LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-25-2015, 07:31 AM   #1
Kropotkin
Member
 
Registered: Oct 2004
Location: /usr/home
Distribution: Linux Mint, FreeBSD, Android
Posts: 356

Rep: Reputation: 32
ownCloud: run occ only as webserver user


Hi all,

I'm running OwnCloud v8.2.1 on my FreeBSD server.

As those of you who use owncloud may know, the package includes a command-line utility to perform various maintance tasks that is quite useful.

For some reason, the script was changed awhile back so that it only runs as the apache user. I had quite a bit of difficulty getting the syntax correct but finally I figured out that this works:

Code:
$ sudo su -m www -c './occ status'
But some commands I still can't get working again:
Code:
$ sudo su -m www -c './occ files:scan --all'
Home storage for user root not writable
Make sure you're running the scan command only as the user the web server runs as
Aside from the specifics of this, which I should probably ask about on the owncloud forums, I am trying to understand the security benefits of forcing a script like this to be run as the apache user. As a server admin, I take security seriously, but the idea behind this strategy completely eludes me. I've never encountered it on a server before. Normally, one can run anything as root, no?

Can someone enlighten me?

Thanks
 
Old 11-26-2015, 03:07 AM   #2
sag47
Senior Member
 
Registered: Sep 2009
Location: Orange County, CA
Distribution: Kubuntu x64, Raspbian, CentOS
Posts: 1,856
Blog Entries: 36

Rep: Reputation: 456Reputation: 456Reputation: 456Reputation: 456Reputation: 456
Quote:
Originally Posted by Kropotkin View Post
Hi all,

I'm running OwnCloud v8.2.1 on my FreeBSD server.

As those of you who use owncloud may know, the package includes a command-line utility to perform various maintance tasks that is quite useful.

For some reason, the script was changed awhile back so that it only runs as the apache user. I had quite a bit of difficulty getting the syntax correct but finally I figured out that this works:

Code:
$ sudo su -m www -c './occ status'
But some commands I still can't get working again:
Code:
$ sudo su -m www -c './occ files:scan --all'
Home storage for user root not writable
Make sure you're running the scan command only as the user the web server runs as
Aside from the specifics of this, which I should probably ask about on the owncloud forums, I am trying to understand the security benefits of forcing a script like this to be run as the apache user. As a server admin, I take security seriously, but the idea behind this strategy completely eludes me. I've never encountered it on a server before. Normally, one can run anything as root, no?

Can someone enlighten me?

Thanks
The error "Home storage for user root not writable" is claiming that script can't access /root. It wouldn't be able to because only the root user should have access.

Normally one can run anything as root. However, nothing is stopping a program forcing you to run it as a non-root user. It's as simple as:

Code:
#!/bin/bash
if [ 'root' = "$USER" ]; then
  echo 'Must not be run as root.' 1>&2
  exit 1
fi
It seems odd that a script which requires you to run as a normal user would try to access the /root home. I would consider that a bug or malicious. Read the documentation, search for existing issues, or file a new bug if no issue exists. It sounds like the behavior is counter to what you describe.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: ownCloud Community Comes Up Big Delivering ownCloud 7 Community Edition LXer Syndicated Linux News 0 08-05-2014 07:30 PM
Move owncloud 4 to owncloud 5 to a different server the_bigbalu Linux - Server 2 05-28-2013 02:31 AM
Securing OwnCloud and granting my user permission to the files xmrkite Linux - Software 3 02-12-2013 06:54 PM
LXer: ownCloud Inc. and the ownCloud community LXer Syndicated Linux News 0 12-16-2011 12:50 PM
Best distro for webserver run from CD only? goony Linux - Software 2 12-07-2005 09:30 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:26 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration