httpd-users mailing list archives

From James Smith <...@sanger.ac.uk>
Subject RE: [users@httpd] Apache and nextcloud - insecure ? [EXT]
Date Thu, 03 Sep 2020 13:44:43 GMT
Not sure what Nextcloud is - but this is often common amongst "black-box" web apps that bootstrap
themselves, and handle upgrades from the UI interface.

The webserver has to be able to re-write its own files for the upgrades.....

Scary and against all "normal" secure procedures if you manage your site from the command
line


-----Original Message-----
From: Lentes, Bernd <bernd.lentes@helmholtz-muenchen.de> 
Sent: 01 September 2020 12:06
To: users Maillingsliste Apache <users@httpd.apache.org>
Subject: [users@httpd] Apache and nextcloud - insecure ? [EXT]

Hi,

I'm planning to install Nextcloud on an Ubuntu 20.04 with Apache.
But the recommendations from Nextcloud to configure Apache don't appeal to me.

1. https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html#installation-wizard
The recommendation is to change the owner of the DocumentRoot of the Nextcloud installation
to www-data, the user the apache2 process is running as.
"chown -R www-data:www-data /var/www/nextcloud/"
This is weird, isn't it ? I remember http://httpd.apache.org/docs/2.4/misc/security_tips.html
 "Permissions on ServerRoot Directories"
which is contradictory to that.

2. The second recommendation is even stranger:
https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html#pretty-urls
"mod_env and mod_rewrite must be installed on your webserver and the .htaccess must be writable
by the HTTP user. Then you can set in the config.php two variables:"
.htaccess writeable by the HTTP User !?! I'm no Webserver expert, but I get pain in my stomach
reading this.
What do you think ?
Has anyone experience in installing nextcloud ?
Would it be a good idea to install nextcloud via snap, which seems to be more secure ?

Bernd
-- 

Bernd Lentes
Systemadministration
Institute for Metabolism and Cell Death (MCD) Building 25 - office 122 HelmholtzZentrum München
bernd.lentes@helmholtz-muenchen.de
phone: +49 89 3187 1241
phone: +49 89 3187 3827
fax: +49 89 3187 2294
http://www.helmholtz-muenchen.de/mcd
 

stay healthy
Helmholtz Zentrum München



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org




-- 
 The Wellcome Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE.
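
Added example, not part of the original messages and not Nextcloud or Apache code: a Python audit that reports which directories and code/config files under a DocumentRoot the web server account can modify, which is the state `chown -R www-data:www-data` produces. It judges by owner/group/other mode bits only (ACLs, read-only mounts and MAC policy are ignored), and the `SENSITIVE_NAMES` / `SENSITIVE_EXTS` lists are assumptions made for this example.

```python
import os
import stat

# Names/extensions whose modification changes server behaviour or runs code.
# Constructed list for this example (an assumption); extend it for your application.
SENSITIVE_NAMES = {".htaccess", "config.php"}
SENSITIVE_EXTS = {".php"}


def can_write(st, uid, gids):
    """True if a non-root process with this uid/gids may write, by mode bits only."""
    if st.st_uid == uid:  # the owner class applies first, even if group/other allow
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit(docroot, uid, gids):
    """Return sorted (relative_path, reason) pairs that the given identity can modify."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        if can_write(os.lstat(dirpath), uid, gids):
            # Write access to a directory allows creating or replacing files in it,
            # including a new .htaccess, whatever the modes of the existing files.
            findings.append((os.path.relpath(dirpath, docroot), "writable directory"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode) or not can_write(st, uid, gids):
                continue
            ext = os.path.splitext(name)[1].lower()
            if name in SENSITIVE_NAMES or ext in SENSITIVE_EXTS:
                findings.append((os.path.relpath(path, docroot), "writable code/config"))
    return sorted(findings)


if __name__ == "__main__":
    import pwd, sys
    root, user = sys.argv[1], sys.argv[2]  # e.g. /var/www/nextcloud www-data
    pw = pwd.getpwnam(user)
    groups = set(os.getgrouplist(user, pw.pw_gid))
    for rel, reason in audit(root, pw.pw_uid, groups):
        print(f"{reason}: {rel}")
```

An empty report for the web server account means it can serve the tree but cannot rewrite code, configuration or `.htaccess` in it.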