On 24.02.2012 00:03, Roland van Laar wrote:
Hi Roland,
I found a security issue with the default install of OwnCloud.
The default install leaves the data directory wide open.
The default apache configuration specifies the following:
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
Confirmed for openSUSE where the default config is similar.
The second AllowOverride should be All instead of None.
On the linux server page[1] the sixth step should be:
6. To enable the use of the .htaccess files: Add
<Directory /var/www/owncloud/>
AllowOverride All
</Directory>
Agreed.
It would be nice it owncloud would check if the .htaccess files can be
loaded.
I saw the 'SetEnv htaccessWorking true' in the root .htaccess but this
didn't display
any messages.
A fix. To be put in index.php after 'if($not_installed)' and before
'if($_SERVER['REQUEST_METHOD'...
// Check for a working .htaccess file.
if (strstr($_SERVER['SERVER_SOFTWARE'], 'Apache') and
getenv('htaccessWorking') != true){
$errors[] = array('error' => 'Security Error: .htaccess file is not set',
'hint' => 'You are using apache and the .htaccess isn\'t loaded. Set
AllowOverride to All.');
OC_Template::printGuestPage('', 'error', array('errors' => $errors));
exit();
}
This checks if apache is used, and if so if the .htaccessWorking
parameter is set.
It will display an error when it's not set.
This is a very good idea, but
- people might decide against a .htaccess based configuration, but
create a secure config without .htaccess.
- the htaccessWorking variable gets only set if the env_module is
loaded, at least for me. I am not sure if thats always there?
What are the really relevant directives in the .htaccess? Probably the
Options -Indexes, right? Wouldn't there be a possibility to rather check
if indexing of the data dir (and config dir probably) is possible at all
and than fire up an error?
I think privacy and security is a major sellingpoint for owncloud.
Absolutely correct.
As such I would like to see a security policy page for owncloud.
Which documents a couple of security points, for example:
-information about how to enable ssl
-how to harden the owncloud installation with information about:
secure the different databases
-the owncloud policy about security, such as:
-the passwords are sha1 hashed with a salt.
-the security is done by .htaccess check for access by seeing if your
data directory is accessible.
You are right, I also would love to see that. Even more, I think it
would really make sense to a kind of "Security Working Group" within the
ownCloud community which consists of a few people who
- maintain documentation like the ones you mentioned above
- check the ongoing code development with the special focus on security
- are the responsible contact for security issues within ownCloud
- do not have to be developers ;-) This is more a task for experienced
administrators who maintain large server installation. They often have a
sharper view on security requirements than devs do, at least from my
experience being a developer ;-)
- probably more...
Roland, is that something you could imagine to contribute to?
Thanks for your help,
Klaas
[1] http://owncloud.org/support/setup-and-installation/linux-server/
_______________________________________________
Owncloud mailing list
[email protected]
https://mail.kde.org/mailman/listinfo/owncloud
