[Pkg-owncloud-commits] [owncloud-doc] 85/110: Add section on how owncloud manages external mount passwords
David Prévot
taffit at moszumanska.debian.org
Fri Feb 6 21:10:38 UTC 2015
This is an automated email from the git hooks/post-receive script.
taffit pushed a commit to branch master
in repository owncloud-doc.
commit 9884a34c6cf1435d73d2318b5874695471a04320
Author: Carla Schroder <carla at owncloud.com>
Date: Wed Jan 21 16:53:00 2015 -0800
Add section on how owncloud manages external mount passwords
---
.../external_storage_configuration.rst | 59 +++++++++++++++++++++-
.../external_storage_configuration_gui.rst | 4 ++
2 files changed, 62 insertions(+), 1 deletion(-)
diff --git a/admin_manual/configuration/external_storage_configuration.rst b/admin_manual/configuration/external_storage_configuration.rst
index af08a1a..d0ada6e 100644
--- a/admin_manual/configuration/external_storage_configuration.rst
+++ b/admin_manual/configuration/external_storage_configuration.rst
@@ -1,3 +1,4 @@
+=================================================
Configuring External Storage (Configuration File)
=================================================
@@ -383,7 +384,63 @@ Example
"priority":100
}
-
+External Storage Password Management
+------------------------------------
+
+ownCloud handles passwords for external mounts differently than regular
+ownCloud user passwords.
+
+The regular user and file share passwords (when you use the default ownCloud
+user backend) are stored using a strong cryptographically secure hashing
+mechanism in the database. On a new user account with a new password, the
+password is hashed and stored in the ownCloud database. The plain-text password
+is never stored. When the user logs in, the hash of the password they enter is
+compared with the hash in the database. When the hashes match the user is
+allowed access. These are not recoverable, so when a user loses a password the
+only option is to create a new password.
+
+Passwords which are used to connect against external storage (e.g.
+SMB or FTP), there we have to differentiate again between different
+implementations:
+
+1. **Login with ownCloud credentials**
+
+When a mountpoint has this option, for example ``SMB / CIFS using OC login``,
+the password will be intercepted when a user logs in and written to the PHP
+session (which is a file on the filesystem), and written encrypted into the
+session with a key from the configuration file. Every time that password is
+required ownCloud reads it from the PHP session file.
+
+When you use this option, features such as sharing will not work properly from
+that mountpoint when the user is not logged-in.
+
+Depending on the implementation of the application, this means that the password
+could get leaked in the ``ps`` output, as we use ``smbclient`` for SMB storage
+access in the community version. There is a `bug report on this
+<https://github.com/owncloud/core/issues/6092>`_. Consequently, we're currently
+evaluating an alternative approach accessing the library directly, and thus not
+leaking the password anymore. This is already implemented in the Enterprise
+Edition in our Windows Network Drive application, and it will get into the
+community version once we have streamlined the code of the ``files_external``
+application a little bit more.
+
+2. **Stored credentials**
+
+When you enter credentials into the ``files_external`` dialog those are stored
+on the filesystem and encrypted with a key stored in ``config.php``. This is
+required since ownCloud needs access to those files and shares even when the
+user is not logged-in to have sharing and other key features properly working.
+
+To sum up:
+
+The "login with ownCloud credentials" SMB function in the community edition
+exposes the password in the system's process list. If you want to get around
+this limitation without waiting for it to be addressed in CE you can get
+the Enterprise Edition. However, even then the password is stored in the PHP
+session and a malicious admin could access it. You can protect your PHP session
+files using protections available in your filesystem. Stored credentials are
+always accessible to the ownCloud instance.
+
.. _Amazon S3: http://aws.amazon.com/de/s3/
.. _Dropbox: https://www.dropbox.com/
.. _Google Drive: https://drive.google.com/start
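Review bot: the blank line removed at the top of this hunk (the `-` line right after `}`) should be kept, because the new `External Storage Password Management` heading otherwise directly follows the JSON example; if that example is an indented literal block, docutils emits "Literal block ends without a blank line; unexpected unindent." at that point. Two wording points in the same hunk: `Passwords which are used to connect against external storage (e.g. SMB or FTP), there we have to differentiate again between different implementations:` is not a sentence, and something like `For passwords used to connect to external storage (e.g. SMB or FTP), two implementations must be distinguished:` reads better. The summary `the password is stored in the PHP session and a malicious admin could access it` is less precise than the hunk's own description above it, which says the session copy is written encrypted with a key from the configuration file; stating in the summary that reading it requires both the session file and the key in `config.php` would make the threat model consistent with the `Stored credentials` paragraph, which already describes the same dependency on `config.php`.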
diff --git a/admin_manual/configuration/external_storage_configuration_gui.rst b/admin_manual/configuration/external_storage_configuration_gui.rst
index 0bca95b..9df448c 100644
--- a/admin_manual/configuration/external_storage_configuration_gui.rst
+++ b/admin_manual/configuration/external_storage_configuration_gui.rst
@@ -28,6 +28,10 @@ ownCloud admins may mount these external storage services and devices:
ownCloud users can be given permission to mount any of these, except local
storage.
+To understand how ownCloud manages passwords for external mounts, and the
+security implications, see the **External Storage Password Management** section
+of :doc:`external_storage_configuration`.
+
Enabling External Storage Support
---------------------------------
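Review bot: the cross-reference in the added paragraph names the target section as bold text, `**External Storage Password Management** section of :doc:`external_storage_configuration``, which Sphinx does not check and which silently goes stale if that heading is ever renamed. Consider adding an explicit label (for example `.. _external-storage-password-management:`) above the new section in external_storage_configuration.rst and linking to it with `:ref:` instead, so the target is resolved at build time and a missing section produces a warning rather than a dead pointer.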
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-owncloud/owncloud-doc.git