LinuxQuestions.org
11-25-2015, 06:31 AM   #1
Kropotkin
Member
 
Registered: Oct 2004
Location: /usr/home
Distribution: Mint, Ubuntu server, FreeBSD, Android
Posts: 362

Rep: Reputation: 32
ownCloud: run occ only as webserver user


Hi all,

I'm running OwnCloud v8.2.1 on my FreeBSD server.

As those of you who use owncloud may know, the package includes a command-line utility to perform various maintenance tasks that is quite useful.

For some reason, the script was changed a while back so that it only runs as the apache user. I had quite a bit of difficulty getting the syntax correct but finally I figured out that this works:

Code:
$ sudo su -m www -c './occ status'

But some commands I still can't get working again:

Code:
$ sudo su -m www -c './occ files:scan --all'
Home storage for user root not writable
Make sure you're running the scan command only as the user the web server runs as

Aside from the specifics of this, which I should probably ask about on the owncloud forums, I am trying to understand the security benefits of forcing a script like this to be run as the apache user. As a server admin, I take security seriously, but the idea behind this strategy completely eludes me. I've never encountered it on a server before. Normally, one can run anything as root, no?

Can someone enlighten me?

Thanks
 
11-26-2015, 02:07 AM   #2
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Rep: Reputation: 477
The error "Home storage for user root not writable" is claiming that the script can't access /root. It wouldn't be able to because only the root user should have access.

Normally one can run anything as root. However, nothing is stopping a program from forcing you to run it as a non-root user. It's as simple as:

Code:
#!/bin/bash
# Refuse to run as root. Check the effective UID rather than $USER,
# which is only an environment variable and may be stale or unset.
if [ "$(id -u)" -eq 0 ]; then
  echo 'Must not be run as root.' 1>&2
  exit 1
fi

It seems odd that a script which requires you to run as a normal user would try to access the /root home. I would consider that a bug or malicious. Read the documentation, search for existing issues, or file a new bug if no issue exists. It sounds like the behavior is counter to what you describe.
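
Added example, not part of the thread and not ownCloud's own code: a POSIX shell wrapper sketching why a maintenance tool gets tied to the web server account. It compares the invoking UID with the owner of the application's config file and counts entries under the data directory that belong to anyone else, which is what a run as root leaves behind. The `config/config.php` and `data/` paths and all function names are assumptions.

```shell
#!/bin/sh
# Added illustration; not ownCloud's own code. Function names are hypothetical.
# Assumed layout: <app_dir>/config/config.php and <app_dir>/data.

# Numeric UID that owns a path (field 3 of `ls -ldn`; works on GNU and BSD).
owner_uid() {
  ls -ldn -- "$1" | awk '{print $3}'
}

# Succeeds only if UID $1 owns the config file $2.
may_run_as() {
  [ -e "$2" ] && [ "$1" = "$(owner_uid "$2")" ]
}

# Counts entries under directory $2 that are NOT owned by UID $1.
# A maintenance run as root leaves such entries behind, and the web
# server account may then be unable to write to them.
foreign_entries() {
  find "$2" ! -user "$1" | wc -l | tr -d ' '
}

# Runs a command from the application directory only when the invoking
# UID owns the config file; warns about foreign-owned data first.
guarded_run() {
  app_dir=$1; shift
  cfg="$app_dir/config/config.php"
  if ! may_run_as "$(id -u)" "$cfg"; then
    echo "refusing: run as the owner of $cfg (uid $(owner_uid "$cfg"))" >&2
    return 1
  fi
  n=$(foreign_entries "$(id -u)" "$app_dir/data")
  [ "$n" -eq 0 ] || echo "warning: $n entries under data/ have another owner" >&2
  ( cd "$app_dir" && "$@" )
}

# Usage: sh guard.sh /path/to/app ./occ status
if [ "$#" -ge 2 ]; then
  guarded_run "$@"
fi
```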