Apache and nextcloud - insecure ?

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Apache and nextcloud - insecure ?

Lentes, Bernd-2
Hi,

i'm planning to install Nextcloud on an Ubuntu 20.04 with Apache.
But the recommendations from Nextcloud to configure Apache don't appeal to me.

1. https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html#installation-wizard
The recommendation is to change the owner of the DocumentRoot of the Nextcloud installation to www-data, the user the apache2 process is running.
"chown -R www-data:www-data /var/www/nextcloud/"
This is weird, isn't it ? I remember http://httpd.apache.org/docs/2.4/misc/security_tips.html "Permissions on ServerRoot Directories"
which is contradictory to that.

2. The second recommendation is even stranger:
https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html#pretty-urls
"mod_env and mod_rewrite must be installed on your webserver and the .htaccess must be writable by the HTTP user. Then you can set in the config.php two variables:"
.htaccess writeable by the HTTP User !?! I'm no Webserver expert, but i get pain in my stomach reading this.
What do you think ?
Has anyone experience in installing nextcloud ?
Would it be a good idea to install nextcloud via snap, which seems to be more secure ?

Bernd
--

Bernd Lentes
Systemadministration
Institute for Metabolism and Cell Death (MCD)
Building 25 - office 122
HelmholtzZentrum München
[hidden email]
phone: +49 89 3187 1241
phone: +49 89 3187 3827
fax: +49 89 3187 2294
http://www.helmholtz-muenchen.de/mcd 

stay healthy
Helmholtz Zentrum München

Helmholtz Zentrum München


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Apache and nextcloud - insecure ?

Martin Drescher-2
Hi Bernd,

very short answer to 1.:
Yes, you want to write data there. Hence you need rite privileges. Make sure, privileges of www-data are restricted to that directory, you will be fine.

Off topic about 2.:
Consider using ownCloud, because it has .deb repo, you can get updates if you want to. Nectcloud does not have this (to my limited knowledge).


signature.asc (201 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Apache and nextcloud - insecure ?

Lentes, Bernd-2




----- On Sep 1, 2020, at 1:32 PM, Martin Drescher [hidden email] wrote:

> Hi Bernd,
>
> very short answer to 1.:
> Yes, you want to write data there. Hence you need rite privileges. Make sure,
> privileges of www-data are restricted to that directory, you will be fine.
>
> Off topic about 2.:
> Consider using ownCloud, because it has .deb repo, you can get updates if you
> want to. Nectcloud does not have this (to my limited knowledge).

Hi Martin,

thanks for your answer.
Concerning 2: I'm afraid you are right. I didn't find a repository for Ubuntu,
and this webpage seems to confirm that: https://help.nextcloud.com/t/linux-packages-status/10216
I'd prefer Nextcloud because it has more additional tools, like OnlyOffice which i plan to install.

I'm thinking about installing it as a snap, but i have no experience with snap.

Bernd
Helmholtz Zentrum München

Helmholtz Zentrum München


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Apache and nextcloud - insecure ?

Bjoern Voigt
In reply to this post by Lentes, Bernd-2
Bernd Lentes wrote:

> 1. https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html#installation-wizard
> The recommendation is to change the owner of the DocumentRoot of the Nextcloud installation to www-data, the user the apache2 process is running.
> "chown -R www-data:www-data /var/www/nextcloud/"
> This is weird, isn't it ? I remember http://httpd.apache.org/docs/2.4/misc/security_tips.html "Permissions on ServerRoot Directories"
> which is contradictory to that.
>
> 2. The second recommendation is even stranger:
> https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html#pretty-urls
> "mod_env and mod_rewrite must be installed on your webserver and the .htaccess must be writable by the HTTP user. Then you can set in the config.php two variables:"
> .htaccess writeable by the HTTP User !?! I'm no Webserver expert, but i get pain in my stomach reading this.
> What do you think ?
> Has anyone experience in installing nextcloud ?
> Would it be a good idea to install nextcloud via snap, which seems to be more secure ?
I agree, that the recommendations are insecure. I made some tests with
different permissions. Not all files and directories have to be owned by
"www-data".

