updating strong permissions instructions

admin_manual/installation/installation_wizard.rst

@@ -68,9 +68,9 @@ Database Choice
     same username as you specified for the administrative user, plus an
     ``oc_`` prefix) and will use that for all subsequent database access.
 
-  * There are restrictions as to what characters a database name
-      may or may not contain, see the
-      `MySQL Schema Object Names documentation`_ for details);
+  * There are restrictions as to what characters a database name may or may 
+    not contain; see the
+    `MySQL Schema Object Names documentation`_ for details);
 
 Finish Installation
 ~~~~~~~~~~~~~~~~~~~
@@ -83,9 +83,80 @@ Finish Installation
 Setting Strong Directory Permissions
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-For improved server security, you should set strong permissions on your 
-ownCloud directories according to the **Setting Strong Directory Permissions** 
-section of :doc:`source_installation`.
+For hardened security we highly recommend setting the permissions on your 
+ownCloud directory as strictly as possible. These commands should be executed 
+immediately after the initial installation. Your HTTP user must own at least the 
+``config/``, ``data/`` and ``apps/`` directories in your ownCloud directory so 
+that you can configure ownCloud, create, modify and delete your data files, and 
+install apps via the ownCloud Web interface. 
+
+You can find your HTTP user in your HTTP server configuration files. Or you can 
+create a PHP page to find it for you. To do this, create a plain text file with 
+a single line in it:
+
+      ``<?php echo exec('whoami'); ?>``
+   
+Name it ``whoami.php`` and place it in your ``/var/www/html`` directory, and 
+then open it in a Web browser, for example ``http://localhost/whoami.php``. You 
+should see a single line in your browser page with the HTTP user name.
+
+* The HTTP user and group in Debian/Ubuntu is ``www-data``.
+* The HTTP user and group in Fedora/CentOS is ``apache``.
+* The HTTP user and group in Arch Linux is ``http``.
+* The HTTP user in openSUSE is ``wwwrun``, and the HTTP group is ``www``.
+
+.. note:: When using an NFS mount for the data directory, do not change its 
+   ownership from the default. The simple act of mounting the drive will set 
+   proper permissions for ownCloud to write to the directory. Changing 
+   ownership as above could result in some issues if the NFS mount is 
+   lost.
+
+The easy way to set the correct permissions is to copy and run this 
+script. Replace the ``ocpath`` variable with the path to your ownCloud 
+directory, and replace the ``htuser`` variable with your own HTTP user::
+
+ #!/bin/bash
+ ocpath='/var/www/owncloud'
+ htuser='www-data'
+
+ find ${ocpath}/ -type f -print0 | xargs -0 chmod 0640
+ find ${ocpath}/ -type d -print0 | xargs -0 chmod 0750
+
+ chown -R root:${htuser} ${ocpath}/
+ chown -R ${htuser}:root ${ocpath}/apps/
+ chown -R ${htuser}:root ${ocpath}/config/
+ chown -R ${htuser}:root ${ocpath}/data/
+
+ chown ${htuser}:root ${ocpath}/.htaccess
+ chown root:${htuser} ${ocpath}/data/.htaccess
+ 
+If you have customized your ownCloud installation and your filepaths are 
+different than the standard installation, then modify this script accordingly. 
+
+This lists the recommended modes and ownership for your ownCloud directories 
+and files:
+
+* All files should be read-write for the file owner, read-only for the 
+  group owner, and zero for the world
+* All directories should be executable (because directories always need the 
+  executable bit set), read-write for the directory owner, and read-only for 
+  the group owner
+* The :file:`/` directory should be owned by ``root:[HTTP user]``
+* The :file:`apps/` directory should be owned by ``[HTTP user]:root``
+* The :file:`config/` directory should be owned by ``[HTTP user]:root``
+* The :file:`data/` directory should be owned by ``[HTTP user]:root``
+* The :file:`[ocpath]/.htaccess` file should be owned by ``[HTTP user]:root``
+* The :file:`data/.htaccess` file should be owned by ``root:[HTTP user]``
+
+For example, on Ubuntu Linux these commands set the ownership and permissions 
+on the :file:`data/` directory::
+ 
+ $ sudo chown -R www-data:root /var/www/owncloud/data
+ $ sudo chmod 0750 /var/www/owncloud/data
+ 
+All new files in the :file:`data/` directory automatically inherit the correct 
+permissions, 0640, 
+
 
 Trusted Domains
 ~~~~~~~~~~~~~~~

