oC Users files visible to system admin

user_management
help

#1

Steps to reproduce
1. Access the file system via FTP or network explorer (i.e. Windows Explorer or WinSCP).
2. Browse to the ownCloud folders and find users' data.
3. Data can be seen/copied immediately, violating users' privacy.

Expected behaviour
The folders containing the data shouldn't be accessible or should be encrypted.

Actual behaviour
Data is easily accessible.

Server configuration
Operating system: Netgear ReadyNAS 6.6.0
Web server:
Database:
PHP version:
ownCloud version (see ownCloud admin page): 9,1,3-rnx2
Updated from an older ownCloud or fresh install:
Special configuration (external storage, external authentication, reverse proxy, server-side-encryption):

ownCloud is installed on a Netgear ReadyNAS, configured to work only locally.


#2

Yes, indeed, the system admin can see the user data even when encryption is turned on.
This isn't a bug. You can find more in the ownCloud Manual:

"Encryption keys are stored only on the ownCloud server, eliminating exposure of your data to third-party storage providers. The encryption app does not protect your data if your ownCloud server is compromised, and it does not prevent ownCloud administrators from reading user’s files. This would require client-side encryption, which this app does not provide. If your ownCloud server is not connected to any external storage services then it is better to use other encryption tools, such as file-level or whole-disk encryption.
Note also that SSL terminates at or before Apache on the ownCloud server, and all files will exist in an unencrypted state between the SSL connection termination and the ownCloud code that encrypts and decrypts files. This is also potentially exploitable by anyone with administrator access to your server. Read How ownCloud uses encryption to protect your data for more information." (https://doc.owncloud.org/server/9.1/admin_manual/configuration_files/encryption_configuration.html?highlight=encryption)


#3

Thanks, yes, I got it.
I was missing the part about logging out and in again to create keys. It was working fine. I understood the risks of having the encryption on.