[Owncloud] Documentation issue enables a Major Security Issue on Apache/Ubuntu. Fixes and checks included.

Klaas Freitag freitag at owncloud.com
Fri Feb 24 09:27:14 UTC 2012


On 24.02.2012 00:03, Roland van Laar wrote:
Hi Roland,

> I found a security issue with the default install of OwnCloud.
> The default install leaves the data directory wide open.
>
> The default apache configuration specifies the following:
> <Directory />
> Options FollowSymLinks
> AllowOverride None
> </Directory>
> <Directory /var/www/>
> Options Indexes FollowSymLinks MultiViews
> AllowOverride None
> Order allow,deny
> allow from all
> </Directory>
Confirmed for openSUSE where the default config is similar.

> The second AllowOverride should be All instead of None.
>
> On the linux server page[1] the sixth step should be:
> 6. To enable the use of the .htaccess files: Add
> <Directory /var/www/owncloud/>
> AllowOverride All
> </Directory>
Agreed.

> It would be nice it owncloud would check if the .htaccess files can be
> loaded.
> I saw the 'SetEnv htaccessWorking true' in the root .htaccess but this
> didn't display
> any messages.
>
> A fix. To be put in index.php after 'if($not_installed)' and before
> 'if($_SERVER['REQUEST_METHOD'...
>
> // Check for a working .htaccess file.
> if (strstr($_SERVER['SERVER_SOFTWARE'], 'Apache') and
> getenv('htaccessWorking') != true){
> $errors[] = array('error' => 'Security Error: .htaccess file is not set',
> 'hint' => 'You are using apache and the .htaccess isn\'t loaded. Set
> AllowOverride to All.');
> OC_Template::printGuestPage('', 'error', array('errors' => $errors));
> exit();
> }
>
> This checks if apache is used, and if so if the .htaccessWorking
> parameter is set.
> It will display an error when it's not set.
This is a very good idea, but
- people might decide against a .htaccess based configuration, but 
create a secure config without .htaccess.
- the htaccessWorking variable gets only set if the env_module is 
loaded, at least for me. I am not sure if thats always there?

What are the really relevant directives in the .htaccess? Probably the 
Options -Indexes, right? Wouldn't there be a possibility to rather check 
if indexing of the data dir (and config dir probably) is possible at all 
and than fire up an error?

> I think privacy and security is a major sellingpoint for owncloud.
Absolutely correct.

> As such I would like to see a security policy page for owncloud.
> Which documents a couple of security points, for example:
> -information about how to enable ssl
> -how to harden the owncloud installation with information about:
> secure the different databases
> -the owncloud policy about security, such as:
> -the passwords are sha1 hashed with a salt.
> -the security is done by .htaccess check for access by seeing if your
> data directory is accessible.
You are right, I also would love to see that. Even more, I think it 
would really make sense to a kind of "Security Working Group" within the 
ownCloud community which consists of a few people who
- maintain documentation like the ones you mentioned above
- check the ongoing code development with the special focus on security
- are the responsible contact for security issues within ownCloud
- do not have to be developers ;-) This is more a task for experienced 
administrators who maintain large server installation. They often have a 
sharper view on security requirements than devs do, at least from my 
experience being a developer ;-)
- probably more...

Roland, is that something you could imagine to contribute to?

Thanks for your help,

Klaas

> [1] http://owncloud.org/support/setup-and-installation/linux-server/





More information about the Owncloud mailing list