403 Forbidden error and .htaccess patch to resolve

[VincentvgNn]

Description

This is a continuation of the closed issue #8510.
The subject name has been changed because there is no correlation between the issue and the message ".... when an open_basedir is set, error 465".
Those messages are reported regurlary in the server log and the coincidence is just by chance.
The current issue is even not logged at all on the server!

Current issue:
Deleting a file in a folder that has been shared with you by someone else results in the messages:

- 403 Forbidden
- The item is not synced because of previous errors: 403 Forbidden 

The r/w rights that are set don't help.

I had a similar problem when using OC server 6.0.2.
By then deleting files and creating/deleting folders via the ownCloud r/w client did not work at all.

In OC server 6.0.3 the situation was somewhat better.
Deleting files was still not possible. Locally deleting at the client worked, but they were not deleted from the server and were downloaded again within shortest time.

Adding the following lines to the end of the .htaccess file solved the problems for all 3 server versions.

<Limit GET POST>
order allow,deny
allow from all
</Limit>
<Limit PUT DELETE>
order allow,deny
allow from all
</Limit>

To me it's not clear whether this fix is a safe one and above I have to repeat it for each automatically installed new server version.

How can this be fixed in the next OC server version?

I can help testing.

Current issue

Deleting a file in a folder that has been shared with you by someone else results in the messages:

- 403 Forbidden
- The item is not synced because of previous errors: 403 Forbidden 

The r/w rights that are set don't help.

Steps to reproduce

1. Install the OC server at a webhost with similar security and permission settings like web-oke.
2. Try, using the client software, to delete a file in a folder that has been r/w shared with you.
3. Apply the fix for the .htaccess file and the errors will not happen.

Expected behavior

A client with r/w rights should be able to perform these r/w actions.

Server configuration

I have the OC server 7.0.0 (stable) installed at a Dutch webhost.
Control via DirectAdmin, an own (non-shared) IP, ownCloud using https and encryption.
I seem to be located on one of their newer servers, probably with more uptodate security settings.
The auto-installer Installatron works flawlessly.

Operating system: Linux Hosting Package
Web server: Apache
Database: MySQL
PHP version: native, 5.5.
ownCloud version: 7.0.0 (stable) updated flawlessly from 6.0.3 by Installatron.
List of activated apps: default apps + encryption app
External storage: no
Encryption: yes, incl. recovery key that works fine.

Client configuration

Browser: Google Chrome, Firefox or IE11
Operating system: Win XP, Win 7 or Win 8
ownCloud version: 1.6.2rc2

[VincentvgNn]

Today 01-08-2014 I did the same experiment on a different domain name at a completely different hosting company.
Similar server configuration. ownCloud 7.0.0 server completely new installed!
I can reproduce the 403 error and the workaround there as well !!

[PVince81]

Does your hoster web server have default settings that automatically limit these WebDAV methods ?

Not sure why it only happens for shared folders in your case ?

[VincentvgNn]

@PVince81
I have the same problem at 2 different Dutch hosters and it's there since I started using ownCloud in April 2014. Improvements on the OC server were made and the problems decreased from no up/download at all to "Deletion forbidden".

Both hosters should have thousands of clients and they offer Linux and Windows hosting.
I expect that they use common up to date security settings for their Linux servers.
Many customers will run a Joomla website on their systems. And a lot of other software can be installed as well.
Is there anyone who knows how these kind of companies organize the permissions according to the latest security standards?
What do I resolve with the .htaccess file patch?

[PVince81]

And sometimes hosters enable PHP modules that mess up with HTTP requests.

@LukasReschke @bantu can you help ?

[LukasReschke]

@VincentvgNn What is your hoster? I find multiple ones called "web-ok".

[VincentvgNn]

My hosters are web-oke dot nl and csv-networks dot nl (sorry for not writing "oke").
Both have DirectAdmin as the user control panel. You can log in as a demo_user or demo_reseller via web-oke dot nl/demonstratie and see some of the user options.

[VincentvgNn]

@LukasReschke
I'm now using OC server 7.0.2 or 7.0.0 and OC client 1.6.3.
I have 2 OC servers running at the hosters web-oke dot nl and csv-networks dot nl.
Even when I connect as an OC Admin, I cannot delete or upload files. Error: 403 Forbidden.
The .htaccess patch by adding the 8 above mentioned lines solves the problem without knowing what I'm exactly doing.

@evert
Can you judge how to solve this (WebDAV?) problem in OC?

The same .htaccess solution has been mentioned on June 24th at: https://forum.owncloud.org/viewtopic.php?f=17&t=7536&start=10

[evert]

@VincentvgNn please don't include me in your threads anymore. If there's a sabredav issue or question, go through the mailing list of sabredav issue tracker.

• http://groups.google.com/group/sabredav-discuss
• https://github.com/fruux/sabre-dav

This particular one seems more suited for stackoverflow though.

