.4/mod/mod_dav.htmlÿ(and a f

ew

other places). I have read access to my /dav/ folder, but when I
attempt to write, I get:
```
The locks could not be queried for verification against a possible
"If:" header.ÿ [500, #0]
Could not open the lock database.ÿ [500, #400]
APR does not understand this error code: [client X.X.X.X:XXXX] Could
not open database.ÿ [500, #1]
```

What do you set for DavLockDB ?
Please provide your apache conf for your host and for dav* mods which are enabled

--- PyGate Linux v1.5.12
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

What do you set for DavLockDB ?
Please provide your apache conf for your host and for dav* mods which are

enabled

My webdav.conf mostly copies the Apache WebDAV documentation:
```
Define _WEBDAV_URI /webdav
Define _WEBDAV_FOLDER /var/www/html/webdav
Alias ${_WEBDAV_URI} ${_WEBDAV_FOLDER}
DavLockDB ${_WEBDAV_FOLDER}/DavLockDB
<Directory ${_WEBDAV_FOLDER}>
Require all granted
DAV onÿ # I'm led to believe this is all that's _necessa
ry_AuthType basic
AuthName DAV
AuthUserFile "user.passwd"
</Directory>
```

My vhost.conf file is largely copy-and-paste from the defaults:
```
Define _SERVER_ADMIN webmaster
Define _DOMAIN mycomputer # This is on a LAN, so there's no domainDefine _H
OST ${_DOMAIN}

<VirtualHost _default_:443>
ServerName ${_HOST}
ServerAdmin ${_SERVER_ADMIN}@${_DOMAIN}
DocumentRoot /var/www/html

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

SSLEngine on
SSLCipherSuite HIGH:!aNULL:!MD5
SSLCertificateFileÿÿÿÿÿ /etc/ssl/certs/ssl-cert-sn
akeoil.pem
SSLCertificateKeyFileÿÿ /etc/ssl/private/ssl-cert-snakeoil.key

<FilesMatch "\.(?:cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>

<VirtualHost _default_:80>
ÿÿÿÿÿÿÿ ServerName ${_HOST}
ÿÿÿÿÿÿÿ ServerAdmin ${_SERVER_ADMIN}@${_
DOMAIN}
ÿÿÿÿÿÿÿ DocumentRoot /var/www/html

ÿÿÿÿÿÿÿ RedirectMatch permanent ^(?!/.we
ll-known/acme-challenge)(.*) https://${_HOST}/$1

ÿÿÿÿÿÿÿ CustomLog ${APACHE_LOG_DIR}/redi
rect.log vhost_combined
</VirtualHost>
```

All other files are out-of-the-box unchanged. Read access to my webdav fold
er is fine, so the above config files give me something. I'm trying to get write access.

--- PyGate Linux v1.5.12
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

On 2026-03-03, Borden wrote:

My webdav.conf mostly copies the Apache WebDAV documentation:

Where do you put this webdav.conf ?

Could you provide
ls -l /etc/apache2/mods-enabled/dav*
cat /etc/apache2/mods-enabled/dav*

Define _WEBDAV_URI /webdav
Define _WEBDAV_FOLDER /var/www/html/webdav
Alias ${_WEBDAV_URI} ${_WEBDAV_FOLDER}
DavLockDB ${_WEBDAV_FOLDER}/DavLockDB

Could you provide
ls -ld /var/www/html
ls -ld /var/www/html/webdav
ls -l /var/www/html/webdav/DavLockDB
ls -l /var/www/html/webdav/user.passwd

DAV on # I'm led to believe this is all that's _necessary_AuthType basic

I suppose AuthType is on a separate line ?

--- PyGate Linux v1.5.12
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

Sorry for the delay in responding. To your questions:

ÿWhere do you put this webdav.conf ?

