Your message dated Sat, 16 Nov 2013 23:16:02 -0400
with message-id <[email protected]>
and subject line Re: Bug#729762: owncloud data directory not protected due to
bad htaccess
has caused the Debian Bug report #729762,
regarding owncloud data directory not protected due to bad htaccess
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
--
729762: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729762
--- Begin Message ---
Package: owncloud
Version: 5.0.13+dfsg-1
Severity: important
The default installation for owncloud makes the data directory insecure.
The problem is the htaccess file in /var/lin/owncloud/data is for the
"old style" authorization.
The owncloud admin screen nags you with this:
"Your data directory and your files are probably accessible from the
internet. The .htaccess file that ownCloud provides is not working. We
strongly suggest that you configure your webserver in a way that the
data directory is no longer accessible or you move the data directory
outside the webserver document root."
The file contents should be:
    Require all denied
    IndexIgnore *
Or even better, the version-aware variety of this that is found in
/etc/owncloud/htaccess.
I raised the level of Severity because it provides remote access to
files users might think are protected, depending on how your other
settings are set up.
- Craig
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.11-1-amd64 (SMP w/6 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages owncloud depends on:
ii apache2 2.4.6-3
ii apache2-bin [httpd] 2.4.6-3
ii fonts-font-awesome 4.0.0~dfsg-1
ii libjs-chosen 0.9.11-1
ii libjs-jquery 1.7.2+dfsg-3
ii libjs-jquery-fancybox 8-2
ii libjs-jquery-jplayer 2.3.4+dfsg-1
ii libjs-jquery-minicolors 1.2.1-1
ii libjs-jquery-mousewheel 8-2
ii libjs-jquery-timepicker 1.2-1
ii libjs-pdf 0.8.37+dfsg-1
ii libphp-phpmailer 5.1-1
ii mediawiki 1:1.19.8+dfsg-2.1
ii owncloud-doc 0~20131024-1
ii owncloud-mysql 5.0.13+dfsg-1
ii php-aws-sdk 1.5.6.2-1
ii php-crypt-blowfish 1.1.0~RC2-1
ii php-getid3 1.9.7-1
ii php-google-api-php-client 0.6.2-1
ii php-irods-prods 3.3.0~beta1-1
ii php-mdb2 2.5.0b5-1
ii php-mdb2-schema 0.8.5-1
ii php-patchwork-utf8 1.1.7-1
ii php-pear 5.5.5+dfsg-1
ii php-sabre-dav 1.7.6+dfsg-2
ii php-sabre-vobject 2.0.7-1
ii php-seclib 0.3.5-2
ii php-symfony-routing 2.0.19-1
ii php-xml-parser 1.3.4-6
ii php5 5.5.5+dfsg-1
ii php5-curl 5.5.5+dfsg-1
ii php5-gd 5.5.5+dfsg-1
ii php5-json 1.3.2-2
Versions of packages owncloud recommends:
ii clamav 0.97.8+dfsg-1
ii curl 7.33.0-1
ii liboauth-php 0~svn1262-1
ii php-services-json 1.0.3-1
ii php5-cli 5.5.5+dfsg-1
ii php5-intl 5.5.5+dfsg-1
ii php5-ldap 5.5.5+dfsg-1
ii postfix [mail-transport-agent] 2.10.2-1
ii smbclient 2:4.0.10+dfsg-4
ii zendframework 1.12.3-1
Versions of packages owncloud suggests:
pn libapache2-mod-xsendfile <none>
-- Configuration Files:
/etc/owncloud/htaccess [Errno 13] Permission denied: u'/etc/owncloud/htaccess'
-- no debconf information
--- End Message ---
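A static check for the condition described in this report, as an added example that is not part of the original messages or the ownCloud package: it reports which Apache generations a given .htaccess denies all access for. The function names and sample files are constructed for illustration, and "old style" is assumed to mean the Apache 2.2 `deny from all` syntax.

```python
import re

# Deny-all directives, keyed by the Apache generation whose core
# authorization module understands them.
DENY_RULES = {
    "2.4": re.compile(r"require\s+all\s+denied", re.I),  # mod_authz_core
    "2.2": re.compile(r"deny\s+from\s+all", re.I),       # mod_authz_host
}
OPEN = re.compile(r"<(IfModule|IfVersion)\s+(.+?)>", re.I)
CLOSE = re.compile(r"</(IfModule|IfVersion)>", re.I)
BOTH = frozenset({"2.2", "2.4"})

def block_scope(kind, arg):
    """Generations in which a conditional block is active (simplified)."""
    kind, arg = kind.lower(), arg.strip().lower()
    if kind == "ifmodule" and arg.lstrip("!") in ("mod_authz_core.c", "authz_core_module"):
        return {"2.2"} if arg.startswith("!") else {"2.4"}
    if kind == "ifversion" and (m := re.fullmatch(r"(>=|<)\s*2\.4", arg)):
        return {"2.4"} if m.group(1) == ">=" else {"2.2"}
    return set()  # unknown condition: do not count on rules inside it

def audit_htaccess(text):
    """Return the Apache generations for which `text` denies all access."""
    stack, protected = [], set()
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := OPEN.fullmatch(line):
            stack.append(block_scope(*m.groups()))
        elif CLOSE.fullmatch(line):
            del stack[-1:]  # pop, tolerating an unbalanced closing tag
        else:
            active = BOTH.intersection(*stack)
            protected |= {g for g, rule in DENY_RULES.items()
                          if g in active and rule.fullmatch(line)}
    return protected

# Constructed samples (not files from the package).
LEGACY = "deny from all\nIndexIgnore *\n"
FIXED = "Require all denied\nIndexIgnore *\n"  # contents proposed in the report
VERSION_AWARE = """\
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    deny from all
</IfModule>
IndexIgnore *
"""
```

A result of only `{"2.2"}` on an Apache 2.4 host means the deny rule takes effect only if mod_access_compat is loaded. The check is static and does not confirm that the server honours .htaccess files for that directory.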
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Version: 6.0.0~beta4+dfsg
Control: tags -1 upstream
Control: forwarded -1 https://github.com/owncloud/core/issues/5757
On 16/11/2013 20:14, Craig Small wrote:
> The default installation for owncloud makes the data directory insecure.
> The problem is the htaccess file in /var/lin/owncloud/data is for the
> "old style" authorization.
Indeed, that has just been fixed upstream, and it’s already part of the
Debian package currently in experimental. Unfortunately, the .htaccess
file does not seem updated on upgrade yet.
Regards
David
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---