[RobinMcCorkell]

Closing due to inactivity. I suspect that putting <Limit> directives in .htaccess will break some people's workflows - it is expected that the admin knows what restrictions are in place on their webserver and what needs to be modified, especially with WebDAV HTTP methods.

[VincentvgNn]

@Xenopathic
I'm sorry, but I'm quite frustrated that I never got an answer on this issue.
I still have this problem at 2 independant webhosting companies. I have a Joomla website running at both, I had Pydio (quite similar to ownCloud) recently installed and I never needed to adapt the .htaccess file in this way.
On the OC forum this solution was suggested by srfreeman (ownCloud professional, member of the OC development team?). See: https://forum.owncloud.org/viewtopic.php?f=26&t=19168
I contacted one of the webhosting companies and they didn't recognize this problem as having it with one of their other thousands of customers. Maybe not many are using ownCloud there.

Who understands the in an outs of these .htaccess directives and why do I need them only for OC?
Do these hosting companies follow a more strict security policy such that the standard OC setup cannot work without adapting the .htaccess file? Is it related to newer PHP-versions and default settings (I have PHP Version 5.5.21)?

It would be great if you could pass this issue to a specialist who knows about the details.

[LukasReschke]

On the OC forum this solution was suggested by srfreeman (ownCloud professional, member of the OC development team?).

No. The forum rank is generated automatically depending on the numbers of posts. Unless you see somebody with a rank called "Developer" these persons are likely not to be involved with dcore development.

@rakekniven Can we make this somewhat clearer?

That said, the thing is that there are a ton of ways that webhosters can and actually do modify to save resources on their machines or apply some questionable security enhancements (that actually do not much). In this case your workaround is likely to break other instances and should be properly adjusted in the webserver settings.

[RobinMcCorkell]

Perhaps it'd be a good idea to document this somewhere just so we can 👉 at it if other people have the same issue? cc @carlaschroder

[VincentvgNn]

Here is my latest documentation:

I could nowhere find a sufficient answer on my questions. Therefore I have been Googling around on this subject by using the key words "owncloud+.htaccess+limit+get+post+put+delete". More or less similar modifications in the .htaccess file can be found at a few places.

Note that all the links below do not need to be red.

The problem does not only occur at the 2 web-hosts that I'm using, but also at:

• http://www.winfuture-forum.de/index.php?showtopic=207601 (hosting at one.com, the .htaccess fix has not been delivered by OC)
• http://stephanvaningen.net/node/13 (DirectAdmin and Installatron, at a webhost, slightly different code to fix)
• https://www.ermis.nl/helpdesk/knowledgebase.php?article=75 (webhost)
• http://ton.zimt.at/2014/09/13/hoststar-owncloud-problem-mit-sync-client-webdav-caldav-etc/ (own Raspberry Pi setup)

At the ownCloud forum this issue has been discussed at:

• https://forum.owncloud.org/viewtopic.php?f=3&t=2071 (403 on *Dav services)
• https://forum.owncloud.org/viewtopic.php?f=14&t=15521 (Unable to upload file through client (problem: Forbidden))
• https://forum.owncloud.org/viewtopic.php?f=17&t=7536 (How to fix CalDAV|CardDAV|WebDAV problems)
• https://forum.owncloud.org/viewtopic.php?f=26&t=21065 (403 forbidden when trying to sync)
• https://forum.owncloud.org/viewtopic.php?f=26&t=19168 (The item is not synced because of previous errors: Forbidden)
• https://forum.owncloud.org/viewtopic.php?f=26&t=20244 (Re: Patch fix open_basedir enabled for 6.0.2)

The Apache " Directive" can be found at: http://httpd.apache.org/docs/current/mod/core.html#limit
From that I learned that the 8 lines for the patch can be reduced to 4:

<Limit GET POST PUT DELETE>
order allow,deny
allow from all
</Limit>

It is quite good possible that the allowed HTTP access methods are at some hosters by default restricted to GET and POST and that "less safe methods" are not allowed.
This is mentioned at: http://stackoverflow.com/questions/5081747/htaccess-order-allow-deny-deny-from-all-confused
And also at: http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol

The order and allow directives are described at:
http://httpd.apache.org/docs/current/mod/mod_access_compat.html#order
http://httpd.apache.org/docs/current/mod/mod_access_compat.html#allow
http://www.maxi-pedia.com/order+allow+deny

The result of the patch is that all users, that are allowed access to the ownCloud data, will be allowed to use the HTTP access methods GET POST PUT and DELETE. Anyway nothing more than just needed for ownCloud.
So I consider this patch as safe. Please correct me if I'm wrong.

Remaining open question:
Pydio is very similar to OwnCloud. For evaluation I have it installed on the same server and there I do not need to modify the settings for these Apache HTTP methods. And in the Pydio .htaccess file or in some other config file I cannot find anything about modifying these settings. So there I find no indication that my server doesn't allow the required HTTP methods.
Why do I need the .htaccess fix for ownCloud only?

