#### Warning! RainLoop data folder is accessible

willhelm · June 16, 2018, 2:52pm

Fresh install of NC.
Added Rainloop
Get this warning

Warning!

RainLoop data folder is accessible. Please configure your web server to hide the data folder from external access. Read more here

Added .htaccess in /…data/rainloop-storage/
restarted Apache.
No luck, still same error

How to get rid of the Warning and secure the files

Cheers

[Contents of .htaccess]

Generated by Nextcloud on 2018-05-28 16:45:06

line below if for Apache 2.4

Require all denied

line below if for Apache 2.2

<ifModule !mod_authz_core.c>
deny from all
Satisfy All

section for Apache 2.2 and 2.4

IndexIgnore *

DecaTec · June 17, 2018, 4:19pm

You simply have to deny access for the folder /apps/rainloop/app/data inside your Nextcloud installation.
I only use nginx, but here you have to define a location block inside your Nextcloud vHost:

        location ^~ /apps/rainloop/app/data {
                deny all;
        }

You’ll need something similar for Apache.

willhelm · June 18, 2018, 8:08pm

Added in /etc/apache2/sites-enabled/nextcloud.conf

<Directory /var/www/nextcloud/apps/rainloop/app/data/>
Require all denied

<Directory /media/USBdrive/data/rainloop-storage/>
Require all denied

Sudo service apache2 restart

Also tried
…
AllowOverride All
…

and added .htaccess with
Require all denied
in the subsequent directories

Sudo service apache2 restart

No results.
Still get the warning… Any clues ?

h3rb3rt · July 3, 2018, 8:27am

Would be interested in a solution as well.
I have setup Rainloop yesterday and struggeling getting rid of the error.
My “data storage” is located outside the WWW directory on a mounted NFS share, this is also the location of rainloop_storage. rights are assigned to www-data but still. I have no idea how to get rid of the error.

What I tried

apache2.conf
<Directory /media/nfs-share/rainloop_storage/data>
   Options -Indexes
   Deny from all
</Directory>
<Directory /var/www/html/nextcloud/apps/rainloop/app/data>
   Options -Indexes
   Deny from all
</Directory>

and .htaccess in media/nfs-share/rainloop_storage/data and /var/www/html/nextcloud/apps/rainloop/app/data

Deny from all

With www-data:www-data as owner

Still the same error, I I try to access the data directory somehow from the browser, I get redirected to Nextcloud file view

alfred · July 3, 2018, 10:20am

I cannot access the Rainloop storage folder from any browser. Ubuntu 16.04, Apache 2.4. There is the .htaccess file from the /data/rainloop-storage folder actually:

/data/rainloop-storage# cat .htaccess 
Deny from all
<IfModule mod_autoindex.c>
Options -Indexes

It should put these files into the data directory too to prevent access from outside:

/data/rainloop-storage# ls
_data_  index.html  index.php  INSTALLED  SALT.php  VERSION

If this is not the case then something with your installation went wrong. The files are generated here:

github.com

pierre-alain-b/rainloop-nextcloud/blob/fb2949ce9548944ff9f69c93e0fc3a1d701f4388/rainloop/app/rainloop/v/1.12.0/include.php#L148


			define('APP_SALT', md5($sSalt.APP_PRIVATE_DATA_NAME.$sSalt));

			define('APP_PRIVATE_DATA', APP_DATA_FOLDER_PATH.'_data_'.($sData ? md5($sData) : '').'/'.APP_PRIVATE_DATA_NAME.'/');



			define('APP_PLUGINS_PATH', APP_PRIVATE_DATA.'plugins/');



			if (APP_VERSION !== $sInstalled || (APP_MULTIPLY && !@is_dir(APP_PRIVATE_DATA)))

			{

				define('APP_INSTALLED_START', true);

				define('APP_INSTALLED_VERSION', $sInstalled);



				@file_put_contents(APP_DATA_FOLDER_PATH.'INSTALLED', APP_VERSION);

				@file_put_contents(APP_DATA_FOLDER_PATH.'VERSION', APP_VERSION);

				@file_put_contents(APP_DATA_FOLDER_PATH.'index.html', 'Forbidden');

				@file_put_contents(APP_DATA_FOLDER_PATH.'index.php', 'Forbidden');



				if (!@file_exists(APP_DATA_FOLDER_PATH.'.htaccess') && @file_exists(APP_VERSION_ROOT_PATH.'app/.htaccess'))

				{

					@file_put_contents(APP_DATA_FOLDER_PATH.'.htaccess', @file_get_contents(APP_VERSION_ROOT_PATH.'app/.htaccess'));

				}



				if (!@is_dir(APP_PRIVATE_DATA))

h3rb3rt · July 3, 2018, 10:40am

None of these files were created.
Not sure if I can do anything wrong when activating an app from nextcloud directly, but ok.

Is there a log of things going wrong?
Do I need to place the .htaccess now into
/media/nextcloud-data/rainloop-storage/_data_
or
/media/nextcloud-data/rainloop-storage/
or/and
/var/www/html/nextcloud/apps
or
/var/www/html/nextcloud/apps/rainloop/app

This is all not really documented, nor do I understand completely how and what is parsed when.
Perhaps it is even a bug, because all files are there accept this ones, seems strange.

alfred · July 4, 2018, 11:34am

It should in the data folder like /var/www/nextcloud/data/rainloop-storage/.

Could be, maybe you should report a bug if the files are not created. Did you check the permissions on that folder?

h3rb3rt · July 5, 2018, 6:11am

Thanks, I filed a bug because I am out of ideas

pab · July 5, 2018, 6:19am

Hello, this issue is mentioned in this ticket: https://github.com/pierre-alain-b/rainloop-nextcloud/issues/62.

Our analysis so far is that:

the data folder is not accessible
it is a false positive triggered by the fact that Rainloop checks the status code of the request to one file in the data folder but as Nextcloud redirects the request with a 3xx status code then Rainloop does interprete this as an insecured folder

I should push a change in the Rainloop base code to differentiate a “true” access and a redirect by Nextcloud.

Unless I miss something, there is no security risk for now even with the error message popping up.