/etc/apache2/sites-enabled/webdav.conf

ÿCould you provide ls -l /etc/apache2/mods-enabled/dav*

lrwxrwxrwx 1 root root 29 Jan 31ÿ 2023 /etc/apache2/mods-enabled/dav_f
s.conf -> ../mods-available/dav_fs.conf
lrwxrwxrwx 1 root root 29 Jan 31ÿ 2023 /etc/apache2/mods-enabled/dav_f
s.load -> ../mods-available/dav_fs.load
lrwxrwxrwx 1 root root 26 Jan 31ÿ 2023 /etc/apache2/mods-enabled/dav.l
oad -> ../mods-available/dav.load
lrwxrwxrwx 1 root root 31 Jan 31ÿ 2023 /etc/apache2/mods-enabled/dav_l
ock.load -> ../mods-available/dav_lock.load

ÿCould you provideÿcat /etc/apache2/mods-enabled/dav*

DAVLockDB ${APACHE_LOCK_DIR}/DAVLock
# Depends: dav
LoadModule dav_fs_module /usr/lib/apache2/modules/mod_dav_fs.so
<IfModule !mod_dav.c>
ÿÿÿÿÿÿÿ LoadModule dav_module /usr/lib/a
pache2/modules/mod_dav.so
</IfModule>
LoadModule dav_lock_module /usr/lib/apache2/modules/mod_dav_lock.so

In case it makes a difference, APACHE_LOCK_DIR appears to be set in /etc/ap ache2/envvars:
export APACHE_LOCK_DIR=/run/lock/apache2$SUFFIX

ls -lr /run/lock/apache2:
total 0

ls -ld /run/lock/apache2:
drwxr-xr-x 2 www-data root 40 Marÿ 6 16:00 /run/lock/apache2

ÿCould you provide ls -ld /var/www/html

drwxr-xr-x 1 root root 32 Marÿ 1 17:49 /var/www/html

Could you provide ls -ld /var/www/html/webdav

drwxrwxrwx 1 www-data www-data 20 Marÿ 1 18:07 /var/www/html/webdav/

Could you provide ls -l /var/www/html/webdav/DavLockDB

ls: cannot access '/var/www/html/webdav/DavLockDB': No such file or directo
ry
# Which I've always known. Apache doesn't create the file.

Could you provide ls -l /var/www/html/webdav/user.passwd

# ditto. Nobody creates it.

ÿI suppose AuthType is on a separate line ?

Yes, sorry. Strictly speaking though, the documentation doesn't say what di fference it makes. The documentation leads me to believe that I can set up
DAV with no authentication system. I can worry about it and proper permissi
ons once I get it working.

If something is not set as it should be, then that ought to be a bug becaus
e I haven't fiddled with anything. It's all out of the box.

With thanks,

--- PyGate Linux v1.5.12
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

On 2026-03-07, Borden wrote:

ÿCould you provideÿcat /etc/apache2/mods-enabled/dav*

DAVLockDB ${APACHE_LOCK_DIR}/DAVLock
# Depends: dav
LoadModule dav_fs_module /usr/lib/apache2/modules/mod_dav_fs.so
<IfModule !mod_dav.c>
ÿÿÿÿÿÿÿ LoadModule dav_module /usr/lib

/apache2/modules/mod_dav.so

</IfModule>
LoadModule dav_lock_module /usr/lib/apache2/modules/mod_dav_lock.so

In case it makes a difference, APACHE_LOCK_DIR appears to be set in /etc/

apache2/envvars:

export APACHE_LOCK_DIR=/run/lock/apache2$SUFFIX

You redefine DavLockDB in your webdav.conf with
DavLockDB ${_WEBDAV_FOLDER}/DavLockDB>
So remove this line from your webdav.conf to use DavLockDB from
dav_fs.conf

--- PyGate Linux v1.5.12
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

I'm grateful for your reply, since you seem the best able to figure out wha
t's wrong with Apache.

ÿYou redefine DavLockDB in your webdav.conf with
DavLockDB ${_WEBDAV_FOLDER}/DavLockDB
So remove this line from your webdav.conf to use DavLockDB fromÿdav_

fs.conf

I *knew* you were going to say that, although I would have been very annoye
d if that were the (only) problem. A proper error message would be "DavLock
DB redefined" as opposed to "Vague write error. You're on your own," especi ally considering that `apache2ctl configtest` yields no errors.

Needless to say, it still doesn't work with this change enacted. As a remin der, apache2/error.log reads:

[dav:error] [pid Y:tid Y] [client 127.0.0.1:46XXX] Unable to PUT new conten
ts for /webdav/test-text-file.txt.ÿ [500, #0]
[dav:error] [pid Y:tid Y] (30)Read-only file system: [client 127.0.0.1:46XX
X] An error occurred while opening a resource for writing: /var/www/html/we bdav/test-text-file.txt.ÿ [500, #0]

Should I file a bug?

