When you think about it, NextCloud is running as part of the web server, so in 
your case www-data. You are going to want NextCloud to be able to write to the 
disk; therefore www-data needs to write to the disk. If you have data other than 
the stuff you are giving NextCloud access to, I would have a separate 
DocumentRoot for NextCloud. I might even have a separate instance of Apache 
running in a container or a chroot environment; this would work best with a 
second IP, and most home users don't have the ability to do that. The other 
alternative would be using an alternative port number, making the NextCloud URL 
more complex and requiring additional firewall rules.

Darryl Baker, GSEC  (he/him/his)
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
1800 Sherman Ave.
Suite 6-600 – Box #39
Evanston, IL  60201-3715
darryl.ba...@northwestern.edu
(847) 467-6674
 

On 9/3/20, 8:46 AM, "James Smith" <j...@sanger.ac.uk> wrote:

    Not sure what Nextcloud is - but this is often common amongst "black-box" 
web apps that bootstrap themselves and handle upgrades from the UI interface.

    The webserver has to be able to re-write its own files for the 
upgrades.....

    Scary and against all "normal" secure procedures if you manage your site 
from the command line.


    -----Original Message-----
    From: Lentes, Bernd <bernd.len...@helmholtz-muenchen.de> 
    Sent: 01 September 2020 12:06
    To: users Maillingsliste Apache <users@httpd.apache.org>
    Subject: [users@httpd] Apache and nextcloud - insecure ? [EXT]

    Hi,

    I'm planning to install Nextcloud on an Ubuntu 20.04 with Apache.
    But the recommendations from Nextcloud to configure Apache don't appeal to 
me.

    1. https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html#installation-wizard
    The recommendation is to change the owner of the DocumentRoot of the 
Nextcloud installation to www-data, the user the apache2 process is running as.
    "chown -R www-data:www-data /var/www/nextcloud/"
    This is weird, isn't it? I remember 
http://httpd.apache.org/docs/2.4/misc/security_tips.html 
"Permissions on ServerRoot Directories", which is contradictory to that.

    2. The second recommendation is even stranger:
    https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html#pretty-urls
    "mod_env and mod_rewrite must be installed on your webserver and the 
.htaccess must be writable by the HTTP user. Then you can set in the config.php 
two variables:"
    .htaccess writable by the HTTP user!?! I'm no webserver expert, but I get a 
pain in my stomach reading this.
    What do you think?
    Has anyone experience in installing Nextcloud?
    Would it be a good idea to install Nextcloud via snap, which seems to be 
more secure?

    Bernd
    -- 

    Bernd Lentes
    Systemadministration
    Institute for Metabolism and Cell Death (MCD)
    Building 25 - office 122
    Helmholtz Zentrum München
    bernd.len...@helmholtz-muenchen.de
    phone: +49 89 3187 1241
    phone: +49 89 3187 3827
    fax: +49 89 3187 2294
    http://www.helmholtz-muenchen.de/mcd
  

    stay healthy
    Helmholtz Zentrum München


    ---------------------------------------------------------------------
    To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
    For additional commands, e-mail: users-h...@httpd.apache.org




    -- 
     The Wellcome Sanger Institute is operated by Genome Research 
     Limited, a charity registered in England with number 1021457 and a 
     company registered in England with number 2742969, whose registered 
     office is 215 Euston Road, London, NW1 2BE.

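The thread's underlying question is which parts of a Nextcloud DocumentRoot really have to be writable by the HTTP user. The following shell script is an added example written for this page; it is not code from any of the posters, from the Apache project or from Nextcloud's own documentation. It applies a least-privilege ownership scheme (code owned by an administrative account and read-only for Apache's group; only config/, apps/, the data directory and .htaccess owned by the HTTP user) and then audits the tree for anything the HTTP user could still modify. All paths and account names are hypothetical arguments; it assumes a Debian/Ubuntu-style www-data account, GNU find, and a data directory kept outside the DocumentRoot.

```shell
#!/bin/sh
# Added example (not from the thread or from Nextcloud): a least-privilege
# ownership scheme for a Nextcloud DocumentRoot plus an audit of what the
# HTTP user can still write. All arguments are hypothetical: ROOT is the
# DocumentRoot, DATA the data directory (outside ROOT), CODE_OWNER the admin
# account, HTTP_USER:HTTP_GROUP what Apache runs as (www-data:www-data).
set -eu

# harden_tree ROOT DATA CODE_OWNER HTTP_USER HTTP_GROUP
# Code: owned by CODE_OWNER, readable but not writable by Apache's group.
# Writable areas the application genuinely needs: config/ (config.php),
# apps/ (app-store installs), the data directory, and .htaccess (rewritten
# by the pretty-URL setup); these are owned, hence writable, by HTTP_USER.
harden_tree() {
    root=${1%/} data=${2%/} code_owner=$3 http_user=$4 http_group=$5
    chown -R "$code_owner:$http_group" "$root"
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +
    for d in "$root/config" "$root/apps" "$data"; do
        mkdir -p "$d"
        chown -R "$http_user:$http_group" "$d"
        find "$d" -type d -exec chmod 750 {} +
        find "$d" -type f -exec chmod 640 {} +
    done
    if [ -f "$root/.htaccess" ]; then
        chown "$http_user:$http_group" "$root/.htaccess"
        chmod 640 "$root/.htaccess"
    fi
}

# audit_tree ROOT CODE_OWNER
# Prints the number of paths under ROOT that are either not owned by
# CODE_OWNER or writable by group/others, skipping the intended writable
# areas. 0 means the HTTP user cannot change any code the server executes.
audit_tree() {
    root=${1%/} code_owner=$2
    find "$root" \
        \( -path "$root/config" -o -path "$root/apps" -o -path "$root/.htaccess" \) -prune \
        -o \( ! -user "$code_owner" -o -perm /022 \) -print | wc -l | tr -d ' '
}

# Usage on a real host (run as root; paths are examples):
#   harden_tree /var/www/nextcloud /srv/nextcloud-data root www-data www-data
#   audit_tree  /var/www/nextcloud root     # expect 0
```

With the code tree owned by root, Nextcloud's built-in web updater can no longer rewrite the installation, so upgrades are done by the administrator from the command line, after which `harden_tree` is simply re-run. Run `audit_tree` after any app install or upgrade to confirm nothing outside the expected areas became writable by the HTTP user.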