.htaccess writeable for www-data?

Hi community,

Is it really necessary that the .htaccess file is writeable for the user www-data?
I’m neither a security nor an Apache guru, but this is weird.
If an attacker finds a hole in Apache he is able to manipulate the .htaccess file!
What about assigning the file to root:root and changing to www-data:www-data when changing the configuration and afterwards reassigning to root:root? That’s a bit complicated, but in my eyes much safer. Or does it have to be writeable for www-data the whole time?

Bernd

I haven’t done research if the hardening docs have changed since the start of Nextcloud. Some years ago I found scripts that would change permissions on the nc-structure before and after upgrade. And actually I have .htaccess at chmod 644 and chown root:www-data.
That being said, the Nextcloud settings page will show all tests passed even if the permissions aren’t hardened. (The script changes other files to be owned by root.)
Best, Bernd
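
The ownership and mode described in the post above (`root:www-data`, 644) can be checked with a small audit function. This is an added example, not part of the original posts or of Nextcloud's own tooling. It assumes GNU `stat`, and the function names `has_w`, `can_write` and `audit_htaccess` are made up for illustration.

```shell
#!/bin/sh
# Added example: decide from owner, group and mode bits whether an account
# can write a file. ACLs, root, and write access to the parent directory
# (which allows replacing the file) are not modelled. Assumes GNU stat.

# has_w DIGIT -> 0 if the octal permission digit contains the write bit
has_w() { case $1 in 2|3|6|7) return 0 ;; *) return 1 ;; esac; }

# can_write MODE OWNER GROUP USER "USER_GROUPS" -> 0 if USER may write
can_write() {
    padded=$(printf '%04o' "0$1")      # "644" -> "0644", "0" -> "0000"
    rest=${padded#?}                   # drop setuid/setgid/sticky digit
    u=${rest%??}; o=${rest#??}; g=${rest#?}; g=${g%?}
    # Unix checks exactly one class: owner first, then group, then other.
    if [ "$4" = "$2" ]; then has_w "$u"; return; fi
    for grp in $5; do
        if [ "$grp" = "$3" ]; then has_w "$g"; return; fi
    done
    has_w "$o"
}

# audit_htaccess FILE [WEBUSER] -> 0 not writable, 1 writable, 2 stat failed
audit_htaccess() {
    file=$1; webuser=${2:-www-data}
    meta=$(stat -c '%a %U %G' "$file") || return 2
    set -- $meta                       # $1=mode $2=owner $3=group
    if can_write "$1" "$2" "$3" "$webuser" "$(id -Gn "$webuser" 2>/dev/null)"; then
        echo "WRITABLE by $webuser: $file ($2:$3 mode $1)"
        return 1
    fi
    echo "OK, not writable by $webuser: $file ($2:$3 mode $1)"
}
```

After sourcing the file, call `audit_htaccess /path/to/nextcloud/.htaccess www-data` (the path is a placeholder). A file at `root:www-data` 644 is reported as not writable, while `www-data:www-data` 644 is reported as writable.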

Hi Bernd,
Thanks for your answer. Just to be clear: you have these permissions and owners and your Nextcloud is still running without problems?

Bernd

Hi @bernd.lentes

yes - that’s right. (I just have to change the permissions before the update.)

Have you seen the discussion here? No hardened file permissions recommended anymore?
The pros and cons are laid out there.

Best, Bernd

Hi Bernd,

Thanks for your answer. I didn’t know this discussion, I will check it.
Thanks again.

Bernd