[Owncloud] Documentation issue enables a Major Security Issue on Apache/Ubuntu. Fixes and checks included.

Roland van Laar roland at micite.net
Fri Feb 24 17:12:36 UTC 2012


On 02/24/2012 10:27 AM, Klaas Freitag wrote:
> On 24.02.2012 00:03, Roland van Laar wrote:
> Hi Roland,
>
>> I found a security issue with the default install of OwnCloud.
>> The default install leaves the data directory wide open.
>>
>> The default apache configuration specifies the following:
>> <Directory />
>> Options FollowSymLinks
>> AllowOverride None
>> </Directory>
>> <Directory /var/www/>
>> Options Indexes FollowSymLinks MultiViews
>> AllowOverride None
>> Order allow,deny
>> allow from all
>> </Directory>
> Confirmed for openSUSE where the default config is similar.
>
>> The second AllowOverride should be All instead of None.
>>
>> On the linux server page[1] the sixth step should be:
>> 6. To enable the use of the .htaccess files: Add
>> <Directory /var/www/owncloud/>
>> AllowOverride All
>> </Directory>
> Agreed.
>
Nice.

>> It would be nice if owncloud would check if the .htaccess files can be
>> loaded.
>> I saw the 'SetEnv htaccessWorking true' in the root .htaccess but this
>> didn't display
>> any messages.
>>
>> A fix. To be put in index.php after 'if($not_installed)' and before
>> 'if($_SERVER['REQUEST_METHOD'...
>>
>> // Check for a working .htaccess file.
>> if (strstr($_SERVER['SERVER_SOFTWARE'], 'Apache') and
>>     getenv('htaccessWorking') != true) {
>>     $errors[] = array('error' => 'Security Error: .htaccess file is not set',
>>                       'hint' => 'You are using apache and the .htaccess isn\'t loaded. Set AllowOverride to All.');
>>     OC_Template::printGuestPage('', 'error', array('errors' => $errors));
>>     exit();
>> }
>>
>> This checks if apache is used, and if so if the .htaccessWorking
>> parameter is set.
>> It will display an error when it's not set.
> This is a very good idea, but
> - people might decide against a .htaccess based configuration, but 
> create a secure config without .htaccess.
> - the htaccessWorking variable gets only set if the env_module is 
> loaded, at least for me. I am not sure if that's always there?
>
I'm not sure either.
I think that owncloud should offer security by default.
I'm working on a checkbox during the install with the advanced features.
When the checkbox is checked (by default) the installation will check 
for a working .htaccess.
The checkbox will only be available when using apache.

> What are the really relevant directives in the .htaccess? Probably the 
> Options -Indexes, right? Wouldn't there be a possibility to rather 
> check if indexing of the data dir (and config dir probably) is 
> possible at all and then fire up an error?
>
>> I think privacy and security is a major selling point for owncloud.
> Absolutely correct.
>
>> As such I would like to see a security policy page for owncloud.
>> Which documents a couple of security points, for example:
>> - information about how to enable ssl
>> - how to harden the owncloud installation with information about:
>>   - secure the different databases
>> - the owncloud policy about security, such as:
>>   - the passwords are sha1 hashed with a salt.
>>   - the security is done by .htaccess check for access by seeing if your
>>     data directory is accessible.
> You are right, I also would love to see that. Even more, I think it 
> would really make sense to have a kind of "Security Working Group" within 
> the ownCloud community which consists of a few people who
> - maintain documentation like the ones you mentioned above
> - check the ongoing code development with the special focus on security
> - are the responsible contact for security issues within ownCloud
> - do not have to be developers ;-) This is more a task for experienced 
> administrators who maintain large server installations. They often have 
> a sharper view on security requirements than devs do, at least from my 
> experience being a developer ;-)
> - probably more...
>
> Roland, is that something you could imagine to contribute to?

This is something I see myself contributing to although I don't know in
what way or manner yet.

>
> Thanks for your help,

You're welcome.

Roland
>
> Klaas
>
>> [1] http://owncloud.org/support/setup-and-installation/linux-server/
>
>
> _______________________________________________
> Owncloud mailing list
> Owncloud at kde.org
> https://mail.kde.org/mailman/listinfo/owncloud
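The thread's weak Apache default (AllowOverride None under /var/www/ with Indexes on) and the proposed <Directory /var/www/owncloud/> fix can be checked offline with a small config lint. This is an added example, not code from the thread or from ownCloud: it merges <Directory> blocks the way Apache does (shortest path first) and reports whether the data directory would be listable. It assumes, as Klaas suggests, that ownCloud's shipped .htaccess relies on "Options -Indexes", which only takes effect when AllowOverride permits Options overrides.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the stock default quoted in the thread.
DEFAULT_CONF = """
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
"""

# The same config plus the block the thread proposes as the fix.
FIXED_CONF = DEFAULT_CONF + """
<Directory /var/www/owncloud/>
AllowOverride All
</Directory>
"""

def parse_directory_blocks(conf: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return (path, directives) for every <Directory> block, in file order."""
    blocks = []
    for m in re.finditer(r"<Directory\s+(\S+?)\s*>(.*?)</Directory>", conf, re.S | re.I):
        path = m.group(1).rstrip("/") or "/"
        directives = {}
        for line in m.group(2).strip().splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2:
                directives[parts[0].lower()] = parts[1].strip()
        blocks.append((path, directives))
    return blocks

def effective_settings(conf: str, target: str) -> Tuple[Set[str], str]:
    """Apache applies matching <Directory> blocks shortest path first; a plain
    Options list replaces the set, +/- forms merge into it."""
    target = target.rstrip("/") or "/"
    options: Set[str] = set()
    allowoverride = "None"
    for path, d in sorted(parse_directory_blocks(conf), key=lambda b: len(b[0])):
        if not (path == "/" or target == path or target.startswith(path + "/")):
            continue
        if "options" in d:
            toks = d["options"].split()
            if all(t[0] in "+-" for t in toks):
                for t in toks:
                    (options.add if t[0] == "+" else options.discard)(t[1:])
            else:
                options = set(toks)
        if "allowoverride" in d:
            allowoverride = d["allowoverride"]
    return options, allowoverride

def data_dir_exposed(conf: str, owncloud_dir: str = "/var/www/owncloud") -> bool:
    """True if directory indexes are on for the data dir and the .htaccess
    (assumed to carry 'Options -Indexes') cannot override them."""
    options, allowoverride = effective_settings(conf, owncloud_dir + "/data")
    htaccess_can_disable_indexes = any(
        t.lower() == "all" or t.lower().startswith("options")
        for t in allowoverride.split())
    return "Indexes" in options and not htaccess_can_disable_indexes
```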