Not sure what Nextcloud is - but this is often common amongst "black-box" web apps that bootstrap themselves, and handle upgrades from the UI interface. The webserver has to be able to re-write its own files for the upgrades...

Scary and against all "normal" secure procedures if you manage your site from the command line

-----Original Message-----
From: Lentes, Bernd <bernd.lentes@xxxxxxxxxxxxxxxxxxxxx>
Sent: 01 September 2020 12:06
To: users Maillingsliste Apache <users@xxxxxxxxxxxxxxxx>
Subject: Apache and nextcloud - insecure ?

Hi,

I'm planning to install Nextcloud on an Ubuntu 20.04 with Apache. But the recommendations from Nextcloud to configure Apache don't appeal to me.

1. https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html#installation-wizard
The recommendation is to change the owner of the DocumentRoot of the Nextcloud installation to www-data, the user the apache2 process is running as.
"chown -R www-data:www-data /var/www/nextcloud/"
This is weird, isn't it? I remember http://httpd.apache.org/docs/2.4/misc/security_tips.html "Permissions on ServerRoot Directories" which is contradictory to that.

2. The second recommendation is even stranger:
https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html#pretty-urls
"mod_env and mod_rewrite must be installed on your webserver and the .htaccess must be writable by the HTTP user. Then you can set in the config.php two variables:"
.htaccess writeable by the HTTP User !?!

I'm no Webserver expert, but I get pain in my stomach reading this. What do you think? Has anyone experience in installing Nextcloud? Would it be a good idea to install Nextcloud via snap, which seems to be more secure?

Bernd

--
Bernd Lentes
Systemadministration
Institute for Metabolism and Cell Death (MCD)
Building 25 - office 122
HelmholtzZentrum München
bernd.lentes@xxxxxxxxxxxxxxxxxxxxx
phone: +49 89 3187 1241
phone: +49 89 3187 3827
fax: +49 89 3187 2294
http://www.helmholtz-muenchen.de/mcd

stay healthy

Helmholtz Zentrum München

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

--
The Wellcome Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.
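An added example, not part of either message above and not taken from the Nextcloud or Apache documentation: a shell function that lists what a given account could modify under a web root, which is the exposure both posts describe for `chown -R www-data:www-data` and a writable `.htaccess`. The function names `scan` and `audit_docroot` are made up for this illustration, and the check assumes plain owner/group/mode permissions (ACLs are ignored).

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not from Nextcloud or Apache.
# Lists directories and regular files under a web root that an account could
# modify, judged by owner, group and mode bits only (ACLs are not examined).

# scan LABEL ROOT FIND-PREDICATES...  ->  lines of "LABEL dir|file PATH"
scan() {
    label=$1 root=$2; shift 2
    find "$root" -type d "$@" -print | sed "s|^|$label dir |"
    find "$root" -type f "$@" -print | sed "s|^|$label file |"
}

# audit_docroot ROOT UID [GID...]  ->  lines of "REASON KIND PATH"
#   REASON owner: owned by UID. The owner can chmod the path back to writable,
#                 so ownership counts even when the write bit is cleared.
#          group: group-writable through one of the listed GIDs.
#          other: world-writable.
#   KIND   dir | file | htaccess. A writable dir lets its entries be created,
#          renamed or replaced even when the files themselves are read-only.
# Paths containing newlines are not handled.
audit_docroot() {
    root=$1 uid=$2; shift 2
    {
        scan owner "$root" -user "$uid"
        for gid in "$@"; do
            scan group "$root" ! -user "$uid" -group "$gid" -perm -g+w
        done
        scan other "$root" ! -user "$uid" -perm -o+w
    } | awk '{
        reason = $1; kind = $2; p = $0
        sub(/^[a-z]+ [a-z]+ /, "", p)       # strip the two prefix fields
        if (seen[p]++) next                 # report each path once, first reason wins
        if (kind == "file" && p ~ /\/\.htaccess$/) kind = "htaccess"
        print reason, kind, p
    }'
}

# Typical call on the layout from the thread (run as root so find can read everything):
#   audit_docroot /var/www/nextcloud "$(id -u www-data)" $(id -G www-data)
```

After the recursive chown quoted in the thread, every path comes back with reason `owner`; on a tree owned by root, an empty result means the web server account cannot alter its own code or `.htaccess`.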