[Owncloud] Documentation issue enables a Major Security Issue on Apache/Ubuntu. Fixes and checks included.

Roland van Laar roland at micite.net
Fri Feb 24 23:26:25 UTC 2012 

On 02/24/2012 06:12 PM, Roland van Laar wrote:
> On 02/24/2012 10:27 AM, Klaas Freitag wrote:
>> On 24.02.2012 00:03, Roland van Laar wrote:
>> Hi Roland,
>>
>>> I found a security issue with the default install of OwnCloud.
>>> The default install leaves the data directory wide open.
>>>
>>> The default apache configuration specifies the following:
>>> <Directory />
>>> Options FollowSymLinks
>>> AllowOverride None
>>> </Directory>
>>> <Directory /var/www/>
>>> Options Indexes FollowSymLinks MultiViews
>>> AllowOverride None
>>> Order allow,deny
>>> allow from all
>>> </Directory>
>> Confirmed for openSUSE where the default config is similar.
>>
>>> The second AllowOverride should be All instead of None.
>>>
>>> On the linux server page[1] the sixth step should be:
>>> 6. To enable the use of the .htaccess files: Add
>>> <Directory /var/www/owncloud/>
>>> AllowOverride All
>>> </Directory>
>> Agreed.
>>
> Nice.
>
>>> It would be nice it owncloud would check if the .htaccess files can be
>>> loaded.
>>> I saw the 'SetEnv htaccessWorking true' in the root .htaccess but this
>>> didn't display
>>> any messages.
>>>
>>> A fix. To be put in index.php after 'if($not_installed)' and before
>>> 'if($_SERVER['REQUEST_METHOD'...
>>>
>>> // Check for a working .htaccess file.
>>> if (strstr($_SERVER['SERVER_SOFTWARE'], 'Apache') and
>>> getenv('htaccessWorking') != true){
>>> $errors[] = array('error' => 'Security Error: .htaccess file is not 
>>> set',
>>> 'hint' => 'You are using apache and the .htaccess isn\'t loaded. Set
>>> AllowOverride to All.');
>>> OC_Template::printGuestPage('', 'error', array('errors' => $errors));
>>> exit();
>>> }
>>>
>>> This checks if apache is used, and if so if the .htaccessWorking
>>> parameter is set.
>>> It will display an error when it's not set.
>> This is a very good idea, but
>> - people might decide against a .htaccess based configuration, but 
>> create a secure config without .htaccess.
>> - the htaccessWorking variable gets only set if the env_module is 
>> loaded, at least for me. I am not sure if thats always there?
>>
> I'm not sure either.
> I think that owncloud should offer security by default.
> I'm working on a checkbox during the install with the advanced features.
> When the checkbox is checked (by default) the installation will check 
> for a working .htaccess.
> The checkbox will obly be available when using apache.

I made a merge request with my changes: 
https://gitorious.org/owncloud/owncloud/merge_requests/93
It now has a checkbox during the install on the advanced part that is 
checked.
When it's checked the installation process will check for a working 
.htaccess file.
If it doesn't work an error message is shown and the installation 
process is aborted.

It's possible to uncheck the check box in the advanced part of the 
installation.

>> What are the really relevant directives in the .htaccess? Probably 
>> the Options -Indexes, right? Wouldn't there be a possibility to 
>> rather check if indexing of the data dir (and config dir probably) is 
>> possible at all and than fire up an error?

Well Options -Indexes is a start, also access should be denied for the 
data directory.
>>
>>> I think privacy and security is a major sellingpoint for owncloud.
>> Absolutely correct.
>>
>>> As such I would like to see a security policy page for owncloud.
>>> Which documents a couple of security points, for example:
>>> -information about how to enable ssl
>>> -how to harden the owncloud installation with information about:
>>> secure the different databases
>>> -the owncloud policy about security, such as:
>>> -the passwords are sha1 hashed with a salt.
>>> -the security is done by .htaccess check for access by seeing if your
>>> data directory is accessible.
>> You are right, I also would love to see that. Even more, I think it 
>> would really make sense to a kind of "Security Working Group" within 
>> the ownCloud community which consists of a few people who
>> - maintain documentation like the ones you mentioned above
>> - check the ongoing code development with the special focus on security
>> - are the responsible contact for security issues within ownCloud
>> - do not have to be developers ;-) This is more a task for 
>> experienced administrators who maintain large server installation. 
>> They often have a sharper view on security requirements than devs do, 
>> at least from my experience being a developer ;-)
>> - probably more...
>>
>> Roland, is that something you could imagine to contribute to?
>
> This is something I see myself contributing to although I don't know in
> what way or manner yet.
>
>>
>> Thanks for your help,
>
> Your welcome.
>
> Roland
>>
>> Klaas
>>
>>> [1] http://owncloud.org/support/setup-and-installation/linux-server/
>>

More information about the Owncloud mailing list