--- PyGate Linux v1.5.12
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

On Sun, Mar 08, 2026 at 20:38:09 +0100, Borden wrote:

Needless to say, it still doesn't work with this change enacted. As a reminder, apache2/error.log reads:

[dav:error] [pid Y:tid Y] [client 127.0.0.1:46XXX] Unable to PUT new contents for /webdav/test-text-file.txt.? [500, #0]
[dav:error] [pid Y:tid Y] (30)Read-only file system: [client 127.0.0.1:46XXX] An error occurred while opening a resource for writing: /var/www/html/webdav/test-text-file.txt.? [500, #0]

Assuming you didn't actually mount this file system read-only,
my first two guesses for where this additional restriction is coming
from would be "systemd unit configuration" or "AppArmor configuration".

Check the systemd unit and the /etc/apparmor.d/ directory for anything
that might be causing the web server to run with directory restrictions.

--- PyGate Linux v1.5.12
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

On 2026-03-08, Borden wrote:

Needless to say, it still doesn't work with this change enacted. As a reminder, apache2/error.log reads:

But it fixes the lock error we begin with.

[dav:error] [pid Y:tid Y] [client 127.0.0.1:46XXX] Unable to PUT new
contents for /webdav/test-text-file.txt.ÿ [500, #0]
[dav:error] [pid Y:tid Y] (30)Read-only file system: [client
127.0.0.1:46XXX] An error occurred while opening a resource for
writing: /var/www/html/webdav/test-text-file.txt.ÿ [500, #0]

This error is a new one. It seems to be about filesystem rights on /var/www/html/webdav/. To make sure it is the problem please provide

sudo -u www-data touch /var/www/html/webdav/newtest
ps aux|grep apache
ls -ld /var/www/html/webdav
ls -al /var/www/html/webdav/

--- PyGate Linux v1.5.12
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

ÿAssuming you didn't actually mount this file system read-only

It's my root partition, so I'd have a lot more symptoms if that were the ca
se

ÿCheck the systemd unit

$ systemctl list-units | grep -i dav
radicale.serviceÿ loaded active runningÿ A simple CalDAV (calenda
r) and CardDAV (contact) server
apache2.serviceÿ loaded active runningÿ The Apache HTTP Server

Assuming that a hypothetical config error would be in the latter:
$ systemctl cat apache2
```
# /usr/lib/systemd/system/apache2.service
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target Documentation=https://httpd.apache.org/docs/2.4/

[Service]
Type=notify
Environment=APACHE_STARTED_BY_SYSTEMD=true
ExecStart=/usr/sbin/apachectl start
ExecStop=/usr/sbin/apachectl graceful-stop
ExecReload=/usr/sbin/apachectl graceful
# Send SIGWINCH for graceful stop
KillSignal=SIGWINCH
KillMode=mixed
PrivateTmp=true
Restart=on-abnormal
OOMPolicy=continue
RemoveIPC=yes

DevicePolicy=closed
KeyringMode=private
LockPersonality=yes
MemoryDenyWriteExecute=yes
PrivateDevices=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=read-only
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=full
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
ProtectProc=invisible
ProcSubset=pid

ReadWritePaths=-/var/log/apache2 ReadWritePaths=-/var/cache/apache2/mod_cache_disk

InaccessiblePaths=/boot
InaccessiblePaths=/root
InaccessiblePaths=-/etc/sudoers
InaccessiblePaths=-/etc/sudoers.d
InaccessiblePaths=-/etc/ssh
InaccessiblePaths=-/etc/apt
InaccessiblePaths=-/etc/.git
InaccessiblePaths=-/etc/.svn

[Install]
WantedBy=multi-user.target
```
... and I have no idea what in there would be causing problems.