The following files/directories should be owned by www-data. There are
some checks in the Nextcloud codebase which otherwise complain about
missing permissions. Other files can be owned e.g. by root.

nextcloud/apps/
nextcloud/config/
nextcloud/data/

The location for Nextcloud data (default: nextcloud/data/) can be
changed. Changing the permissions of nextcloud/apps/ and
nextcloud/config/ is not trivial because of the checks in the code. Also
some functionality will be lost, of the permissions are changed, e.g.
updating apps from the GUI will not work, if /nextcloud/apps/ is read-only.

Greetings,
Björn

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

RE: Apache and nextcloud - insecure ? [EXT]

James Smith
In reply to this post by Lentes, Bernd-2
Not sure what Nextcloud is - but this is often common amongst "black-box" web apps that bootstrap themselves, and handle upgrades from the UI interface.

The webserver has to be able to re-write it's own files for the upgrades.....

Scary and against all "normal" secure procedures if you manage your site from the command line


-----Original Message-----
From: Lentes, Bernd <[hidden email]>
Sent: 01 September 2020 12:06
To: users Maillingsliste Apache <[hidden email]>
Subject: [users@httpd] Apache and nextcloud - insecure ? [EXT]

Hi,

i'm planning to install Nextcloud on an Ubuntu 20.04 with Apache.
But the recommendations from Nextcloud to configure Apache don't appeal to me.

1. https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.nextcloud.com_server_19_admin-5Fmanual_installation_source-5Finstallation.html-23installation-2Dwizard&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=scfINAoiIAEVr_pmSSi-9oJanmkPIY1Oh8whk2cfk5w&s=Oo_t57zunPNDliOFWIB-QmTHC2T-7ygMhTsO19qSeb4&e=
The recommendation is to change the owner of the DocumentRoot of the Nextcloud installation to www-data, the user the apache2 process is running.
"chown -R www-data:www-data /var/www/nextcloud/"
This is weird, isn't it ? I remember https://urldefense.proofpoint.com/v2/url?u=http-3A__httpd.apache.org_docs_2.4_misc_security-5Ftips.html&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=scfINAoiIAEVr_pmSSi-9oJanmkPIY1Oh8whk2cfk5w&s=oDEvr6axTyJb5ld7ZCn7I_0V-qYDwwAwJ45xW9WxpbI&e=  "Permissions on ServerRoot Directories"
which is contradictory to that.

2. The second recommendation is even stranger:
https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.nextcloud.com_server_19_admin-5Fmanual_installation_source-5Finstallation.html-23pretty-2Durls&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=scfINAoiIAEVr_pmSSi-9oJanmkPIY1Oh8whk2cfk5w&s=uERf1hmchKSgrvGzDAT1-YuznXpeu0pAC4OREfsVQQE&e=
"mod_env and mod_rewrite must be installed on your webserver and the .htaccess must be writable by the HTTP user. Then you can set in the config.php two variables:"
.htaccess writeable by the HTTP User !?! I'm no Webserver expert, but i get pain in my stomach reading this.
What do you think ?
Has anyone experience in installing nextcloud ?
Would it be a good idea to install nextcloud via snap, which seems to be more secure ?

Bernd
--

Bernd Lentes
Systemadministration
Institute for Metabolism and Cell Death (MCD) Building 25 - office 122 HelmholtzZentrum München [hidden email]
phone: +49 89 3187 1241
phone: +49 89 3187 3827
fax: +49 89 3187 2294
https://urldefense.proofpoint.com/v2/url?u=http-3A__www.helmholtz-2Dmuenchen.de_mcd&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=scfINAoiIAEVr_pmSSi-9oJanmkPIY1Oh8whk2cfk5w&s=iabTXmqNohJylEnKmHdtpzXJH_fmBLW-GdfneiIuAhg&e= 

stay healthy
Helmholtz Zentrum München

Helmholtz Zentrum München


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]




--
 The Wellcome Sanger Institute is operated by Genome Research
 Limited, a charity registered in England with number 1021457 and a
 company registered in England with number 2742969, whose registered
 office is 215 Euston Road, London, NW1 2BE.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Apache and nextcloud - insecure ? [EXT]

Darryl Philip Baker
When you think about It NextCloud is running as part of the web server so in your case www-data. You are going to want NextCloud to be able to write to the disk therefore www-data needs to write to the disk. If you have data other than the stuff you are giving NextCloud access to I would have a separate DocumentRoot for NextCloud. I might even have a separate instance of Apache running in a container or a chroot environment, this would work best with a second IP and most home users don't have the ability to do that. The other alternative would be using an alternative port number making the NextCloud URL more complex and requiring additional firewall rules.

