File sharing vs encryption


#1

Steps to reproduce

  1. Share a directory with a group.
  2. Pick one: a user from the group has their password reset, or a new user is added to the group.
  3. User from group can dig through shared directory, but can't access the files.

Expected behaviour

Normal downloading of files from shared directory.

Actual behaviour

User receives Error 503 Service Unavailable.

Server configuration

Operating system: CentOS 7

Web server: Apache 2.4

Database: MariaDB 10.1

PHP version: 7.0

ownCloud version: 10.0.3.3

Updated from an older ownCloud or fresh install: doesn't matter, the problem has existed for a very long time.

Where did you install ownCloud from: owncloud.org package repository

Signing status (ownCloud 9.0 and above): No errors have been found.

The content of config/config.php:

{
    "system": {
        "instanceid": "ocq8k0f5genj",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "xxx",
            "xxx",
            "xxx"
        ],
        "datadirectory": "\/owncloud\/data",
        "dbtype": "mysql",
        "version": "10.0.3.3",
        "dbname": "owncloud",
        "dbhost": "xxx",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "overwrite.cli.url": "https:\/\/xxx\/owncloud",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "filelocking.enabled": "true",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "xxx",
            "port": 6379
        },
        "mail_from_address": "owncloud",
        "mail_smtpmode": "smtp",
        "mail_domain": "xxx",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "xxx",
        "mail_smtpport": "465",
        "mail_smtpsecure": "ssl",
        "mail_smtpauthtype": "LOGIN",
        "theme": "",
        "maintenance": false,
        "loglevel": 2,
        "updatechecker": false,
        "htaccess.RewriteBase": "\/owncloud",
        "logtimezone": "Europe\/Warsaw",
        "lost_password_link": "disabled"
    }
}

List of activated apps:

Enabled:
  - activity: 2.3.6
  - comments: 0.3.0
  - configreport: 0.1.1
  - dav: 0.3.0
  - encryption: 1.3.0
  - federatedfilesharing: 0.3.1
  - federation: 0.1.0
  - files: 1.5.1
  - files_external: 0.7.1
  - files_pdfviewer: 0.8.2
  - files_sharing: 0.10.1
  - files_texteditor: 2.2.1
  - files_trashbin: 0.9.1
  - files_versions: 1.3.0
  - files_videoplayer: 0.9.8
  - firstrunwizard: 1.1
  - gallery: 16.0.2
  - market: 0.2.2
  - notifications: 0.3.1
  - provisioning_api: 0.5.0
  - systemtags: 0.3.0
  - templateeditor: 0.1
  - updatenotification: 0.2.1
Disabled:
  - external
  - files_antivirus
  - theme-example
  - user_external

Are you using external storage, if yes which one: No

Are you using encryption: Yes

Are you using an external user-backend, if yes which one: No

Client configuration

Browser: Doesn't matter

Operating system: Doesn't matter

Logs

Web server error log

Nothing interesting

ownCloud log (data/owncloud.log)

{"reqId":"WedC9mxXr6fVs3Hli3A8jgAAAAM","level":4,"time":"2017-10-18T14:03:03+02:00","remoteAddr":"195.80.131.38","user":"joanna.sobotka","app":"webdav","method":"GET","url":"\/remote.php\/webdav\/export-szkola.tar.gz","message":"Exception: {\"Message\":\"HTTP\\\/1.1 503 Encryption not ready: multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error\",\"Exception\":\"Sabre\\\\DAV\\\\Exception\\\\ServiceUnavailable\",\"Code\":0,\"Trace\":\"#0 \\\/var\\\/www\\\/html\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/CorePlugin.php(85): OCA\\\\DAV\\\\Connector\\\\Sabre\\\\File->get()\\n#1 [internal function]: Sabre\\\\DAV\\\\CorePlugin->httpGet(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#2 \\\/var\\\/www\\\/html\\\/lib\\\/composer\\\/sabre\\\/event\\\/lib\\\/EventEmitterTrait.php(105): call_user_func_array(Array, Array)\\n#3 \\\/var\\\/www\\\/html\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(479): Sabre\\\\Event\\\\EventEmitter->emit('method:GET', Array)\\n#4 \\\/var\\\/www\\\/html\\\/lib\\\/composer\\\/sabre\\\/dav\\\/lib\\\/DAV\\\/Server.php(254): Sabre\\\\DAV\\\\Server->invokeMethod(Object(Sabre\\\\HTTP\\\\Request), Object(Sabre\\\\HTTP\\\\Response))\\n#5 \\\/var\\\/www\\\/html\\\/apps\\\/dav\\\/appinfo\\\/v1\\\/webdav.php(63): Sabre\\\\DAV\\\\Server->exec()\\n#6 \\\/var\\\/www\\\/html\\\/remote.php(165): require_once('\\\/var\\\/www\\\/html\\\/a...')\\n#7 {main}\",\"File\":\"\\\/var\\\/www\\\/html\\\/apps\\\/dav\\\/lib\\\/Connector\\\/Sabre\\\/File.php\",\"Line\":344,\"User\":\"joanna.sobotka\"}"}

Browser log

Nothing interesting


#2

Both scenarios are very well known side effects of the basic encryption: https://doc.owncloud.org/server/latest/admin_manual/configuration/files/encryption_configuration.html
Both have workarounds, but if they don't work for you we recommend master key encryption or the implementation of a different PKI-based encryption module.
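The following Go program is an added illustration of why both scenarios named in the reply end in the 503 shown in the log above, where the PKCS#1 type 2 padding check fails inside multikeydecrypt. It is example code written for this thread, not the encryption app's own implementation: it models per-user-key encryption as the file's symmetric key wrapped once per recipient with RSA PKCS#1 v1.5 (the padding named in the error string), and the user names, the 32-byte file key and the `ResetPassword`/`Reshare` helpers are constructed for the demo. A password reset without a recovery key leaves the user with a new key pair that cannot unwrap the old share key, and a member added after the share has no share key at all; re-sharing for the current member list (the documented workaround) repairs both.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"errors"
	"fmt"
)

// User models one account under per-user-key encryption: an RSA key pair
// whose private half is unlocked by the user's login password.
type User struct {
	Name string
	Priv *rsa.PrivateKey
}

// SharedFile keeps the file's symmetric key wrapped once per recipient,
// which is what multikey encryption produces at share time.
type SharedFile struct {
	ShareKeys map[string][]byte // user name -> file key encrypted to that user's public key
}

// ErrNoShareKey is returned when the recipient has no share key at all,
// i.e. they joined the group after the share was created.
var ErrNoShareKey = errors.New("no share key for user")

// NewUser generates a fresh 2048-bit RSA key pair for the named account.
func NewUser(name string) (*User, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &User{Name: name, Priv: k}, nil
}

// ShareFile wraps fileKey for every member present at share time using
// RSA PKCS#1 v1.5; members added later are simply absent from the map.
func ShareFile(fileKey []byte, members []*User) (*SharedFile, error) {
	sf := &SharedFile{ShareKeys: map[string][]byte{}}
	for _, m := range members {
		ct, err := rsa.EncryptPKCS1v15(rand.Reader, &m.Priv.PublicKey, fileKey)
		if err != nil {
			return nil, err
		}
		sf.ShareKeys[m.Name] = ct
	}
	return sf, nil
}

// OpenFile is the recipient side: look up the caller's share key and unwrap it.
func OpenFile(sf *SharedFile, u *User) ([]byte, error) {
	ct, ok := sf.ShareKeys[u.Name]
	if !ok {
		return nil, fmt.Errorf("%s: %w", u.Name, ErrNoShareKey)
	}
	key, err := rsa.DecryptPKCS1v15(rand.Reader, u.Priv, ct)
	if err != nil {
		// A mismatched private key yields rsa.ErrDecryption: the PKCS#1
		// type 2 padding check fails, the same failure class as the log's 503.
		return nil, fmt.Errorf("multikeydecrypt with share key failed for %s: %w", u.Name, err)
	}
	return key, nil
}

// ResetPassword models an admin password reset without a recovery key: the
// old private key cannot be re-encrypted under the new password, so a new
// key pair replaces it and every existing share key for this user is orphaned.
func ResetPassword(u *User) error {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err
	}
	u.Priv = k
	return nil
}

// Reshare re-wraps the file key for the current member list, which is what
// the workaround of unsharing and sharing again achieves.
func Reshare(sf *SharedFile, fileKey []byte, members []*User) error {
	fresh, err := ShareFile(fileKey, members)
	if err != nil {
		return err
	}
	sf.ShareKeys = fresh.ShareKeys
	return nil
}

func main() {
	alice, _ := NewUser("alice")
	bob, _ := NewUser("bob")
	carol, _ := NewUser("carol") // constructed: joins the group after the share
	fileKey := bytes.Repeat([]byte{0x42}, 32) // constructed sample file key
	sf, _ := ShareFile(fileKey, []*User{alice, bob})
	_, err := OpenFile(sf, carol)
	fmt.Println("new member:", err)
	_ = ResetPassword(bob)
	_, err = OpenFile(sf, bob)
	fmt.Println("after reset:", err)
	_ = Reshare(sf, fileKey, []*User{alice, bob, carol})
	_, err = OpenFile(sf, bob)
	fmt.Println("after reshare:", err)
}
```

Running it prints the two failures (missing share key, then `crypto/rsa: decryption error` for the reset user) and `<nil>` once the share keys are regenerated for the current members, which is the state a master-key setup keeps permanently, since there the wrapping key never changes with user passwords or group membership.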