403 Forbidden error and .htaccess patch to resolve #10084
Comments
Today 01-08-2014 I did the same experiment on a different domain name at a completely different hosting company. |
Does your hoster web server have default settings that automatically limit these WebDAV methods ? Not sure why it only happens for shared folders in your case ? |
@PVince81 Both hosters should have thousands of clients and they offer Linux and Windows hosting. |
And sometimes hosters enable PHP modules that mess up with HTTP requests. @LukasReschke @bantu can you help ? |
@VincentvgNn What is your hoster? I find multiple ones called "web-ok". |
My hosters are web-oke dot nl and csv-networks dot nl (sorry for not writing "oke"). |
@LukasReschke @evert The same .htaccess solution has been mentioned on June 24th at: https://forum.owncloud.org/viewtopic.php?f=17&t=7536&start=10 |
@VincentvgNn please don't include me in your threads anymore. If there's a sabredav issue or question, go through the mailing list or sabredav issue tracker. This particular one seems more suited for stackoverflow though. |
Closing due to inactivity. I suspect that putting |
@Xenopathic Who understands the ins and outs of these .htaccess directives and why do I need them only for OC? It would be great if you could pass this issue to a specialist who knows about the details. |
No. The forum rank is generated automatically depending on the numbers of posts. Unless you see somebody with a rank called "Developer" these persons are likely not to be involved with core development. @rakekniven Can we make this somewhat clearer? That said, the thing is that there are a ton of ways that webhosters can and actually do modify to save resources on their machines or apply some questionable security enhancements (that actually do not much). In this case your workaround is likely to break other instances and should be properly adjusted in the webserver settings. |
Perhaps it'd be a good idea to document this somewhere just so we can 👉 at it if other people have the same issue? cc @carlaschroder |
Here is my latest documentation: I could nowhere find a sufficient answer to my questions. Therefore I have been Googling around on this subject by using the key words "owncloud+.htaccess+limit+get+post+put+delete". More or less similar modifications in the .htaccess file can be found at a few places. Note that all the links below do not need to be read. The problem does not only occur at the 2 web-hosts that I'm using, but also at:
At the ownCloud forum this issue has been discussed at:
The Apache "<Limit> Directive" can be found at: http://httpd.apache.org/docs/current/mod/core.html#limit
It is quite possible that the allowed HTTP access methods are at some hosters by default restricted to GET and POST and that "less safe methods" are not allowed. The order and allow directives are described at: The result of the patch is that all users, that are allowed access to the ownCloud data, will be allowed to use the HTTP access methods GET POST PUT and DELETE. Anyway nothing more than just needed for ownCloud. Remaining open question: |
If the server uses Basic authentication, then these lines might cause the authentication to be skipped for all GET, POST, PUT and DELETE requests, which isn't a good thing. Could you clarify @LukasReschke |
I always get forbidden issue, after installing or updating owncloud (most recent versions, including 8.0.3), and:
Always fix it. Btw, I use CentOS Web Panel. |
@Xenopathic Yes, this issue is a good candidate for the doc Wiki https://github.com/owncloud/documentation/wiki, or the Issues and Troubleshooting doc https://github.com/owncloud/documentation/blob/stable8/admin_manual/issues/index.rst I'll have time to look at it in a couple of weeks, so anyone who wants to publish something on the Wiki now is welcome. |
Hi,
that's definitely not enough for ownCloud. At least PROPFIND, PATCH and some more WebDAV methods which I can't remember are needed. |
@RealRancor |
@VincentvgNn
|
I found a good survey and a tutorial for the 8 standard HTTP methods and for the 7 additional WebDAV methods at: |
So, let me see if I understand this issue: ownCloud admins on shared hosting may need elaborate workarounds involving deep knowledge of HTTP methods and .htaccess to work around their host's configurations to get Webdav to work? |
@carlaschroder Adding that workaround, i.e. changing the .htaccess file, is not the most difficult thing to do. But understanding what you're doing, what is needed and what the consequences may be, is very difficult to find. |
By bundling those changes with ownCloud we would be forcefully disabling any host-based access control to ownCloud, potentially with huge security implications. An idea came to me however - in the admin settings, we could do a check for the various DAV methods, and if they are not working then a configuration warning with a documentation link will be displayed. I don't know how feasible this would be to implement however |
There are a number of issues with running ownCloud on shared hosting. Perhaps some of you could help me collect them in the doc Wiki, https://github.com/owncloud/documentation/wiki/Running-ownCloud-on-shared-hosting Please reference Github issues if you can, and comments about your own experiences and workarounds. |
@carlaschroder @Xenopathic Your idea about detecting the enabled HTTP methods and giving a message referring to the documentation is a neat solution. Similar to #15044 where I also got a warning for something missing. |
@VincentvgNn The security implications are those of when an ownCloud installation is supposed to be locked down by host access restrictions, be that to a local subnet or whatever. With the proposed htaccess changes those restrictions would be disabled, in such a way that an admin might not notice until it is too late (given that ownCloud will happily overwrite the htaccess file, and the htaccess overrides any global settings at the web server level) |
Thanks @VincentvgNn, I saw your addition to the Wiki. Everything that goes there will help me sort out what needs to go into the manuals. |
So, the answer is to allow everything? |
I think yes, until someone is coming up with an official list of needed http verbs/methods. |
All except TRACE - yes. |
Ah yes, completely forgot about XST. |
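
An added example, not part of the thread and not ownCloud code: a small audit of `.htaccess` content for the kind of `<Limit>` block discussed above, reporting whether it admits every client, which WebDAV methods it leaves uncovered, and whether TRACE is listed. The sample file is constructed (it is not the patch from this issue), and using the RFC 4918 method set as the list ownCloud needs is an assumption.

```python
import re

# RFC 4918 WebDAV methods. The thread names only PROPFIND and PATCH, so treating
# this set as what ownCloud needs is an assumption, not an official list.
DAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

LIMIT_OPEN = re.compile(r"^\s*<Limit\s+([^>]+)>", re.I)
LIMIT_CLOSE = re.compile(r"^\s*</Limit>", re.I)
# Apache 2.2 and 2.4 spellings of "let every client in".
ALLOW_ALL = re.compile(r"^\s*(Allow\s+from\s+all|Require\s+all\s+granted)\s*$", re.I)


def audit_htaccess(text):
    """Return one finding per <Limit> block found in .htaccess content."""
    findings, block = [], None
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comment lines carry no directives
        opened = LIMIT_OPEN.match(line)
        if opened:
            methods = {m.upper() for m in opened.group(1).split()}
            block = {"line": lineno, "methods": methods, "allow_all": False}
        elif block is not None and ALLOW_ALL.match(line):
            block["allow_all"] = True
        elif block is not None and LIMIT_CLOSE.match(line):
            # <Limit> only governs the methods it lists; the rest keep the
            # host's default, so they may still be answered with 403.
            block["uncovered_dav"] = sorted(DAV_METHODS - block["methods"])
            block["lists_trace"] = "TRACE" in block["methods"]
            findings.append(block)
            block = None
    return findings


# Constructed sample for illustration; not the patch posted in this issue.
SAMPLE = """\
# appended by an admin
<Limit GET POST PUT DELETE>
Order allow,deny
Allow from all
</Limit>
"""

if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE):
        print(f"line {f['line']}: {sorted(f['methods'])}")
        print("  allow-all inside block:", f["allow_all"])
        print("  DAV methods not covered:", f["uncovered_dav"])
        print("  TRACE listed:", f["lists_trace"])
```

A block that reports `allow_all` is the case raised in the thread where host-based access restrictions stop applying to the listed methods, so it is worth reviewing after every upgrade that rewrites the file.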
Description
This is a continuation of the closed issue #8510.
The subject name has been changed because there is no correlation between the issue and the message ".... when an open_basedir is set, error 465".
Those messages are reported regularly in the server log and the coincidence is just by chance.
The current issue is even not logged at all on the server!
Current issue:
Deleting a file in a folder that has been shared with you by someone else results in the messages:
The r/w rights that are set don't help.
I had a similar problem when using OC server 6.0.2.
By then deleting files and creating/deleting folders via the ownCloud r/w client did not work at all.
In OC server 6.0.3 the situation was somewhat better.
Deleting files was still not possible. Locally deleting at the client worked, but they were not deleted from the server and were downloaded again within shortest time.
Adding the following lines to the end of the .htaccess file solved the problems for all 3 server versions.
To me it's not clear whether this fix is a safe one and above I have to repeat it for each automatically installed new server version.
How can this be fixed in the next OC server version?
I can help testing.
Current issue
Deleting a file in a folder that has been shared with you by someone else results in the messages:
The r/w rights that are set don't help.
Steps to reproduce
Expected behavior
A client with r/w rights should be able to perform these r/w actions.
Server configuration
I have the OC server 7.0.0 (stable) installed at a Dutch webhost.
Control via DirectAdmin, an own (non-shared) IP, ownCloud using https and encryption.
I seem to be located on one of their newer servers, probably with more up-to-date security settings.
The auto-installer Installatron works flawlessly.
Operating system: Linux Hosting Package
Web server: Apache
Database: MySQL
PHP version: native, 5.5.
ownCloud version: 7.0.0 (stable) updated flawlessly from 6.0.3 by Installatron.
List of activated apps: default apps + encryption app
External storage: no
Encryption: yes, incl. recovery key that works fine.
Client configuration
Browser: Google Chrome, Firefox or IE11
Operating system: Win XP, Win 7 or Win 8
ownCloud version: 1.6.2rc2