Darryl Baker, GSEC  (he/him/his)
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
1800 Sherman Ave.
Suite 6-600 – Box #39
Evanston, IL  60201-3715
[hidden email]
(847) 467-6674
 

On 9/3/20, 8:46 AM, "James Smith" <[hidden email]> wrote:

    Not sure what Nextcloud is - but this is often common amongst "black-box" web apps that bootstrap themselves, and handle upgrades from the UI interface.

    The webserver has to be able to re-write it's own files for the upgrades.....

    Scary and against all "normal" secure procedures if you manage your site from the command line


    -----Original Message-----
    From: Lentes, Bernd <[hidden email]>
    Sent: 01 September 2020 12:06
    To: users Maillingsliste Apache <[hidden email]>
    Subject: [users@httpd] Apache and nextcloud - insecure ? [EXT]

    Hi,

    i'm planning to install Nextcloud on an Ubuntu 20.04 with Apache.
    But the recommendations from Nextcloud to configure Apache don't appeal to me.

    1. https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.nextcloud.com_server_19_admin-5Fmanual_installation_source-5Finstallation.html-23installation-2Dwizard&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=scfINAoiIAEVr_pmSSi-9oJanmkPIY1Oh8whk2cfk5w&s=Oo_t57zunPNDliOFWIB-QmTHC2T-7ygMhTsO19qSeb4&e=
    The recommendation is to change the owner of the DocumentRoot of the Nextcloud installation to www-data, the user the apache2 process is running.
    "chown -R www-data:www-data /var/www/nextcloud/"
    This is weird, isn't it ? I remember https://urldefense.proofpoint.com/v2/url?u=http-3A__httpd.apache.org_docs_2.4_misc_security-5Ftips.html&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=scfINAoiIAEVr_pmSSi-9oJanmkPIY1Oh8whk2cfk5w&s=oDEvr6axTyJb5ld7ZCn7I_0V-qYDwwAwJ45xW9WxpbI&e=  "Permissions on ServerRoot Directories"
    which is contradictory to that.

    2. The second recommendation is even stranger:
    https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.nextcloud.com_server_19_admin-5Fmanual_installation_source-5Finstallation.html-23pretty-2Durls&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=scfINAoiIAEVr_pmSSi-9oJanmkPIY1Oh8whk2cfk5w&s=uERf1hmchKSgrvGzDAT1-YuznXpeu0pAC4OREfsVQQE&e=
    "mod_env and mod_rewrite must be installed on your webserver and the .htaccess must be writable by the HTTP user. Then you can set in the config.php two variables:"
    .htaccess writeable by the HTTP User !?! I'm no Webserver expert, but i get pain in my stomach reading this.
    What do you think ?
    Has anyone experience in installing nextcloud ?
    Would it be a good idea to install nextcloud via snap, which seems to be more secure ?

    Bernd
    --

    Bernd Lentes
    Systemadministration
    Institute for Metabolism and Cell Death (MCD) Building 25 - office 122 HelmholtzZentrum München [hidden email]
    phone: +49 89 3187 1241
    phone: +49 89 3187 3827
    fax: +49 89 3187 2294
    https://urldefense.proofpoint.com/v2/url?u=http-3A__www.helmholtz-2Dmuenchen.de_mcd&d=DwIFaQ&c=D7ByGjS34AllFgecYw0iC6Zq7qlm8uclZFI0SqQnqBo&r=oH2yp0ge1ecj4oDX0XM7vQ&m=scfINAoiIAEVr_pmSSi-9oJanmkPIY1Oh8whk2cfk5w&s=iabTXmqNohJylEnKmHdtpzXJH_fmBLW-GdfneiIuAhg&e= 

    stay healthy
    Helmholtz Zentrum München

    Helmholtz Zentrum München


    ---------------------------------------------------------------------
    To unsubscribe, e-mail: [hidden email]
    For additional commands, e-mail: [hidden email]




    --
     The Wellcome Sanger Institute is operated by Genome Research
     Limited, a charity registered in England with number 1021457 and a
     company registered in England with number 2742969, whose registered
     office is 215 Euston Road, London, NW1 2BE.
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: [hidden email]
    For additional commands, e-mail: [hidden email]


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]