and the /etc/apparmor.d/ directory

$ ls /etc/apparmor.d
```
1password abi abstractions balena-etcher brave buildah busybox cam ch-check
ns chrome chromium ch-run code crun devhelp disable Discord element-desktop
epiphany evolution firefox flatpak foliate force-complain geary github-des ktop goldendict guestfs-tools ipa_verify kchmviewer keybase lc-compliance l ibcamerify libreoffice-oosplash libreoffice-senddoc libreoffice-soffice.bin
libreoffice-xpdfimport libvirt linux-sandbox local loupe lsb_release lxc-a ttach lxc-create lxc-destroy lxc-execute lxc-stop lxc-unshare lxc-usernsexe
c mariadbd_akonadi mmdebstrap MongoDB_Compass msedge mysqld_akonadi nautilu
s notepadqq nvidia_modprobe obsidian opam opera pageedit plasmashell polypa
ne postgresql_akonadi privacybrowser qcam qmapshack QtWebEngineProcess qute browser rootlesskit rpm rssguard runc sbuild sbuild-abort sbuild-adduser sb uild-apt sbuild-checkpackages sbuild-clean sbuild-createchroot sbuild-destr oychroot sbuild-distupgrade sbuild-hold sbuild-shell sbuild-unhold sbuild-u pdate sbuild-upgrade scide signal-desktop slack slirp4netns steam stress-ng
surfshark systemd-coredump toybox transmission trinity tunables tup tuxedo -control-center unix-chkpwd unprivileged_userns userbindmount usr.bin.akona diserver usr.bin.evince usr.bin.man usr.bin.passt usr.bin.pasta usr.bin.tcp dump usr.lib.ipsec.lookip usr.lib.libvirt.virt-aa-helper usr.lib.snapd.snap -confine.real usr.sbin.cups-browsed usr.sbin.cupsd usr.sbin.libvirtd uwsgi- core vdens virtiofsd vivaldi-bin vpnns wike wpcom Xorg zoomÿ
```

I don't see anything there that would be relevant to WebDAV. Besides, they'
re all stock files, I haven't touched any of them, so it wouldn't make sens
e that I'm the only person in the world unable to get WebDAV working.

ÿBut it fixes the lock error we begin with.

Somewhat. We already know that Apache cannot write to /var/www/html/webdav
, so trying to put the DBLock file there won't work. The fix, not that I'm complaining, relocated the DBLock file to a directory where Apache can writ
e, but it has yet to explain why /var/www/html/webdav *isn't* writeable.

But I think we established that Apache *can* write to some directories (lik
e /var/log/apache2/). Just not that one.

ÿTo make sure it is the problem please provide
sudo -u www-data touch /var/www/html/webdav/newtest

Works. I can read and write whatever I want wherever I want from bash. Just
not from WebDAV.

ps aux|grep apache

```
rootÿÿÿÿÿÿÿ 5017ÿ 0.0ÿ 0.0?
? 27640 15736 ?ÿÿÿÿÿÿÿ Ssÿÿ
11:23ÿÿ 0:01 /usr/sbin/apache2 -k start -DFOREGROUND
www-dataÿÿÿ 5021ÿ 0.0ÿ 0.1ÿ 39068 21800 ??
?ÿÿÿÿÿÿ Sÿÿÿ 11:23ÿ?
? 0:00 /usr/sbin/apache2 -k start -DFOREGROUND
www-dataÿÿÿ 5022ÿ 0.0ÿ 0.1ÿ 39068 21788 ??
?ÿÿÿÿÿÿ Sÿÿÿ 11:23ÿ?
? 0:00 /usr/sbin/apache2 -k start -DFOREGROUND
www-dataÿÿÿ 5023ÿ 0.0ÿ 0.1ÿ 39068 21796 ??
?ÿÿÿÿÿÿ Sÿÿÿ 11:23ÿ?
? 0:00 /usr/sbin/apache2 -k start -DFOREGROUND
www-dataÿÿÿ 5024ÿ 0.0ÿ 0.1ÿ 39068 21796 ??
?ÿÿÿÿÿÿ Sÿÿÿ 11:23ÿ?
? 0:00 /usr/sbin/apache2 -k start -DFOREGROUND
www-dataÿÿÿ 5025ÿ 0.0ÿ 0.1ÿ 39068 21904 ??
?ÿÿÿÿÿÿ Sÿÿÿ 11:23ÿ?
? 0:00 /usr/sbin/apache2 -k start -DFOREGROUND
www-dataÿÿÿ 5058ÿ 0.0ÿ 0.1ÿ 39068 21788 ??
?ÿÿÿÿÿÿ Sÿÿÿ 11:23ÿ?
? 0:00 /usr/sbin/apache2 -k start -DFOREGROUND
www-dataÿÿÿ 5693ÿ 0.0ÿ 0.1ÿ 39068 21900 ??
?ÿÿÿÿÿÿ Sÿÿÿ 11:26ÿ?
? 0:00 /usr/sbin/apache2 -k start -DFOREGROUND
www-dataÿÿÿ 5892ÿ 0.0ÿ 0.1ÿ 39068 21800 ??
?ÿÿÿÿÿÿ Sÿÿÿ 11:36ÿ?
? 0:00 /usr/sbin/apache2 -k start -DFOREGROUND
www-dataÿÿÿ 6227ÿ 0.0ÿ 0.1ÿ 39068 21796 ??
?ÿÿÿÿÿÿ Sÿÿÿ 11:51ÿ?
? 0:00 /usr/sbin/apache2 -k start -DFOREGROUND
```

