https://bugzilla.novell.com/show_bug.cgi?id=736764 https://bugzilla.novell.com/show_bug.cgi?id=736764#c0 Summary: owncloud package permissions root open. Classification: openSUSE Product: openSUSE.org Version: unspecified Platform: Other OS/Version: Other Status: NEW Severity: Major Priority: P5 - None Component: 3rd party software AssignedTo: asemen@suse.com ReportedBy: mrueckert@suse.com QAContact: opensuse-communityscreening@forge.provo.novell.com CC: wstephenson@suse.com, jnelson-suse@jamponi.net, freitag@suse.com Found By: --- Blocker: --- the app code should *never* be writable by the web server. i would propose the following changes: 1. change default ownership to root:www change default permissions to u+rwX,g+rX (I would recommend doing this in %install it is a bit pita in the files list) set owner of data and config dir to wwwrun:www so the webapp can write to it, but mark config as no verify for permissions. config can be chown-ed to root:www after the initial DB config is done. for the average user it might be a nice thing to provide owncloud-secure.sh/opencloud-reconfig.sh, which handle the needed chown calls. 2. It might be a good idea to have owncloud outside of the normal documentroot and use an alias to make it available. A /etc/apache2/conf.d/owncloud.conf might be a good idea for this. a nice place might be /srv/www/owncloud or /srv/www/apps/owncloud. 3. additionally you might want to disable php support in the data dir. This could be done within the /etc/apache2/conf.d/owncloud.conf [[[ RemoveHandler .php .phtml .php3 RemoveType .php .phtml .php3 php_flag engine off </Directory> ]]] that way users cant upload custom php files and execute them in the context off the webserver. 4. the README.SUSE should mostlikely be in /usr/share/doc/packages/owncloud, together with the rest of the documentation. 5. last but not least providing a snippet for apparmor as /etc/apparmor.d/abstractions/owncloud which sets the proper permissions for it would be a good idea the file could look like: [[[ /srv/www/apps/owncloud/ r, /srv/www/apps/owncloud/** r, /srv/www/apps/owncloud/data/ rw, ## only needed in install phase ## can be commented out afterwards /srv/www/apps/owncloud/config/ rw, ]]] then admins could just use #include in their profiles for php/apache to set the proper permissions. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.