[Pkg-owncloud-commits] [owncloud-doc] 57/110: updating strong permissions instructions
David Prévot
taffit at moszumanska.debian.org
Fri Feb 6 21:10:34 UTC 2015
This is an automated email from the git hooks/post-receive script.
taffit pushed a commit to branch master
in repository owncloud-doc.
commit 507026781f3fbe2fdcc2cfb9780ad14fad675204
Author: Carla Schroder <carla at owncloud.com>
Date: Tue Jan 6 13:05:45 2015 -0800
updating strong permissions instructions
---
admin_manual/installation/installation_wizard.rst | 83 +++++++++++++++++++++--
admin_manual/installation/linux_installation.rst | 4 +-
admin_manual/installation/source_installation.rst | 4 +-
admin_manual/maintenance/update.rst | 62 ++++++-----------
4 files changed, 103 insertions(+), 50 deletions(-)
diff --git a/admin_manual/installation/installation_wizard.rst b/admin_manual/installation/installation_wizard.rst
index 2fe8f07..25b9486 100644
--- a/admin_manual/installation/installation_wizard.rst
+++ b/admin_manual/installation/installation_wizard.rst
@@ -68,9 +68,9 @@ Database Choice
same username as you specified for the administrative user, plus an
``oc_`` prefix) and will use that for all subsequent database access.
- * There are restrictions as to what characters a database name
- may or may not contain, see the
- `MySQL Schema Object Names documentation`_ for details);
+ * There are restrictions as to what characters a database name may or may
+ not contain; see the
+ `MySQL Schema Object Names documentation`_ for details);
Finish Installation
~~~~~~~~~~~~~~~~~~~
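Review bot: The rewrapped bullet still ends with "for details);", and that closing parenthesis has no opening partner anywhere in the bullet, which begins at "There are restrictions". Since this hunk already changes the punctuation (comma to semicolon), either drop the stray ")" or open the parenthesis before "see the".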
@@ -83,9 +83,80 @@ Finish Installation
Setting Strong Directory Permissions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-For improved server security, you should set strong permissions on your
-ownCloud directories according to the **Setting Strong Directory Permissions**
-section of :doc:`source_installation`.
+For hardened security we highly recommend setting the permissions on your
+ownCloud directory as strictly as possible. These commands should be executed
+immediately after the initial installation. Your HTTP user must own at least the
+``config/``, ``data/`` and ``apps/`` directories in your ownCloud directory so
+that you can configure ownCloud, create, modify and delete your data files, and
+install apps via the ownCloud Web interface.
+
+You can find your HTTP user in your HTTP server configuration files. Or you can
+create a PHP page to find it for you. To do this, create a plain text file with
+a single line in it:
+
+ ``<?php echo exec('whoami'); ?>``
+
+Name it ``whoami.php`` and place it in your ``/var/www/html`` directory, and
+then open it in a Web browser, for example ``http://localhost/whoami.php``. You
+should see a single line in your browser page with the HTTP user name.
+
+* The HTTP user and group in Debian/Ubuntu is ``www-data``.
+* The HTTP user and group in Fedora/CentOS is ``apache``.
+* The HTTP user and group in Arch Linux is ``http``.
+* The HTTP user in openSUSE is ``wwwrun``, and the HTTP group is ``www``.
+
+.. note:: When using an NFS mount for the data directory, do not change its
+ ownership from the default. The simple act of mounting the drive will set
+ proper permissions for ownCloud to write to the directory. Changing
+ ownership as above could result in some issues if the NFS mount is
+ lost.
+
+The easy way to set the correct permissions is to copy and run this
+script. Replace the ``ocpath`` variable with the path to your ownCloud
+directory, and replace the ``htuser`` variable with your own HTTP user::
+
+ #!/bin/bash
+ ocpath='/var/www/owncloud'
+ htuser='www-data'
+
+ find ${ocpath}/ -type f -print0 | xargs -0 chmod 0640
+ find ${ocpath}/ -type d -print0 | xargs -0 chmod 0750
+
+ chown -R root:${htuser} ${ocpath}/
+ chown -R ${htuser}:root ${ocpath}/apps/
+ chown -R ${htuser}:root ${ocpath}/config/
+ chown -R ${htuser}:root ${ocpath}/data/
+
+ chown ${htuser}:root ${ocpath}/.htaccess
+ chown root:${htuser} ${ocpath}/data/.htaccess
+
+If you have customized your ownCloud installation and your filepaths are
+different than the standard installation, then modify this script accordingly.
+
+This lists the recommended modes and ownership for your ownCloud directories
+and files:
+
+* All files should be read-write for the file owner, read-only for the
+ group owner, and zero for the world
+* All directories should be executable (because directories always need the
+ executable bit set), read-write for the directory owner, and read-only for
+ the group owner
+* The :file:`/` directory should be owned by ``root:[HTTP user]``
+* The :file:`apps/` directory should be owned by ``[HTTP user]:root``
+* The :file:`config/` directory should be owned by ``[HTTP user]:root``
+* The :file:`data/` directory should be owned by ``[HTTP user]:root``
+* The :file:`[ocpath]/.htaccess` file should be owned by ``[HTTP user]:root``
+* The :file:`data/.htaccess` file should be owned by ``root:[HTTP user]``
+
+For example, on Ubuntu Linux these commands set the ownership and permissions
+on the :file:`data/` directory::
+
+ $ sudo chown -R www-data:root /var/www/owncloud/data
+ $ sudo chmod 0750 /var/www/owncloud/data
+
+All new files in the :file:`data/` directory automatically inherit the correct
+permissions, 0640,
+
Trusted Domains
~~~~~~~~~~~~~~~
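Review bot: The script puts ``${htuser}`` in the group position in ``chown -R root:${htuser} ${ocpath}/`` and ``chown root:${htuser} ${ocpath}/data/.htaccess``, but the list just above it says the openSUSE HTTP user is ``wwwrun`` and the HTTP group is ``www``, so an admin who sets ``htuser`` as instructed gets the wrong group there. Add a separate ``htgroup`` variable and use it wherever a group is meant. In the same script, quote the expansions (``"${ocpath}"``) so a path containing spaces is not split. Three documentation points in the same hunk: the ``whoami.php`` steps never tell the admin to delete the file from ``/var/www/html`` once the user name is known; the directory bullet calls the group "read-only" while the script sets 0750, which gives the group read and execute; and the last added sentence stops at "permissions, 0640," with a trailing comma and no ending.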
diff --git a/admin_manual/installation/linux_installation.rst b/admin_manual/installation/linux_installation.rst
index ed6ede2..74e2ebd 100644
--- a/admin_manual/installation/linux_installation.rst
+++ b/admin_manual/installation/linux_installation.rst
@@ -14,7 +14,9 @@ repository, download and install the repository signing key, and install
ownCloud. Then run the Installation Wizard to complete your installation. (see
:doc:`installation_wizard`).
-If your distribution is not listed, your Linux distribution may maintain its own ownCloud packages, or you may prefer to install from source code (see :doc:`source_installation`).
+If your distribution is not listed, your Linux distribution may maintain its own
+ownCloud packages, or you may prefer to install from source code (see
+:doc:`source_installation`).
.. _openSUSE Build Service: http://software.opensuse.org/download.html?project=isv:ownCloud:community&package=owncloud
diff --git a/admin_manual/installation/source_installation.rst b/admin_manual/installation/source_installation.rst
index 32d1014..6899625 100644
--- a/admin_manual/installation/source_installation.rst
+++ b/admin_manual/installation/source_installation.rst
@@ -153,7 +153,9 @@ Installation Wizard
Finish setting up your ownCloud server by following
the :doc:`installation_wizard`.
-After running the Installation Wizard your ownCloud installation is complete. However, you should perform the following steps to improve your server's security.
+After running the Installation Wizard your ownCloud installation is complete.
+However, you should perform the following steps to improve your server's
+security.
Setting Strong Directory Permissions
------------------------------------
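Review bot: The context lines after this rewrap show that ``source_installation.rst`` keeps its own "Setting Strong Directory Permissions" section, while this commit adds a full copy of the instructions to ``installation_wizard.rst`` and points ``update.rst`` at that copy. The diffstat shows only the 4 rewrap lines changing in this file, so the two sections are now maintained separately and can drift apart. Replace one of them with a ``:doc:`` reference to the other, as the wizard page did before this change.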
diff --git a/admin_manual/maintenance/update.rst b/admin_manual/maintenance/update.rst
index 2412e5c..18eb4c0 100644
--- a/admin_manual/maintenance/update.rst
+++ b/admin_manual/maintenance/update.rst
@@ -15,9 +15,10 @@ Major releases are indicated by the first and second digits. So 4.5.0, 5.0.0,
6.0.0, and 7.0.0 are major releases. The Updater app is not for upgrades;
please see :doc:`upgrade` for instructions on upgrading to a major release.
-If you installed ownCloud from your Linux distribution repositories using your
-package manager, then it is best to update/upgrade ownCloud using your package
-manager and staying in sync with your distro updates, rather than using the
+If you installed ownCloud from our `openSUSE Build Service repositories,`
+<https://software.opensuse.org/download/package?project=isv:ownCloud:community&
+package=owncloud>`_ or your own Linux distribution repositories, then it is best
+to update/upgrade ownCloud using your package manager rather than using the
Updater app or upgrading manually. You should still maintain regular backups
(see :doc:`backup`), and make a backup before every update/upgrade.
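Review bot: The hyperlink in the added lines is malformed: the backtick closes right after "repositories," so the ``<https://...>`_`` that follows sits outside the link text and will not render as a link. Keep the link text and the angle-bracketed URL inside one pair of backticks, with the comma after the closing underscore, or define a named target at the foot of the file the way ``linux_installation.rst`` does with ``.. _openSUSE Build Service:``.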
@@ -55,17 +56,7 @@ steps:
always have your own current backups (See :doc:`backup` for details.)
3. Verify that the HTTP user on your system can write to your whole ownCloud
- directory; on a stock Linux installation this is the ``www-data`` or
- ``apache`` user on systems that are running the Apache HTTP server. You can
- find your HTTP user in your HTTP server configuration files. Or you can
- create a PHP page to find it for you. To do this, create a plain text file
- with this single line in it:
-
- ``<?php echo exec('whoami'); ?>``
-
- Name it ``whoami.php`` and place it in your Web root directory, for example ``/var/www/html``, and then open it in a Web browser, for example
- ``http://servername/whoami.php``. You should see a single line in your
- browser page with the HTTP user name.
+ directory; see the
4. Navigate to your 'Admin' page and click the 'Update Center' button under
Updater:
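Review bot: Step 3 now ends at "directory; see the" with nothing after it; the reference that should follow was lost when the ``whoami.php`` text was removed. Complete the sentence before step 4 begins, for example with the ``setting_strong_permissions`` target that step 6 already references.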
@@ -77,11 +68,9 @@ steps:
.. figure:: ../images/updater-3.png
6. Click Update, and carefully read the messages. If there are any problems it
- will tell you. The most common issue is directory permissions; see :ref:`setting_strong_permissions`.
-
-
- otherwise you will see a message about checking your
- installation, making a backup, and moving files:
+will tell you. The most common issue is directory permissions; see
+:ref:`setting_strong_permissions`. Otherwise you will see a message about
+checking your installation, making a backup, and moving files:
.. figure:: ../images/updater-4.png
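Review bot: The three added continuation lines of step 6 start at column 0 ("+will tell you. ..."), whereas the removed lines they replace were indented under the list item. In reStructuredText an unindented line ends the enumerated item, so the rest of step 6 falls out of the list. Indent the three lines to align with the text after "6.".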
@@ -109,30 +98,19 @@ learn how to upgrade manually.
Setting Strong Permissions
--------------------------
-
-The generic command to change ownership of all files and subdirectories in a
-directory is::
+
+For hardened security we highly recommend setting the permissions on your
+ownCloud directory as strictly as possible. These commands should be executed
+immediately after the initial installation. Please follow the steps in the
+**Setting Strong Directory Permissions** section of
+:doc:`../installation/installation_wizard`.
+
+These strict permissions will prevent the Updater app from working, as it needs
+your whole ownCloud directory to be owned by the HTTP user. The generic command
+to change ownership of all files and subdirectories in a directory to the HTTP
+user is::
chown -R <http-user>:<http-user> /path/to/owncloud/
-
-For hardened security we highly recommend setting the permissions on your ownCloud directory as strictly
-as possible. These commands should be executed immediately after the initial installation::
-
- chown -R root:root /path/to/owncloud/
- chmod -R 755 /path/to/owncloud/
- chown <http-user>:<http-user> /path/to/owncloud/config/
- chmod 0750 /path/to/owncloud/config/
- chown <http-user>:<http-user> /path/to/owncloud/config/config.php
- chmod 750 /path/to/owncloud/config/config.php
- chown -R <http-user>:<http-user> /path/to/owncloud/data/
- chmod -R 750 /path/to/owncloud/data
- chown root:root /path/to/owncloud/data/.htaccess
- chmod 755 /path/to/owncloud/data/.htaccess
- chown <http-user>:<http-user> /path/to/owncloud/apps/
- chmod 750 /path/to/owncloud/apps/
-
-These strict permissions will prevent the Updater app from working, as it needs your whole
-ownCloud directory to be owned by the http-user, like these examples:
* This example is for Ubuntu 14.04 LTS server::
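Review bot: In the rewritten section the sentence "These commands should be executed immediately after the initial installation" no longer has any commands to refer to, because the strict ``chown``/``chmod`` block is removed and the only command left is the ``chown -R <http-user>:<http-user>`` that loosens ownership for the Updater. A reader skimming the section could take that command for the hardening step. Drop or reword the sentence so it points only at the wizard section, and set the loosening command apart under its own lead-in or a ``.. warning::``. The generic command also puts ``<http-user>`` in the group position, while the openSUSE example further down uses ``wwwrun:www``; ``<http-user>:<http-group>`` would match it.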
@@ -150,7 +128,7 @@ ownCloud directory to be owned by the http-user, like these examples:
chown -R wwwrun:www /path/to/owncloud/
-After the Updater app has run, you should re-apply the strict permissions.
+After the Updater app has run, you should re-apply the strict permissions.
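Review bot: The re-apply sentence on the last line of this hunk does not say where the strict permissions are defined, and it is the step that ends the period in which the HTTP user owns the whole ownCloud tree. Add a reference to the "Setting Strong Directory Permissions" section of ``installation_wizard.rst`` so the admin re-runs the same script.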
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud-doc.git