diff --git a/admin_manual/installation/installation_source.rst b/admin_manual/installation/installation_source.rst index 5402451d0..c68635a04 100644 --- a/admin_manual/installation/installation_source.rst +++ b/admin_manual/installation/installation_source.rst @@ -147,17 +147,16 @@ Now download the archive of the latest ownCloud version: document root of your Web server. Typically, on Ubuntu systems this ``/var/www/owncloud``, so your copying command is:: - cp -r owncloud /var/www/` + cp -r owncloud /var/www/ -Set the Directory Permissions ------------------------------ +Setting Secure Directory Permissions +------------------------------------ Your HTTP user must own at least the ``config/``, ``data/`` and ``apps/`` directories in your ownCloud directory so that you can configure ownCloud, create, modify and delete your data files, and install apps -via the ownCloud Web interface. If you are planning to use the automatic -updater app for updating ownCloud, the whole ``owncloud/`` directory must be -writable by the HTTP user. +via the ownCloud Web interface. We recommend setting the directory +permissions as strictly as possible for stronger security. You can find your HTTP user in your HTTP server configuration files. Or you can create a PHP page to find it for you. To do this, create a plain text file with @@ -166,7 +165,7 @@ a single line in it: ```` Name it ``whoami.php`` and place it in your ``/var/www/html`` directory, and -then open it in a Web browser, for example ``http://servername/whoami.php``. You +then open it in a Web browser, for example ``http://localhost/whoami.php``. You should see a single line in your browser page with the HTTP user name. .. note:: When using an NFS mount for the data directory, do not change 
@@ -175,10 +174,22 @@ should see a single line in your browser page with the HTTP user name. ownership as above could result in some issues if the NFS mount is lost. -* The generic command to change ownership of all files and subdirectories in a - directory is:: +The generic command to change ownership of all files and subdirectories in a +directory is:: chown -R : /path/to/owncloud/ + +For hardened security we highly recommend setting the permissions on your ownCloud directory as strictly +as possible. These commands should be executed immediately after the initial installation:: + + chown -R root:root /path/to/owncloud/ + chown : /path/to/owncloud/config/config.php + chown -R : /path/to/owncloud/data/ + chown root:root /path/to/owncloud/data/.htaccess + chown : /path/to/owncloud/apps/ + +These strict permissions will prevent the Updater app from working. If you use the Updater app, it needs your whole +ownCloud directory to be owned by the http-user, like these examples: * This example is for Ubuntu 14.04 LTS server:: @@ -195,6 +206,8 @@ should see a single line in your browser page with the HTTP user name. * openSUSE:: chown -R wwwrun:www /path/to/owncloud/ + +After the Update app has run, you should re-apply the strict permissions. Apache is the recommended Web server. @@ -401,4 +414,4 @@ See :doc:`configuration_yaws` **Hiawatha Configuration** -See :doc:`configuration_hiawatha` \ No newline at end of file +See :doc:`configuration_hiawatha`
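Review bot: In the hunk at ``@@ -147,17 +147,16 @@``, the retained sentence still says the HTTP user "must own at least the ``config/``, ``data/`` and ``apps/`` directories", which disagrees with the strict commands added later in this patch. Those commands give the HTTP user only ``config/config.php`` and a non-recursive ``apps/``, leaving ``config/`` itself owned by root. Align the paragraph with the commands, or the commands with the paragraph, so the reader is not given two different minimums. The new sentence "We recommend setting the directory permissions as strictly as possible" would also be more useful if it pointed at the command list further down instead of standing as a general recommendation.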
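Review bot: In the hunk at ``@@ -166,7 +165,7 @@``, replacing ``http://servername/whoami.php`` with ``http://localhost/whoami.php`` only works when the browser runs on the server itself, which is not the case when the server is administered remotely. Keep a placeholder host name, or say explicitly that the request has to be made from the server. Since the file exists only to print the HTTP user name, also add a sentence telling the admin to delete ``whoami.php`` once it has been used.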
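Review bot: In the hunk at ``@@ -175,10 +174,22 @@``, the added paragraph promises strict "permissions", but every added command is a ``chown`` and no mode bits are set, so the result depends on whatever modes the unpacked archive already has. Either add the intended ``chmod`` values or reword the paragraph to say "ownership". Please also state that the order of the commands matters: ``chown root:root /path/to/owncloud/data/.htaccess`` has to run after the recursive ``chown -R`` on ``data/``, otherwise it is undone. Two style points: the new paragraphs run well past the line width used in the rest of the file, and they say "http-user" where the surrounding text says "HTTP user".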
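Review bot: In the hunk at ``@@ -195,6 +206,8 @@``, the added line says "Update app" while the paragraph added earlier in this patch says "Updater app"; use one name throughout. The sentence also sits directly above "Apache is the recommended Web server." with nothing to say what "the strict permissions" are, so refer back to the command list. Consider making it a ``.. note::``, because leaving the whole tree owned by the HTTP user after an update undoes the hardening.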