
Data folder accessible if "Satisfy Any" is set #6449

Closed
MichaIng opened this issue Sep 11, 2017 · 34 comments · Fixed by #16792
Labels
4. to release Ready to be released and/or waiting for tests to finish security

Comments

@MichaIng
Member

MichaIng commented Sep 11, 2017

Rewards are always welcome though, but it was not me who stumbled upon this: https://help.nextcloud.com/t/htaccess-warning-while-configuration-should-be-ok/20280/17?u=michaing

Steps to reproduce

  1. Set up Nextcloud on Apache2 without pretty URLs and with the data directory inside the Nextcloud root.
  2. Ensure .htaccess files are used as expected to prevent access to the data folder.
  3. Add Satisfy Any to the Nextcloud vhost/config file, as mentioned in the admin manual as necessary in some cases: https://docs.nextcloud.com/server/12/admin_manual/installation/source_installation.html#additional-apache-configurations
  4. Try to access some file inside the data folder by using its direct URL.

Expected behaviour

Access should be forbidden.

Actual behaviour

Access works very well.

  • Pretty URLs lead to redirection of requests to the Nextcloud base URL. But e.g. access to /data/index.html is still possible.

Server configuration

Operating system: Raspbian/Debian Stretch

Web server: Apache/2.4.25

Database: MariaDB 10.1

PHP version: 7.0.19-1

Nextcloud version: 12.0.2

Updated from an older Nextcloud/ownCloud or fresh install: updated

Where did you install Nextcloud from: downloads.nextcloud.com

Signing status:

Signing status
No errors have been found.

List of activated apps:

App list
Enabled:
  - activity: 2.5.2
  - apporder: 0.4.0
  - calendar: 1.5.3
  - contacts: 1.5.3
  - dav: 1.3.0
  - federatedfilesharing: 1.2.0
  - files: 1.7.2
  - files_sharing: 1.4.0
  - files_trashbin: 1.2.0
  - files_versions: 1.5.0
  - gallery: 17.0.0
  - impersonate: 1.0.1
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - nextcloud_announcements: 1.1
  - notifications: 2.0.0
  - oauth2: 1.0.5
  - ownnote: 1.08
  - polls: 0.7.3
  - previewgenerator: 1.0.6
  - provisioning_api: 1.2.0
  - serverinfo: 1.2.0
  - sharerenamer: 1.3
  - tasks: 0.9.5
  - twofactor_backupcodes: 1.1.1
  - updatenotification: 1.2.0
  - workflowengine: 1.2.0
Disabled:
  - admin_audit
  - comments
  - encryption
  - federation
  - files_external
  - files_pdfviewer
  - files_texteditor
  - files_videoplayer
  - firstrunwizard
  - imprint
  - password_policy
  - sharebymail
  - survey_client
  - systemtags
  - theming
  - user_external
  - user_ldap

Nextcloud configuration:

Config report
{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "my.domain.org"
        ],
        "datadirectory": "\/mnt\/sda\/ncdata", #Tested with manual created data directory + test files inside nextcloud root and with occ maintenance:update:htaccess to create correct .htaccess file inside.
        "dbtype": "mysql",
        "version": "12.0.2.0",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "filelocking.enabled": true,
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "\/var\/run\/redis\/redis.sock",
            "port": 0,
            "dbindex": 0,
            "password": "***REMOVED SENSITIVE VALUE***",
            "timeout": 1.5
        },
        "dbname": "nextcloud",
        "dbhost": "localhost",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "ocv2j0skx6hk",
        "loglevel": 3,
        "logtimezone": "Europe\/Berlin",
        "trashbin_retention_obligation": "disabled",
        "versions_retention_obligation": "disabled",
        "skeletondirectory": "",
        "defaultapp": "apporder",
        "maintenance": false,
        "overwrite.cli.url": "https:\/\/my.domain.org\/nextcloud",
        "htaccess.RewriteBase": "\/nextcloud", #Tested without pretty URLs, as they redirect access tries to all files besides at least index.html inside data directory.
        "mail_smtpmode": "smtp",
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpsecure": "tls",
        "mail_from_address": "my.mail",
        "mail_domain": "gmx.de",
        "mail_smtpauth": 1,
        "mail_smtphost": "mail.gmx.net",
        "mail_smtpport": "587",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***"
    },
    "apps": {
        "activity": {
            "enabled": "yes",
            "installed_version": "2.5.2",
            "notify_email_calendar": "0",
            "notify_email_calendar_event": "0",
            "notify_email_calendar_todo": "0",
            "notify_email_favorite": "0",
            "notify_email_file_changed": "0",
            "notify_email_file_created": "0",
            "notify_email_file_deleted": "0",
            "notify_email_file_downloaded": "0",
            "notify_email_file_restored": "0",
            "notify_email_public_links": "0",
            "notify_email_remote_share": "0",
            "notify_email_shared": "0",
            "notify_setting_batchtime": "604800",
            "notify_setting_self": "1",
            "notify_setting_selfemail": "0",
            "notify_stream_calendar": "1",
            "notify_stream_calendar_event": "1",
            "notify_stream_calendar_todo": "1",
            "notify_stream_favorite": "1",
            "notify_stream_file_changed": "1",
            "notify_stream_file_created": "1",
            "notify_stream_file_deleted": "1",
            "notify_stream_file_downloaded": "1",
            "notify_stream_file_favorite": "0",
            "notify_stream_file_restored": "1",
            "notify_stream_public_links": "1",
            "notify_stream_remote_share": "1",
            "notify_stream_shared": "1",
            "types": "filesystem"
        },
        "apporder": {
            "enabled": "yes",
            "installed_version": "0.4.0",
            "order": "[\"\/nextcloud\/index.php\/apps\/activity\/\",\"\/nextcloud\/index.php\/apps\/files\/\",\"\/nextcloud\/index.php\/apps\/gallery\/\",\"\/nextcloud\/index.php\/apps\/contacts\/\",\"\/nextcloud\/index.php\/apps\/calendar\/\",\"\/nextcloud\/index.php\/apps\/tasks\/\",\"\/nextcloud\/index.php\/apps\/ownnote\/\",\"\/nextcloud\/index.php\/apps\/polls\/\"]",
            "types": ""
        },
        "backgroundjob": {
            "lastjob": "20"
        },
        "calendar": {
            "enabled": "yes",
            "installed_version": "1.5.3",
            "types": ""
        },
        "comments": {
            "enabled": "no",
            "installed_version": "1.2.0",
            "types": "logging"
        },
        "contacts": {
            "enabled": "yes",
            "installed_version": "1.5.3",
            "types": ""
        },
        "core": {
            "backgroundjobs_mode": "cron",
            "installedat": "1496402497.1163",
            "lastcron": "1505128503",
            "lastupdateResult": "[]",
            "lastupdatedat": "1505127887",
            "moveavatarsdone": "yes",
            "oc.integritycheck.checker": "[]",
            "previewsCleanedUp": "1",
            "public_files": "files_sharing\/public.php",
            "public_webdav": "dav\/appinfo\/v1\/publicwebdav.php",
            "scss.variables": "d41d8cd98f00b204e9800998ecf8427e",
            "shareapi_allow_resharing": "no",
            "shareapi_enforce_links_password": "yes",
            "updater.secret.created": "1503506277",
            "vendor": "nextcloud"
        },
        "dav": {
            "enabled": "yes",
            "installed_version": "1.3.0",
            "types": "filesystem"
        },
        "federatedfilesharing": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": ""
        },
        "federation": {
            "enabled": "no",
            "installed_version": "1.2.0",
            "types": "authentication"
        },
        "files": {
            "cronjob_scan_files": "500",
            "enabled": "yes",
            "installed_version": "1.7.2",
            "types": "filesystem"
        },
        "files_downloadactivity": {
            "enabled": "no",
            "installed_version": "1.1.1",
            "types": "filesystem"
        },
        "files_pdfviewer": {
            "enabled": "no",
            "installed_version": "1.1.1",
            "ocsid": "166049",
            "types": ""
        },
        "files_sharing": {
            "enabled": "yes",
            "installed_version": "1.4.0",
            "lookupServerUploadEnabled": "no",
            "types": "filesystem"
        },
        "files_texteditor": {
            "enabled": "no",
            "installed_version": "2.4.1",
            "ocsid": "166051",
            "types": ""
        },
        "files_trashbin": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": "filesystem"
        },
        "files_versions": {
            "enabled": "yes",
            "installed_version": "1.5.0",
            "types": "filesystem"
        },
        "files_videoplayer": {
            "enabled": "no",
            "installed_version": "1.1.0",
            "types": ""
        },
        "firstrunwizard": {
            "enabled": "no",
            "installed_version": "2.1",
            "types": "logging"
        },
        "gallery": {
            "enabled": "yes",
            "installed_version": "17.0.0",
            "types": ""
        },
        "impersonate": {
            "enabled": "yes",
            "installed_version": "1.0.1",
            "types": ""
        },
        "imprint": {
            "content": "test test",
            "enabled": "no",
            "installed_version": "0.2.5",
            "position-guest": "header-right",
            "position-login": "header-right",
            "position-user": "header-right",
            "types": ""
        },
        "logreader": {
            "enabled": "yes",
            "installed_version": "2.0.0",
            "levels": "00011",
            "ocsid": "170871",
            "types": ""
        },
        "lookup_server_connector": {
            "enabled": "yes",
            "installed_version": "1.0.0",
            "types": "authentication"
        },
        "nextcloud_announcements": {
            "enabled": "yes",
            "installed_version": "1.1",
            "pub_date": "Sat, 10 Dec 2016 00:00:00 +0100",
            "types": "logging"
        },
        "notifications": {
            "enabled": "yes",
            "installed_version": "2.0.0",
            "types": "logging"
        },
        "oauth2": {
            "enabled": "yes",
            "installed_version": "1.0.5",
            "types": "authentication"
        },
        "ownbackup": {
            "enabled": "no",
            "installed_version": "17.5.0",
            "types": ""
        },
        "ownnote": {
            "enabled": "yes",
            "folder": "ownNotes",
            "installed_version": "1.08",
            "types": ""
        },
        "password_policy": {
            "enabled": "no",
            "installed_version": "1.2.2",
            "types": ""
        },
        "polls": {
            "enabled": "yes",
            "installed_version": "0.7.3",
            "types": ""
        },
        "previewgenerator": {
            "enabled": "yes",
            "installed_version": "1.0.6",
            "types": "filesystem"
        },
        "provisioning_api": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": "prevent_group_restriction"
        },
        "rainloop": {
            "enabled": "no",
            "installed_version": "5.0.1",
            "rainloop-autologin": "1",
            "types": ""
        },
        "serverinfo": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": ""
        },
        "sharebymail": {
            "enabled": "no",
            "installed_version": "1.2.0",
            "types": "filesystem"
        },
        "sharerenamer": {
            "enabled": "yes",
            "installed_version": "1.3",
            "types": ""
        },
        "survey_client": {
            "enabled": "no",
            "installed_version": "1.0.0",
            "types": ""
        },
        "systemtags": {
            "enabled": "no",
            "installed_version": "1.2.0",
            "types": "logging"
        },
        "tasks": {
            "enabled": "yes",
            "installed_version": "0.9.5",
            "types": ""
        },
        "theming": {
            "enabled": "no",
            "installed_version": "1.3.0",
            "types": "logging"
        },
        "twofactor_backupcodes": {
            "enabled": "yes",
            "installed_version": "1.1.1",
            "types": ""
        },
        "updatenotification": {
            "core": "12.0.2.0",
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": "",
            "update_check_errors": "0"
        },
        "workflowengine": {
            "enabled": "yes",
            "installed_version": "1.2.0",
            "types": "filesystem"
        }
    }
}

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Opera 49 + Edge 40.15 were tested.

Operating system:

Logs

Web server error log

none

Nextcloud log (data/nextcloud.log)

none

Browser log

none
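An added example, not the project's code, for the reproduction steps in this report: a small Python probe that requests a handful of files that must never be served directly from below the Nextcloud base URL and reports any that come back 2xx. It deliberately does not follow redirects, because with pretty URLs enabled Apache redirects most blocked paths to index.php and a redirect-following client would report a misleading 200; the report above notes that /data/index.html is still served even then. The host name in the usage comment is a placeholder; data/index.html, data/.ocdata and data/nextcloud.log are files a stock install keeps in the data directory, and config/config.php is the other must-not-serve target.

```python
"""Added example, not Nextcloud code: black-box check for the reproduction
steps above. Each path is requested WITHOUT following redirects: with pretty
URLs enabled a blocked path is often redirected to index.php, and a client
that follows the redirect would report a misleading 200."""
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None            # None => urlopen raises HTTPError carrying the 3xx


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_status(url):
    """HTTP status of a GET on `url`; redirects are reported as their own 3xx code."""
    try:
        with _OPENER.open(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


# Relative to the Nextcloud base URL. data/index.html, data/.ocdata and
# data/nextcloud.log exist on a stock install with the data dir in the webroot;
# config/config.php is the other file that must never be served.
DEFAULT_PATHS = ("data/index.html", "data/.ocdata", "data/nextcloud.log",
                 "config/config.php")


def classify(status):
    """2xx means the file was served. 3xx, 401, 403 and 404 all mean it was not;
    a 401 is the Basic-auth prompt of a Satisfy All setup and is fine."""
    return "EXPOSED" if 200 <= status < 300 else "blocked"


def probe(base_url, paths=DEFAULT_PATHS, status_of=http_status):
    """Return {path: (status, verdict)}; `status_of` is injectable for offline tests."""
    base = base_url.rstrip("/") + "/"
    results = {}
    for path in paths:
        status = status_of(base + path)
        results[path] = (status, classify(status))
    return results


def exposed_paths(results):
    return [p for p, (_, verdict) in results.items() if verdict == "EXPOSED"]


if __name__ == "__main__":
    import sys
    res = probe(sys.argv[1])             # e.g. https://my.domain.org/nextcloud/ (placeholder)
    for path, (status, verdict) in res.items():
        print(f"{status:3} {verdict:8} {path}")
    sys.exit(1 if exposed_paths(res) else 0)
```

Probe the canonical HTTPS base URL so that a plain http-to-https 301 is not mistaken for a block; a 401 from Basic auth and a 403 from the .htaccess are both reported as blocked. The `status_of` argument exists only so the logic can be exercised against a canned status table without a server.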

@biva

biva commented Sep 11, 2017

Thank you @MichaIng! Initial issue were posted here: #6281

@MichaIng
Member Author

MichaIng commented Sep 11, 2017

Sorry for the double post then. At least the malicious setting has been identified here, which is also present in #6281.

As a first fast reaction I think an adjustment of the related admin manual part would be good, as many users seem to use Satisfy Any, even if they don't need it.

But of course it would be great if e.g. .htaccess could be modified to block access, even if Satisfy Any is set in the Nextcloud vhost/config. Wouldn't Satisfy All inside .htaccess overwrite it in every case? I will test this later.

EDIT: As there is a certain use case (Apache folder authentication) for Satisfy Any, it should indeed be tested whether it works as expected in that case without opening the data directory. I have to find out first how to configure this folder authentication 😆, maybe someone is faster.

@MorrisJobke
Member

cc @nextcloud/security

@MichaIng
Member Author

MichaIng commented Sep 11, 2017

Just played around a bit:

  • My webserver root is /var/www/ and nextcloud root is /var/www/nextcloud/.
  • I adjusted my apache2.conf to add folder authentication to the webserver root and created a password for this by htpasswd -c /mnt/sda/apachepasswords root:
<Directory /var/www/>
        DirectoryIndex index.php index.html
        Options Indexes FollowSymLinks
        AllowOverride None
        #Require all granted //need to be commented out, because it destroys the following authentication attempt :)

#folder authentication start
AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider file
AuthUserFile /mnt/sda/apachepasswords
Require user root
#folder authentication end

</Directory>
  • After an Apache restart, Nextcloud web access, desktop clients and CardDAV + CalDAV asked for authentication/user passwords, as was expected.
  • Now I added Satisfy Any to nextcloud.conf and access to Nextcloud worked well again, BUT direct access to my data also worked, as described above.
  • I now adjusted the .htaccess by adding Satisfy All to the Apache 2.4 part:
# Generated by Nextcloud on 2017-06-02 11:21:34
# line below if for Apache 2.4
<ifModule mod_authz_core.c>
Require all denied
Satisfy All
</ifModule>

# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
Satisfy All
</ifModule>

# section for Apache 2.2 and 2.4
<ifModule mod_autoindex.c>
IndexIgnore *
</ifModule>
  • ...and indeed access to the data folder got denied again. But by the way, the Nextcloud web UI/folder app etc. worked well, so no full block of the data or something 😉.

So in conclusion: Require all granted/denied and Satisfy Any/All seem to work independently beside each other, granting/denying access. If each one of these directives is set to allow access to the parent folder/globally, each needs to be overwritten in the subdirectory to definitely block access.

So as far as I could test it, the fix would be to adjust /data/.htaccess to match the example above and keep the Satisfy Any hint in the admin manual, but explain it a bit more to make clear that people should NOT add it in case they do not know exactly that they need it and what they are doing.

@MorrisJobke MorrisJobke changed the title [SECURITY] Data folder accessible if "Satisfy Any" is set Data folder accessible if "Satisfy Any" is set Sep 12, 2017
@MichaIng
Member Author

MichaIng commented Dec 5, 2017

Any news about this? I still see here and there users with this setting, who definitely don't need it and might expose their data with it.

@penCsharpener

penCsharpener commented Sep 11, 2018

I upgraded from 13.0.6.1 to 14.0.0 and suddenly NC warned me that .htaccess didn't work and my data would be exposed, which indeed it was. Removing Satisfy Any from the Apache virtual host file fixed it as well.
Before the upgrade this wasn't an issue. Regression?

@nextcloud-bot nextcloud-bot removed the stale Ticket or PR with no recent activity label Sep 11, 2018
@mgartin

mgartin commented Oct 13, 2018

I see the same: When I upgrade nextcloud, it replaces my .htaccess file in the data folder with the following:

# line below if for Apache 2.4
<ifModule mod_authz_core.c>
Require all denied
</ifModule>

# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
Satisfy All
</ifModule>

# section for Apache 2.2 and 2.4
<ifModule mod_autoindex.c>
IndexIgnore *
</ifModule>

However, this makes the data folder world readable, probably because of some setting in apache that I did in order for caldav/carddav to work (using the guide).

  1. I would expect that nextcloud would make a very clear warning about this, much more than the red flag in the admin panel.

The .htaccess file that works for me is the following:

#<ifModule mod_authz_core.c>
Require all denied
#</ifModule>

# line below if for Apache 2.2
#<ifModule !mod_authz_core.c>
deny from all
Satisfy All
#</ifModule>

# section for Apache 2.2 and 2.4
<ifModule mod_autoindex.c>
IndexIgnore *
</ifModule>

i.e. with the if statements commented out.

System:

# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.1 LTS"

# php --version
PHP 7.2.10-0ubuntu0.18.04.1 (cli) (built: Sep 13 2018 13:45:02) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.2.10-0ubuntu0.18.04.1, Copyright (c) 1999-2018, by Zend Technologies

# a2query -m
authn_core (enabled by maintainer script)
auth_basic (enabled by maintainer script)
deflate (enabled by maintainer script)
setenvif (enabled by maintainer script)
alias (enabled by maintainer script)
rewrite (enabled by site administrator)
mpm_prefork (enabled by site administrator)
authz_user (enabled by maintainer script)
ssl (enabled by site administrator)
proxy (enabled by site administrator)
socache_shmcb (enabled by site administrator)
proxy_http (enabled by site administrator)
negotiation (enabled by maintainer script)
php7.2 (enabled by site administrator)
access_compat (enabled by maintainer script)
filter (enabled by maintainer script)
autoindex (enabled by maintainer script)
reqtimeout (enabled by maintainer script)
dir (enabled by maintainer script)
authz_core (enabled by maintainer script)
env (enabled by maintainer script)
headers (enabled by site administrator)
status (enabled by maintainer script)
authn_file (enabled by maintainer script)
mime (enabled by maintainer script)
authz_host (enabled by maintainer script)

I have my installation at /var/www/html/mycustomname/ and as per https://docs.nextcloud.com/server/13/admin_manual/installation/source_installation.html#ubuntu-installation-label I have "Satisfy Any" in my site config.

The main problem is that I had this security issue solved, but the upgrade just threw me back, and I only noticed it by chance.
It happened yesterday when I upgraded to 14.0.3.

@MichaIng
Member Author

MichaIng commented Oct 13, 2018

@mgartin

#<ifModule mod_authz_core.c>
Require all denied
#</ifModule>

# line below if for Apache 2.2
#<ifModule !mod_authz_core.c>
deny from all
Satisfy All
#</ifModule>

Strange, this is not 100% the same. The .htaccess at first looks quite reasonable to me:

  • In case mod_authz_core is available, use the access permission directive it brings.
  • If it is not available, use the old fashioned way to restrict access.

However, it seems that Require all denied does not override Satisfy Any, while Satisfy All does.

  • The Require all directive is brought by mod_authz_core, which is only available since Apache 2.4, so the ifModule statement makes sense here: https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html
  • deny from all is more complicated. To simply assume it is always available if mod_authz_core is not, is of course wrong; to assume it is only required if mod_authz_core is not available, is even more wrong. In my impression it should simply always be set, if the directive is available.
    • The problem is that on 2.4 it's marked as deprecated and only available via mod_access_compat.
    • But on 2.2 it's available via mod_authz_host, which also exists on 2.4 but provides the new-fashioned directives there.
    • So not sure how to do this best, but in my impression deny from all should always be set if the deny directive is available, regardless of Require all, since we cannot be sure it's overridden.
  • Satisfy All should always be set as well, to override any other Satisfy (most importantly Satisfy Any) directives possibly set in Apache confs.

What definitely need to be changed:

  • Remove Satisfy Any from any example setup in the documentation. Instead change the section with a clear warning that this directive should never be added. This should be addressed to the docs repo then.
  • Add deny from all and Satisfy All directives to data/.htaccess whenever they are available, to override other values set, which seem not to be overridden by Require. Although it would somehow need an Apache version check.
# line below if for Apache 2.4
<ifModule mod_authz_core.c>
  Require all denied
</ifModule>
<ifModule mod_access_compat.c>
  deny from all
  Satisfy All
</ifModule>

# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
  <ifModule !mod_access_compat.c>
    <ifModule mod_authz_host.c>
      deny from all
    </ifModule>
    Satisfy All
  </ifModule>
</ifModule>
  • The last issue I see is if on Apache 2.4 mod_authz_core + mod_access_compat are disabled, but mod_authz_host is enabled. I didn't (yet) test, but I think it's impossible, since mod_authz_host should depend on mod_authz_core (EDIT: It does!).
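An added example, not code from Nextcloud, Apache or this thread, that models the merge behaviour described in the conclusion earlier in the thread (Require and Satisfy acting independently) and exercises the .htaccess proposed in the comment above: with Satisfy Any inherited from the vhost, a bare Require all denied in data/.htaccess is never consulted, because the host-based check passes when no Deny is in scope, whereas Deny from all plus Satisfy All closes both doors. The script parses a vhost snippet plus a .htaccess, merges them the way Apache does (server-level directives, then the ancestor <Directory> sections least specific first, then the .htaccess, with <IfModule> resolved against a given set of loaded modules) and reports whether an anonymous client gets in. The vhost, the paths and the module set are constructed for illustration; the .htaccess samples are the shipped one and the Apache 2.4 part of the fix proposed above (the 2.2 fallback is left out). Simplifications: AllowOverride is assumed to permit the .htaccess directives, Order is ignored, only Allow/Deny from all are understood, and the model does not know that Satisfy itself needs mod_access_compat on 2.4, so feed it only configurations Apache actually starts with.

```python
"""Added example (not Nextcloud/Apache code): model Apache's access-control merge."""
import posixpath
import re
_OPEN, _CLOSE = re.compile(r"^<(\w+)\s*(.*?)>$"), re.compile(r"^</(\w+)>$")

def parse(text):
    """Nodes: ('directive', name, value) or ('section', name, arg, children)."""
    root = target = []
    stack = []                                   # (section name, parent list)
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if m := _OPEN.match(line):
            children = []
            target.append(("section", m[1].lower(), m[2].strip(), children))
            stack.append((m[1].lower(), target))
            target = children
        elif m := _CLOSE.match(line):
            target = stack.pop()[1]
        else:
            name, _, value = line.partition(" ")
            target.append(("directive", name.lower(), value.strip()))
    return root

def effective_directives(server_conf, directory, htaccess, modules):
    """Merge as Apache does: server-level directives, the <Directory> sections that
    contain `directory` (least specific first), then its .htaccess; <IfModule> resolved."""
    directory = posixpath.normpath(directory)
    found = []                                   # (path length, directives)
    def walk(nodes, scope):
        for node in nodes:
            if node[0] == "directive":
                scope.append((node[1], node[2]))
            elif node[1] == "ifmodule":
                if (node[2].lstrip("!") in modules) != node[2].startswith("!"):
                    walk(node[3], scope)
            elif node[1] == "directory":
                path = posixpath.normpath(node[2].strip('"'))
                if directory == path or directory.startswith(path.rstrip("/") + "/"):
                    found.append((len(path), []))
                    walk(node[3], found[-1][1])
            else:                                # VirtualHost etc. are transparent
                walk(node[3], scope)
    out = []
    walk(parse(server_conf), out)
    for _, directives in sorted(found, key=lambda f: f[0]):
        out.extend(directives)
    walk(parse(htaccess), out)
    return out

def anonymous_access(directives):
    """(allowed, reason) for a client sending no credentials; later directives win.
    Satisfy All (default): host check AND Require. Satisfy Any: either one suffices."""
    satisfy, host_ok, require = "all", True, None            # Apache defaults
    for name, value in directives:
        v = " ".join(value.lower().split())
        if name == "satisfy":
            satisfy = v
        elif name in ("deny", "allow") and v == "from all":  # Order is ignored here
            host_ok = name == "allow"
        elif name == "require":
            require = v
    # 'all granted' passes; 'all denied' and user/group/valid-user fail unauthenticated
    authz_ok = require is None or require == "all granted"
    allowed = (host_ok or authz_ok) if satisfy == "any" else (host_ok and authz_ok)
    return allowed, f"Satisfy {satisfy}, host_ok={host_ok}, Require {require or '(none)'}"

def audit(server_conf, directory, htaccess, modules):
    return anonymous_access(effective_directives(server_conf, directory, htaccess, modules))
# Constructed reproduction (hypothetical paths): Basic auth on the webroot, Satisfy Any below it
VHOST = """
<Directory /var/www/>
  Require user root
</Directory>
<Directory /var/www/nextcloud/>
  Satisfy Any
</Directory>
"""
# data/.htaccess as shipped, then the Apache 2.4 part of the fix proposed in this thread
OLD_HTACCESS = """
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
deny from all
Satisfy All
</IfModule>
"""
FIXED_HTACCESS = """
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule mod_access_compat.c>
  Order Allow,Deny
  Deny from all
  Satisfy All
</IfModule>
"""
APACHE24 = {"mod_authz_core.c", "mod_access_compat.c", "mod_authz_host.c"}
```

Calling audit(VHOST, "/var/www/nextcloud/data", OLD_HTACCESS, APACHE24) returns (True, 'Satisfy any, host_ok=True, Require all denied'), i.e. exposed, while the fixed .htaccess returns False; the same shipped file with only mod_authz_host loaded (an Apache 2.2 module set) is blocked, which matches the observation in the thread that only 2.4 was affected. A data directory that no <Directory> section contains comes out blocked as well, in line with the advice later in the thread to keep it outside the webroot.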

@skjnldsv
Member

@MichaIng what is the status here?
I'm not too familiar with mod_authz and such, but is your last post a working solution? If so, do you think it would be nice to have it in the docs? :)

@skjnldsv skjnldsv added 0. Needs triage Pending check for reproducibility or if it fits our roadmap needs info labels Aug 15, 2019
@MichaIng
Member Author

MichaIng commented Aug 15, 2019

@skjnldsv
So far nothing has changed with the .htaccess files that would cover this issue. My example worked well with Apache 2.4 at least; I did not test with Apache 2.2 but read the docs very carefully about it to be sure it works.

As long as you did not set up any web authentication outside of Nextcloud, i.e. you have to enter credentials to access e.g. the webroot itself, simply never add Satisfy Any to your config; then you are safe.

If you have an authentication setup that includes the Nextcloud dir, so you would need to enter the webserver credentials once and the Nextcloud credentials again to log in (which breaks clients then), for now I would add Satisfy All for the Nextcloud data dir to the webserver config. The .htaccess file itself cannot really be used, since it is updated by Nextcloud as well, at least when running occ maintenance:update:htaccess, and I guess through regular updates as well at times.

Rather than adding some workaround for this security issue to the docs, I would like to see the .htaccess I posted above become the fixed default for the Nextcloud data dir. Besides explaining the Satisfy directive (in which rare cases it is required) a bit more, this would render any workaround obsolete.

This is still a major security issue, since I found many users adding Satisfy Any to their Nextcloud vhost config, opening direct access to their private data to the world. That the admin panel shows a warning (data world readable) then does not really help, but instead confuses, since inexperienced users will not identify Satisfy Any as the reason.

Ah, but note that all of this is only an issue if your data dir is inside the webserver webroot, e.g. /var/www/nextcloud/data. It is anyway recommended for many other reasons to move it outside the webroot, e.g. onto some external drive 😉.


Just checked the docs, Satisfy Any is still there without any warning: https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#additional-apache-configurations
The data dir .htaccess is still the same, only reverting this directive on Apache 2.2, and being regularly updated:

2019-08-15 14:41:32 root@micha:/var/log# cat /mnt/sda/ncdata/.htaccess
# Generated by Nextcloud on 2019-08-09 23:58:59
# line below if for Apache 2.4
<ifModule mod_authz_core.c>
Require all denied
</ifModule>

# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
Satisfy All
</ifModule>

# section for Apache 2.2 and 2.4
<ifModule mod_autoindex.c>
IndexIgnore *
</ifModule>

@skjnldsv
Member

Thanks! :)
But is this really an issue with nextcloud? Or just a config issue? 🤔

@mgartin

mgartin commented Aug 16, 2019

Thanks! :)
But is this really an issue with nextcloud? Or just a config issue? 🤔

As long as Nextcloud rewrites a functioning .htaccess file to one that leaves the full installation world readable, I think it is fair to say that it is a Nextcloud issue. Or what do you mean by "just a config issue"? What is Nextcloud without a proper config?

This might only affect a few of us, maybe with a particular distro or whatnot, but I think the severity of the issue requires some extra things to be checked during update.

@MichaIng
Member Author

MichaIng commented Aug 18, 2019

@mgartin

This might only affect a few of us, maybe with a particular distro or whatnot

It affects everyone with an Apache webserver (regardless of distro), .htaccess enabled (default + recommended), Satisfy Any set for the Nextcloud home dir (whether required or not) and the data dir inside the Nextcloud home dir, e.g. the default nextcloud/data.

some extra things to be checked during update

Nope, nothing needs to be checked; the .htaccess I provided here (bottom) solves the issue and applies all block rules available from Apache 2.2 till 2.5 (current state, as far as I can see). It even includes checks to apply settings failsafe in any case where the related modules are available.

I will open a PR when I find this .htaccess in the code. So far I didn't; only the one for the Nextcloud install dir is present as a dedicated file 🤔.

@skjnldsv
Member

skjnldsv commented Aug 19, 2019

Data htaccess:

public static function protectDataDirectory() {
//Require all denied
$now = date('Y-m-d H:i:s');
$content = "# Generated by Nextcloud on $now\n";
$content.= "# line below if for Apache 2.4\n";
$content.= "<ifModule mod_authz_core.c>\n";
$content.= "Require all denied\n";
$content.= "</ifModule>\n\n";
$content.= "# line below if for Apache 2.2\n";
$content.= "<ifModule !mod_authz_core.c>\n";
$content.= "deny from all\n";
$content.= "Satisfy All\n";
$content.= "</ifModule>\n\n";
$content.= "# section for Apache 2.2 and 2.4\n";
$content.= "<ifModule mod_autoindex.c>\n";
$content.= "IndexIgnore *\n";
$content.= "</ifModule>\n";

Root htaccess ?

server/config/.htaccess

Lines 1 to 14 in 2e36069

# line below if for Apache 2.4
<ifModule mod_authz_core.c>
Require all denied
</ifModule>
# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
</ifModule>
# section for Apache 2.2 and 2.4
<ifModule mod_autoindex.c>
IndexIgnore *
</ifModule>

@MichaIng
Member Author

MichaIng commented Aug 19, 2019

@skjnldsv
Thanks for finding them. The second one is to restrict config dir access; good to know, since this then needs to be updated the same way. Satisfy All is completely missing there, even for Apache 2.2.

Root .htaccess is this one: https://github.com/nextcloud/server/blob/master/.htaccess
Of course nothing should be blocked there 😉.


PR up: #16792

@MichaIng MichaIng added 3. to review Waiting for reviews and removed 0. Needs triage Pending check for reproducibility or if it fits our roadmap needs info labels Aug 24, 2019
@MichaIng
Member Author

Just to confirm, the new .htaccess files are present since Nextcloud 18 Beta 4:

2019-12-28 14:00:52 root@micha:/var/log# cat /var/www/nextcloud/config/.htaccess
# Section for Apache 2.4 to 2.6
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule mod_access_compat.c>
  Order Allow,Deny
  Deny from all
  Satisfy All
</IfModule>

# Section for Apache 2.2
<IfModule !mod_authz_core.c>
  <IfModule !mod_access_compat.c>
    <IfModule mod_authz_host.c>
      Order Allow,Deny
      Deny from all
    </IfModule>
    Satisfy All
  </IfModule>
</IfModule>

# Section for Apache 2.2 to 2.6
<IfModule mod_autoindex.c>
  IndexIgnore *
</IfModule>
2019-12-28 14:00:58 root@micha:/var/log# cat /mnt/sda/ncdata/.htaccess
# Generated by Nextcloud on 2019-12-28 12:32:29
# Section for Apache 2.4 to 2.6
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule mod_access_compat.c>
  Order Allow,Deny
  Deny from all
  Satisfy All
</IfModule>

# Section for Apache 2.2
<IfModule !mod_authz_core.c>
  <IfModule !mod_access_compat.c>
    <IfModule mod_authz_host.c>
      Order Allow,Deny
      Deny from all
    <IifModule>
    Satisfy All
  </IfModule>
</IfModule>

# Section for Apache 2.2 to 2.6
<IfModule mod_autoindex.c>
  IndexIgnore *
</IfModule>

@MichaIng MichaIng added 4. to release Ready to be released and/or waiting for tests to finish and removed 3. to review Waiting for reviews labels Dec 28, 2019
@MichaIng MichaIng added this to the Nextcloud 18 milestone Dec 28, 2019
@DJCrashdummy

Sorry for bumping this old issue, but I came across it via a random search and found an error in the syntax!

@MichaIng in the 9th last line of the last message the <IifModule> should be a closing IfModule... so is this just a typo on your side or in the code?!? I have no Nextcloud running at the moment to confirm it, so I decided to at least point it out here, as there also seems to be no follow-up mentioning this issue.

@MichaIng
Member Author

MichaIng commented Mar 17, 2021

Yes there was this typo indeed which has been fixed here: a98f8b5

@michelleDeko

michelleDeko commented Nov 11, 2021

Hi, I know this post is kinda old, but I really need help, I can't get the error message to disappear.

My apache2 config of the directory with the nextcloud installation looks like this:
https://pastebin.com/viBf59W0

And my .htaccess file in /nextcloud/data looks like this:
https://pastebin.com/RAR1Rikf

How can I fix this?

@MichaIng
Member Author

MichaIng commented Nov 11, 2021

First of all there are some issues with your configs:
Move the following into the 443 vhost. I wonder if you were ever able to connect via HTTPS currently?

SSLEngine on
SSLCertificateFile /root/cloudflare/domain.yt.pem
SSLCertificateKeyFile /root/cloudflare/domain.yt.key

Remove the following, it doesn't and probably never had any effect and has been removed from the Nextcloud docs as well in the meantime: nextcloud/documentation#1800

SetEnv HOME /var/www/cloud.domain.yt
SetEnv HTTP_HOME /var/www/cloud.domain.yt

And since you do not actually use different vhosts with different names, it makes sense to move ServerName cloud.domain.yt into the parent server configuration as global server name (and remove it hence from both vhosts), ServerAlias cloud.domain.yt can be removed and ServerAdmin emailadresse@email.org as well if you do not set it to a real email address that you want to share with visitors.

But that alone doesn't explain that your data can be accessed directly. Where is it located? Just in /var/www/cloud.domain.yt/data?

Which OS and Apache version do you use (apachectl -v)?

Is there an AccessFileName .htaccess directive in /etc/apache2/apache2.conf or another included config file?

@michelleDeko

michelleDeko commented Nov 11, 2021

Hello,

AccessFileName .htaccess is existing in the config.

I use Ubuntu 21.10 and Apache/2.4.48 (Ubuntu)

And yes it's located in /var/www/cloud.domain.yt/data

@MichaIng
Member Author

MichaIng commented Nov 11, 2021

And this URL works in browser access / does not redirect you to the login/default page?

https://cloud.domain.yt/data/index.html

or

http://cloud.domain.yt/data/index.html

@michelleDeko

Nope it just shows a blank page

@MichaIng
Member Author

Strange, so it is accessible while /var/www/cloud.domain.yt/data/.htaccess should prevent it, leading to a 403 which redirects you to the entry page.

You need to go through all loaded Apache2 configurations, there must be something which blocks Apache2 from using it. E.g. to check for all cases of the AccessFileName directive:

grep -r 'AccessFileName' /etc/apache2

And to check for read permissions of that file:

ls -l /var/www/cloud.domain.yt/data/.htaccess

And to check for Apache2 error messages:

journalctl -u apache2
cat /var/log/apache2/error.log

@michelleDeko

root@v3179:~# grep -r 'AccessFileName' /etc/apache2
/etc/apache2/apache2.conf:# AccessFileName: The name of the file to look for in each directory
/etc/apache2/apache2.conf:AccessFileName .htaccess

-rw-r--r-- 1 www-data www-data 542 Nov 8 19:38 /var/www/cloud.domain.yt/data/.htaccess

journalctl and cat: https://paste.deko.yt/view/d5add159

@MichaIng
Member Author

[so:warn] [pid 520557] AH01574: module heade>

Can you show the whole line of this log?

Looks like the richdocumentscode app requires an update or different configuration according to the logs it produces. However, I don't see something which would prevent .htaccess from being used. You could try to add some random invalid line to /var/www/cloud.domain.yt/data/.htaccess, then access http://cloud.domain.yt/data/index.html and check back whether this produces any error in /var/log/apache2/error.log, just to verify that it is indeed not parsed at all.

@michelleDeko

michelleDeko commented Nov 11, 2021

When I add random invalid lines, this error comes in data/index.html

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at my.name@domain.yt to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

Apache/2.4.48 (Ubuntu) Server at cloud.domain.yt Port 80

No new errors in the error.log https://paste.deko.yt/view/9589e71a

Also something I recognized. Since some days, nextcloud also says phpimagick is missing, but it's literally installed and enabled. It just came from one to the other night.

@MichaIng
Member Author

php-imagick cannot be related to this, it is not required, and whether it is a good recommendation at all or not is still a matter of discussion: #13099

So the .htaccess file is read. Last idea I have is that the related Apache2 module is not enabled, but that's actually hard to achieve (at least on Debian/Ubuntu variants you get an interactive warning). Try that:

a2enmod authz_core

@michelleDeko

root@v3179:# a2enmod authz_core
Module authz_core already enabled
root@v3179:#

@MichaIng
Member Author

Okay, then I'm basically out of ideas. The config file is parsed and this module is enabled, then access should be blocked:

<IfModule mod_authz_core.c>
  Require all denied
</IfModule>

Even if Satisfy Any is set, with your Apache2 version this would mean that mod_access_compat is enabled which would in turn override Satisfy Any as a result of this very issue and fix:

<IfModule mod_access_compat.c>
  Order Allow,Deny
  Deny from all
  Satisfy All
</IfModule>

While it would be interesting to have this debugged, probably on a more specialised Apache or webserver forum, StackExchange or so where more experts are attracted, an alternative for you now would be to move your Nextcloud userdata to a different location outside of the webroot: https://help.nextcloud.com/t/howto-change-move-data-directory-after-installation/17170
(Older HowTo, but I keep it updated)
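As an added example (not Nextcloud's own code, and not part of this thread), a small POSIX shell audit for a data-directory .htaccess like the ones pasted above: it checks that the Apache 2.4 section carries "Require all denied", that the mod_access_compat section carries the "Satisfy All" which overrides a vhost-level "Satisfy Any", and that every <IfModule> has a matching close, which is exactly what the <IifModule> typo discussed earlier breaks. The sample files it writes are constructed here; the file names and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not Nextcloud's own code: audit a Nextcloud-style .htaccess for
# the directives that keep the data directory closed, and catch unbalanced
# <IfModule> blocks such as the <IifModule> typo discussed in this thread.
# Exit status 0 means well-formed and protective, 1 means something is missing.
check_htaccess() {
    file=$1
    fails=0
    # Every <IfModule ...> needs a matching </IfModule>; a typo breaks the pair.
    opens=$(grep -c '^[[:space:]]*<IfModule' "$file" || true)
    closes=$(grep -c '^[[:space:]]*</IfModule>' "$file" || true)
    if [ "$opens" -ne "$closes" ]; then
        echo "$file: unbalanced IfModule blocks ($opens open, $closes close)"
        fails=1
    fi
    # Apache 2.4: mod_authz_core must be told "Require all denied".
    if ! sed -n '/<IfModule mod_authz_core.c>/,/<\/IfModule>/p' "$file" \
        | grep -q 'Require all denied'; then
        echo "$file: missing 'Require all denied' for mod_authz_core"
        fails=1
    fi
    # When mod_access_compat is loaded, this "Satisfy All" is what overrides a
    # vhost-level "Satisfy Any" (the gap this issue was about).
    if ! sed -n '/<IfModule mod_access_compat.c>/,/<\/IfModule>/p' "$file" \
        | grep -q 'Satisfy All'; then
        echo "$file: missing 'Satisfy All' for mod_access_compat"
        fails=1
    fi
    return $fails
}

# Constructed samples (hypothetical files): the correct Apache 2.4 section, then
# the same file with the first closing tag misspelt, as in the thread.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/good.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
  Require all denied
</IfModule>
<IfModule mod_access_compat.c>
  Order Allow,Deny
  Deny from all
  Satisfy All
</IfModule>
EOF
    sed '3s#</IfModule>#<IifModule>#' "$dir/good.htaccess" > "$dir/typo.htaccess"
    echo "$dir"
}
```

Run it against the real file with `check_htaccess /path/to/data/.htaccess`; a non-zero exit prints which directive or closing tag is missing.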

@michelleDeko

I just hope a Nextcloud Dev sees my problem and can help me here. If not, I probably need to find an alternative to nextcloud (though I can't really find one except owncloud)

@MichaIng
Member Author

MichaIng commented Nov 11, 2021

Likely not on a closed issue which has been addressed already. And furthermore it's not a Nextcloud issue but one with the webserver or its configuration.

@michelleDeko

So I can do pretty much nothing else than have this security issue? Because I already did everything that should make the .htaccess file work.

@MichaIng
Member Author

At least I am out of ideas, as long as you leave the data directory inside the webroot. Moving it away is not too hard, following the linked HowTo, and solves all related security issues most reliably. And else, as said, at best you ask for help on a more specialised forum related to webservers and/or Apache2 in particular.
