Prevent root access local storage


#1

Hello, I'm running Owncloud 10.0.7. I'm considering enabeling local storage, it would make my life a lot easier. BUT.. I'm worried that if I enable this feature and get hacked for some reason?

I've got owncloud installed in /var/www/owncloud/

If I wanna share /mounta/blablabla/ and get hacked. What is to stop the person that would get access to my admin account from giving themselves access to / and then get 100% access to my server..

Keep in mind I am rather new to linux and learning as I go.. I'm using https mind you and just using the server for personal use so threatlevel is rarther small for this happeing. Still, I am just curious if there is a way to prevent what is allowed to be sharerd by local share in my version of Owncloud.

Thanks!


#2

Hi,

If the hacker doesn't know your password - how should he gain root privileges?

Also - what is your goal? Why do you want to share a mount/folder?


#3

That is a really valid point. He won't be able to do anything to my system without the root password but it still scares me exposing my server like that. I would prefer it if I set a second level of root share in the configfile instead of being able to implement such a deep access to the server through web interface. Does that make sense?

The goal is to be able to access some of my locally stored files where ever I am in a smooth graphically appealing way that I find oc to be..


#4

I think your concerns are the reason why there is an config.php option "files_external_allow_create_new_local" listed here:

https://doc.owncloud.org/server/latest/admin_manual/configuration/files/external_storage/local.html

which you need to setup before you can mount local storages.


#5

Yea. I had to add that code to my configfile to allow the local storage in the first place.. However it addresses none of the security issues.. Or am I wrong. Is there a way to add a share to an account purly via code and then disable the gui storage share method?


#6

If there are no additional configuration option available at the mentioned documentation then i think those doesn't exist.

Maybe you need to take measures outside of ownCloud to avoid the scenario you're fearing? e.g. it could be possible that PHP or your webserver is providing additional security mechanisms which prevents PHP software like ownCloud to access the root directory of your drive.


#7

The attack vector in question here is really the ownCloud admin. We do prevent by default that the ownCloud admin puts non approved, non marketplace code into the system which the system administrator might not want. As it sounds like you have both roles by yourself there is no challenge for you.