ls -ld /var/www/html/webdav

drwxrwxrwx 1 www-data www-data 38 Mar 13 16:07 /var/www/html/webdav

ls -al /var/www/html/webdav/

total 4
drwxrwxrwx 1 www-data www-data 38 Mar 13 16:07 .
drwxr-xr-x 1 rootÿ ÿrootÿ ÿ90 Sep 26 15:49 ..
-rw-rw-r-- 1 rootÿ ÿrootÿ ÿ41 Marÿ 1 18:07 index.h
tml
-rw-rw-r-- 1 www-data www-dataÿ 0 Mar 13 16:07 newtest

Sigh. I'm wondering whether it's more efficient for me to upload the conten
ts of my hard drive to the Internet rather than copy and paste it here...

Nevertheless, thank you for your help.

--- PyGate Linux v1.5.13
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

Sorry for the spam. I don't know if this is relevant:
I have my static directory, /var/www/html/ and the webdav folder within it /var/www/html/webdav . I configured the /html/ folder with:

<Directory /var/www/html>
ÿÿÿ Options FollowSymLinks Indexes
ÿÿÿ AllowOverride Limit Options FileInfo
ÿÿÿ DirectoryIndex index.html index.php
ÿÿÿ Require all granted
</Directory>

Which hasn't caused problems before, but I can't tell whether one of these directives has messed /html/webdav/ up.

--- PyGate Linux v1.5.13
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

On Fri, Mar 13, 2026 at 21:26:04 +0100, Borden wrote:

$ systemctl cat apache2
```
# /usr/lib/systemd/system/apache2.service

...

ProtectSystem=full
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
ProtectProc=invisible
ProcSubset=pid

ReadWritePaths=-/var/log/apache2 ReadWritePaths=-/var/cache/apache2/mod_cache_disk

...

According to systemd.exec(5):

ProtectSystem=
Takes a boolean argument or the special values "full" or "strict".
If true, mounts the /usr/ and the boot loader directories (/boot and
/efi) read-only for processes invoked by this unit. If set to
"full", the /etc/ directory is mounted read-only, too. If set to
"strict" the entire file system hierarchy is mounted read-only,
except for the API file system subtrees /dev/, /proc/ and /sys/

Therefore, the /usr, /boot, /efi and /etc directories should be read-only
for Apache. The /var directory shouldn't be affected, as far as I can
see.

Somewhat. We already know that Apache cannot write to /var/www/html/webdav , so trying to put the DBLock file there won't work. The fix, not that I'm complaining, relocated the DBLock file to a directory where Apache can write, but it has yet to explain why /var/www/html/webdav *isn't* writeable.

But I think we established that Apache *can* write to some directories (like /var/log/apache2/). Just not that one.

If the restriction is coming from systemd, then the fact /var/log/apache2
is writable comes from

ReadWritePaths=-/var/log/apache2

The man page says:

Use
ReadWritePaths= in order to allow-list specific paths for write
access if ProtectSystem=strict is used.

If your systemd unit had ProtectSystem=strict then we would have the
answer already. Since you have ProtectSystem=full I don't know what
the whole picture is. It seems to be acting as if you had =strict.

ls -ld /var/www/html/webdav

drwxrwxrwx 1 www-data www-data 38 Mar 13 16:07 /var/www/html/webdav

Just for the record: is /var a plain old directory? Are /var/www and /var/www/html and /var/www/html/webdav all plain old directories? No
symbolic links, no weird mounts?

--- PyGate Linux v1.5.13
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)

Found the problem after a few agonising days. During a hardening, I set the
apache2.system unit in systemd too zealously, making my folders read-only.
I unhardened apache2.system, and it's working now.

So the bug is to go against systemd (what else is new).

That means thatÿGreg was closest to identifying the problem, with?
?Michel a very close second. Congratulations to both of you!

--- PyGate Linux v1.5.13
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)