[Pkg-owncloud-maintainers] File size issue (Admin section)

Diederik de Haas didi.debian at cknow.org
Mon Jun 4 14:56:15 UTC 2012

On Monday 04 June 2012 14:51:26 Diederik de Haas wrote:
> > We shall report this upstream- can you please take care of that?
> > thx
> I'll make a vm with 'upstream oc' first to check/verify whether it is an
> upstream issue. If so, I'll report it.

On Monday 04 June 2012 11:10:46 Thomas Müller wrote:
> Wouldn't it be a potential security risk to grant www-data write access to
> .htaccess ?

I've just created an oc-upstream vm and installed apache2, php5, php5-gd and 
php5-sqlite in there and followed instructions from 
http://owncloud.org/support/install/ to install OC-4.0.1.

What strikes me as odd is that /var/www/ isn't owned by www-data by default and 
extracting the http://download.owncloud.org/releases/owncloud-4.0.1.tar.bz2 file 
into /var/www/ will create a bunch of files/directories with nobody:nogroup as 
its default permissions, which (afaik) only lets apache read it because all the 
files/directories are world-readable ?!!

Also noticed that the install instructions are incorrect, since in step 2.2 
you're supposed to set config and data to www-data:www-data, while the data 
directory isn't created (yet).
When running the installation from http://oc-upstream/owncloud/ the data 
directory gets created with www-data:www-data ownership; the .htaccess file is 
still nobody:nogroup though.

When trying to change the maximum upload size, I see the same behaviour as 
reported earlier.

However, in an earlier attempt/vm I changed ownership of /var/www to 
www-data:www-data before extracting/configuring owncloud and then all 
permissions were www-data:www-data (including .htaccess) and then the feature 
does work, by writing the changed value to the .htaccess file.
So that means that www-data needs write access to .htaccess in order for the 
feature to work.

I'm not (yet) going to report this upstream, since I find the out-of-the-box 
behaviour of apache2 rather weird: nobody:nogroup ownership in /var/www and 
below looks like an error in apache2, but maybe it's expected for a Debian admin 
to set it up properly, whatever that entails.
So I'm not sure the issue is with apache2 or the admin of the machine/vm (=me).
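
The message above finds that the upload-size setting only takes effect when www-data can write .htaccess. As an added example (not part of the original message, and not ownCloud or Debian code), this shell script reports whether an account can modify .htaccess directly or can replace it through a writable parent directory, which is the case when all of /var/www is owned by www-data. The function names and the /var/www/owncloud path are assumptions, and `stat -c` (GNU coreutils or BusyBox) is required.

```shell
#!/bin/sh
# Added example (not from the original message). Judges by owner/group/other
# mode bits only; POSIX ACLs, the sticky bit and root's override are ignored.

# mode_grants UID "GID LIST" PATH WANT   (WANT: 2 = write, 3 = write+search)
mode_grants() {
    uid=$1 gids=$2 path=$3 want=$4
    info=$(stat -c '%u %g %a' "$path" 2>/dev/null) || return 2
    o_uid=${info%% *}; rest=${info#* }
    o_gid=${rest%% *}; perm=$((0${rest#* }))
    # The kernel consults exactly one triad: owner, else group, else other.
    if [ "$uid" = "$o_uid" ]; then
        triad=$(( (perm >> 6) & 7 ))
    elif case " $gids " in *" $o_gid "*) true ;; *) false ;; esac; then
        triad=$(( (perm >> 3) & 7 ))
    else
        triad=$(( perm & 7 ))
    fi
    [ $(( triad & want )) -eq "$want" ]
}

# audit_htaccess UID "GID LIST" DIR -> prints one verdict for DIR/.htaccess
audit_htaccess() {
    if mode_grants "$1" "$2" "$3/.htaccess" 2; then
        echo "file-writable"
    elif mode_grants "$1" "$2" "$3" 3; then
        # Write+search on the directory allows unlinking and recreating
        # the file, so read-only bits on .htaccess alone do not protect it.
        echo "replaceable-via-directory"
    else
        echo "read-only"
    fi
}

# audit_for_user NAME DIR -> resolves the account's ids, then audits
audit_for_user() {
    audit_htaccess "$(id -u "$1")" "$(id -G "$1")" "$2"
}

# Usage (assumed path): audit_for_user www-data /var/www/owncloud
```

A verdict of read-only matches the nobody:nogroup tree described in the message, where the setting silently fails; either of the other two verdicts means the web server account can change Apache directives for that directory.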

