Securely installing ownCloud
Tags: howtos, security, projects
In my quest for alternatives to Google Contacts and Google Calendar, I finally encountered ownCloud. Briefly put, this awesome software allows me to store my personal data (calendars, contacts, files, and much more) on my own server, while providing access through a number of well-defined protocols such as CalDAV. ownCloud is written in PHP, which I do not consider to be a very secure platform. To ensure that my server is not too vulnerable, I decided to secure my ownCloud installation.
Disabling some PHP features
I you have not already done so, you should disable the following PHP features
globally, for example using
register_globals = Off magic_quotes_gpc = Off magic_quotes_runtime = Off magic_quotes_sybase = Off
In my setup, ownCloud is hosted as its own Apache virtual host. In the virtual
host configuration file, I disabled arbitrary directory operations by issuing
php_admin_value open_basedir /path/to/vhost. This limits ownCloud’s PHP file
accesses to the specified directory tree.
By default, Apache uses a
www-data user and group to interact with the content
it serves. I wanted to have unique users for every virtual host as this
severely decreases the impact of a break-in. To this end, I installed the
apache2-mpm-itk package under Debian. This a version of Apache that allows
you to run every vhost with a separate UID and GID. Files used by one vhost
thus need not be accessible or even readable by the other vhosts!
After the installation, I added a section for the new module in each vhost
configuration file. For the ownCloud vhost, for example, I created a user and a
owncloud, set the user shell to
/usr/sbin/nologin, and added the
following to the configuration file:
<IfModule mpm_itk_module> AssignUserId owncloud owncloud </IfModule>
This requires the proper permissions for all files in the ownCloud data directory.
I do not claim that my server can withstand a full-fledged attack, but I like to believe that my ownCloud installation now at least has a fighting chance to survive the onslaught brought on by automated “hacker” tools (quotes for the obvious reason that I do not believe that these tools are part of the real hacker philosophy). Have fun playing with ownCloud.
Some additional resources: