Consider Satisfy all in data/.htaccess

[LukasReschke]

Should we add Satisfy all in data/.htaccess to prevent potential mistakes where somebody protected their ownCloud instance with a Basic Auth login and forgot to properly configure the data dir manually again?

As per https://wiki.apache.org/httpd/BypassAuthenticationOrAuthorizationRequirements:

Satisfy All Allows the request only if both requirements are met (authentication AND access).

From my PoV this wouldn't really hurt and it seems to work locally.

Opinions?

[LukasReschke]

Related #14280 and #13731

[LukasReschke]

Proposal at #14359

[LukasReschke]

That said I don't have any strong feelings towards or against this…

[LukasReschke]

@jnweiger This was reported by somebody to our security ML who had basically the following additional config to what we have in our Debian 7 packages for 8.0:

<Directory /var/www/>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride All
  Order allow,deny
  allow from all
  AuthUserFile /var/www/.htpasswd
  AuthType Basic
  AuthName "Authenticated users only"
  Require valid-user
</Directory>
<Directory /var/www/owncloud/>
  Satisfy any
</Directory>

The Satisfy Any here obviously caused the problems and in my opinion this is a misconfiguration and not a direct security problem of ownCloud.

However, to make the life of future users easier and make the risk of misconfiguration as low as possible I proposed this change here.

What do you think? Makes this sense?

[jnweiger]

@LukasReschke where did the 'Satisfy Any' come from? I don't see it Linux packages.
I agree, 'Satisfy All' is definitly better. Aka much more robust.

[LukasReschke]

That's the user's own setting in addition with the packages.

[RobinMcCorkell]

Only question is, what if someone puts their auth code in the server configs, not in the .htaccess, and installs ownCloud expecting it to honour that? A .htaccess always overwrites the server configuration (unless disabled ofc), and it might catch some people out. Or are we expecting people to edit the .htaccess if they want to implement Basic auth or something?

[LukasReschke]

Well.. It's kinda the purpose that /data/ is never accessible even if you configure it like that by mistake in your server config ;)

[LukasReschke]

See #14359 for the actual change.

[RobinMcCorkell]

Wait, data/.htaccess, not just .htaccess. Doh!

[LukasReschke]

😄

[jnweiger]

For best security I'd recommend to configure the data folder somewhere outside of any webserver tree.
It is never directly accessed by the webserver.