[RobinMcCorkell]

If the server uses Basic authentication, then these lines might cause the authentication to be skipped for all GET, POST, PUT and DELETE requests, which isn't a good thing. Could you clarify @LukasReschke

[arturluizbr]

I always get forbidden issue, after installing or updating owncloud (most recent versions, including 8.0.3), and:

<Limit GET POST>
order allow,deny
allow from all
</Limit>
<Limit PUT DELETE>
order allow,deny
allow from all
</Limit>

Always fix it.

Btw, I use CentOS Web Panel.

[carlaschroder]

@Xenopathic Yes, this issue is a good candidate for the doc Wiki https://github.com/owncloud/documentation/wiki, or the Issues and Troubleshooting doc https://github.com/owncloud/documentation/blob/stable8/admin_manual/issues/index.rst I'll have time to look at it in a couple of weeks, so anyone who wants to publish something on the Wiki now is welcome.

[ghost]

Hi,

The result of the patch is that all users, that are allowed access to the ownCloud data, will be allowed to use the HTTP access methods GET POST PUT and DELETE. Anyway nothing more than just needed for ownCloud.
So I consider this patch as safe. Please correct me if I'm wrong.

thats definitely not enough for ownCloud. At least PROPFIND, PATCH and some more WebDAV methods which i can't remember are needed.

[VincentvgNn]

@RealRancor
Thanks for the addition.
I also was wondering why I don't need to redefine additional HTTP methods as allowed as well.
Up to now I didn't notice any problems related to that.
I currently use the 4 line patch as I wrote on May 18th. It works, I trust it and it's unclear to me why I just need the patch for GET, POST, PUT and DELETE only. It may be true that I'm not using the other methods in my situation because I'm not using WebDAV access. As soon as I get error messages related to PROPFIND, PROPPATCH and so on, I'll try to redefine them in the same way.

[ghost]

@VincentvgNn
Yes, those are mostly used for WebDAV/CalDAV and CardDAV. A full list could be:

DELETE PROPFIND PUT GET HEAD POST OPTIONS REPORT MKCOL MOVE PROPPATCH COPY

[VincentvgNn]

I found a good survey and a tutorial for the 8 standard HTTP methods and for the 7 additional WebDAV methods at:
http://www.tutorialspoint.com/http/http_methods.htm
http://en.wikipedia.org/wiki/WebDAV

[carlaschroder]

So, let me see if I understand this issue: ownCloud admins on shared hosting may need elaborate workarounds involving deep knowledge of HTTP methods and .htaccess to workaround their host's configurations to get Webdav to work?

[VincentvgNn]

@carlaschroder
Yes, you are 100% right.

Adding that workaround, i.e. changing the .htaccess file, is not the most difficult thing to do. But understanding what you'r doing, what is needed and what the consequences may be, is very difficult to find.

[RobinMcCorkell]

By bundling those changes with ownCloud we would be forcefully disabling any host-based access control to ownCloud, potentially with huge security implications.

An idea came to me however - in the admin settings, we could do a check for the various DAV methods, and if they are not working then a configuration warning with a documentation link will be displayed. I don't know how feasible this would be to implement however

[carlaschroder]

There are a number of issues with running ownCloud on shared hosting. Perhaps some of you could help me collect them in the doc Wiki, https://github.com/owncloud/documentation/wiki/Running-ownCloud-on-shared-hosting Please reference Github issues if you can, and comments about your own experiences and workarounds.

[VincentvgNn]

@carlaschroder
Great that you setup the collection in the doc Wiki.
I added core issue #15044 there. I expected that it would have been solved in the current server 8.0.3. But somehow this might have been delayed to server 8.0.4 or later.

@Xenopathic
I had 3 versions of OC running at the same time and for each I had to modify the .htaccess file. So enabling more HTTP access methods than by default set by the web-host for running a website seems to be valid only for the folder tree where the .htaccess file is placed in. Therefore I cannot see security implications when bundling these .htaccess modifications with ownCloud. Am I right in that?

Your idea about detecting the enabled HTTP methods and giving a message referring to the documentation is a neat solution. Similar to #15044 where I also got a warning for something missing.

[RobinMcCorkell]

@VincentvgNn The security implications are those of when an ownCloud installation is supposed to be locked down by host access restrictions, be that to a local subnet or whatever. With the proposed htaccess changes those restrictions would be disabled, in such a way that an admin might not notice until it is too late (given that ownCloud will happily overwrite the htaccess file, and the htaccess overrides any global settings at the web server level)

[carlaschroder]

Thanks @VincentvgNn, I saw your addition to the Wiki. Everything that goes there will help me sort out what needs to go into the manuals.

[carlaschroder]

So, the answer is to allow everything?

[ghost]

I think yes, until some one is coming up with an official list of needed http verbs/methods.

[LukasReschke]

All except TRACE - yes.

[ghost]

Ah yes, completely forgot about XST.