From 9f8bbc2bf39476799bff90f51c294d72b351f7a7 Mon Sep 17 00:00:00 2001 From: Lukas Reschke Date: Tue, 28 Oct 2014 18:22:34 +0100 Subject: [PATCH 1/3] Add hardened permission example --- .../installation/installation_source.rst | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/admin_manual/installation/installation_source.rst b/admin_manual/installation/installation_source.rst index 5402451d0..1fd481b06 100644 --- a/admin_manual/installation/installation_source.rst +++ b/admin_manual/installation/installation_source.rst @@ -159,6 +159,9 @@ via the ownCloud Web interface. If you are planning to use the automatic updater app for updating ownCloud, the whole ``owncloud/`` directory must be writable by the HTTP user. +If you do not plan to use the updater application we recommend setting the directory +permissions as strict as possible, an example can be found below. + You can find your HTTP user in your HTTP server configuration files. Or you can create a PHP page to find it for you. To do this, create a plain text file with a single line in it: @@ -179,6 +182,17 @@ should see a single line in your browser page with the HTTP user name. directory is:: chown -R : /path/to/owncloud/ + +* For hardenend security we highly recommend setting the following permissions as strict as possible, + however some feature such as the integrated updater application will not work anymore. Please + note, that this commands should be executed after the initial installation:: + + chown -R root:root /path/to/owncloud/ + chown : /path/to/owncloud/config/config.php + chown -R : /path/to/owncloud/data/ + chown root:root /path/to/owncloud/data/.htaccess + chown : /path/to/owncloud/apps/ + * This example is for Ubuntu 14.04 LTS server:: @@ -401,4 +415,4 @@ See :doc:`configuration_yaws` **Hiawatha Configuration** -See :doc:`configuration_hiawatha` \ No newline at end of file +See :doc:`configuration_hiawatha` 
From d9cfbda8717c7b6efa91d3ffb418f43cfc6bfbfe Mon Sep 17 00:00:00 2001 From: Carla Schroder Date: Tue, 28 Oct 2014 21:11:24 -0700 Subject: [PATCH 2/3] Update installation_source.rst --- .../installation/installation_source.rst | 29 +++++++++---------- 1 file changed, 14 insertions(+), 15 deletions(-) diff --git a/admin_manual/installation/installation_source.rst b/admin_manual/installation/installation_source.rst index 1fd481b06..78fe03006 100644 --- a/admin_manual/installation/installation_source.rst +++ b/admin_manual/installation/installation_source.rst @@ -147,20 +147,16 @@ Now download the archive of the latest ownCloud version: document root of your Web server. Typically, on Ubuntu systems this ``/var/www/owncloud``, so your copying command is:: - cp -r owncloud /var/www/` + cp -r owncloud /var/www/ -Set the Directory Permissions ------------------------------ +Setting Secure Directory Permissions +------------------------------------ Your HTTP user must own at least the ``config/``, ``data/`` and ``apps/`` directories in your ownCloud directory so that you can configure ownCloud, create, modify and delete your data files, and install apps -via the ownCloud Web interface. If you are planning to use the automatic -updater app for updating ownCloud, the whole ``owncloud/`` directory must be -writable by the HTTP user. - -If you do not plan to use the updater application we recommend setting the directory -permissions as strict as possible, an example can be found below. +via the ownCloud Web interface. We recommend setting the directory +permissions as strictly as possible for stronger security. You can find your HTTP user in your HTTP server configuration files. Or you can create a PHP page to find it for you. To do this, create a plain text file with 
@@ -169,7 +165,7 @@ a single line in it: ```` Name it ``whoami.php`` and place it in your ``/var/www/html`` directory, and -then open it in a Web browser, for example ``http://servername/whoami.php``. You +then open it in a Web browser, for example ``http://localhost/whoami.php``. You should see a single line in your browser page with the HTTP user name. .. note:: When using an NFS mount for the data directory, do not change @@ -178,14 +174,13 @@ should see a single line in your browser page with the HTTP user name. ownership as above could result in some issues if the NFS mount is lost. -* The generic command to change ownership of all files and subdirectories in a - directory is:: +The generic command to change ownership of all files and subdirectories in a +directory is:: chown -R : /path/to/owncloud/ -* For hardenend security we highly recommend setting the following permissions as strict as possible, - however some feature such as the integrated updater application will not work anymore. Please - note, that this commands should be executed after the initial installation:: + For hardened security we highly recommend setting the permissions on your ownCloud directory as strictly + as possible. These commands should be executed immediately after the initial installation:: chown -R root:root /path/to/owncloud/ chown : /path/to/owncloud/config/config.php @@ -193,6 +188,8 @@ should see a single line in your browser page with the HTTP user name. chown root:root /path/to/owncloud/data/.htaccess chown : /path/to/owncloud/apps/ +These strict permissions will prevent the Updater app from working. If you use the Updater app, it needs your whole +ownCloud directory to be owned by the http-user, like these examples: * This example is for Ubuntu 14.04 LTS server:: 
@@ -209,6 +206,8 @@ should see a single line in your browser page with the HTTP user name. * openSUSE:: chown -R wwwrun:www /path/to/owncloud/ + +After the Update app has run, you should re-apply the strict permissions. Apache is the recommended Web server. From 91c83c9fb7701f85feaeeebb78a11c32d4d3db29 Mon Sep 17 00:00:00 2001 From: Carla Schroder Date: Tue, 28 Oct 2014 21:13:22 -0700 Subject: [PATCH 3/3] Update installation_source.rst --- admin_manual/installation/installation_source.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/admin_manual/installation/installation_source.rst b/admin_manual/installation/installation_source.rst index 78fe03006..c68635a04 100644 --- a/admin_manual/installation/installation_source.rst +++ b/admin_manual/installation/installation_source.rst @@ -179,8 +179,8 @@ directory is:: chown -R : /path/to/owncloud/ - For hardened security we highly recommend setting the permissions on your ownCloud directory as strictly - as possible. These commands should be executed immediately after the initial installation:: +For hardened security we highly recommend setting the permissions on your ownCloud directory as strictly +as possible. These commands should be executed immediately after the initial installation:: chown -R root:root /path/to/owncloud/ chown : /path/to/owncloud/config/config.php
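Review bot: In PATCH 1/3, hunk @@ -179,6 +182,17, the last added command, `chown : /path/to/owncloud/apps/`, is not recursive, unlike the `chown -R` on `data/`, so after the preceding `chown -R root:root /path/to/owncloud/` every app already under `apps/` stays root-owned and only the directory itself changes owner. If that is the intent (apps can be added from the Web interface, shipped ones cannot be altered by the web process), say so in the bullet; otherwise add `-R`. The same block sets `data/.htaccess` to root:root inside a directory whose ownership was just handed over by the recursive chown on `data/`; the owner of a directory can still remove and recreate a file in it, so the text should state what that line is meant to protect. Wording in the bullet: "hardenend" should be "hardened", "some feature" should be "some features", and "this commands" should be "these commands".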
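Review bot: In PATCH 2/3, hunk @@ -147,20 +147,16, the retitled section "Setting Secure Directory Permissions" keeps the opening sentence "Your HTTP user must own at least the ``config/``, ``data/`` and ``apps/`` directories", which contradicts the hardened commands further down that leave `config/` root-owned and hand over only `config/config.php`. Reword the sentence so it matches the commands, or explain why the two differ. Every command in the section is a `chown`, so the heading and the added "setting the directory permissions as strictly as possible" should either say ownership or be backed by the mode bits the reader is expected to set.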
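Review bot: In PATCH 2/3, hunk @@ -169,7 +165,7, changing the example URL to ``http://localhost/whoami.php`` only works when the browser runs on the server itself, which is not the usual case for the Ubuntu server install this page describes; keep a placeholder host or mention both. The step also leaves `whoami.php` in `/var/www/html` with no instruction to delete it, so add a sentence telling the reader to remove the file once the HTTP user name has been read.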
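Review bot: In PATCH 2/3, hunk @@ -178,14 +174,13, the two added lines beginning "+ For hardened security" and "+ as possible." carry a leading space, and indentation is significant in reStructuredText, so the paragraph will not render as ordinary body text after the preceding literal block. PATCH 3/3 removes that space and nothing else, so fold it into this commit rather than shipping a known-broken intermediate revision. The hunk also moves the warning about the Updater app to after the command block; a reader who copies the commands before reading on will miss it, so consider keeping one clause about the Updater in the sentence that introduces the commands.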
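Review bot: In PATCH 2/3, hunk @@ -209,6 +206,8, the added sentence says "Update app" while the paragraph added in the previous hunk says "Updater app"; use one name. "You should re-apply the strict permissions" is also too soft for a section about hardening: while the whole tree is owned by the HTTP user, the web process can write to all of it, so say that the strict ownership commands are to be re-run immediately after the update finishes and point back to the command block by name.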