admin_manual/installation/linux_installation.rst

@@ -14,7 +14,9 @@ repository, download and install the repository signing key, and install
 ownCloud. Then run the Installation Wizard to complete your installation. (see 
 :doc:`installation_wizard`).
 
-If your distribution is not listed, your Linux distribution may maintain its own ownCloud packages, or you may prefer to install from source code (see :doc:`source_installation`).
+If your distribution is not listed, your Linux distribution may maintain its own 
+ownCloud packages, or you may prefer to install from source code (see 
+:doc:`source_installation`).
 
 .. _openSUSE Build Service: http://software.opensuse.org/download.html?project=isv:ownCloud:community&package=owncloud
 

admin_manual/installation/source_installation.rst

@@ -153,7 +153,9 @@ Installation Wizard
 Finish setting up your ownCloud server by following 
 the :doc:`installation_wizard`.
 
-After running the Installation Wizard your ownCloud installation is complete. However, you should perform the following steps to improve your server's security.
+After running the Installation Wizard your ownCloud installation is complete. 
+However, you should perform the following steps to improve your server's 
+security.
 
 Setting Strong Directory Permissions
 ------------------------------------

admin_manual/maintenance/update.rst

@@ -15,9 +15,10 @@ Major releases are indicated by the first and second digits. So 4.5.0, 5.0.0,
 6.0.0, and 7.0.0 are major releases. The Updater app is not for upgrades; 
 please see :doc:`upgrade` for instructions on upgrading to a major release.
 
-If you installed ownCloud from your Linux distribution repositories using your 
-package manager, then it is best to update/upgrade ownCloud using your package 
-manager and staying in sync with your distro updates, rather than using the 
+If you installed ownCloud from our `openSUSE Build Service repositories,` 
+<https://software.opensuse.org/download/package?project=isv:ownCloud:community& 
+package=owncloud>`_ or your own Linux distribution repositories, then it is best 
+to update/upgrade ownCloud using your package manager rather than using the 
 Updater app or upgrading manually. You should still maintain regular backups 
 (see :doc:`backup`), and make a backup before every update/upgrade. 
 
@@ -55,17 +56,7 @@ steps:
    always have your own current backups (See :doc:`backup` for details.)
    
 3. Verify that the HTTP user on your system can write to your whole ownCloud 
-   directory; on a stock Linux installation this is the ``www-data`` or 
-   ``apache`` user on systems that are running the Apache HTTP server. You can 
-   find your HTTP user in your HTTP server configuration files. Or you can 
-   create a PHP page to find it for you. To do this, create a plain text file 
-   with this single line in it:
-
-      ``<?php echo exec('whoami'); ?>``
-   
-   Name it ``whoami.php`` and place it in your Web root directory, for example ``/var/www/html``, and then open it in a Web browser, for example 
-   ``http://servername/whoami.php``. You should see a single line in your 
-   browser page with the HTTP user name.
+   directory; see the 
    
 4. Navigate to your 'Admin' page and click the 'Update Center' button under 
    Updater:
@@ -77,11 +68,9 @@ steps:
 .. figure:: ../images/updater-3.png
 
 6. Click Update, and carefully read the messages. If there are any problems it 
-   will tell you. The most common issue is directory permissions; see :ref:`setting_strong_permissions`.
-   
-   
-   otherwise you will see a message about checking your 
-   installation, making a backup, and moving files:
+will tell you. The most common issue is directory permissions; see 
+:ref:`setting_strong_permissions`. Otherwise you will see a message about 
+checking your installation, making a backup, and moving files:
 
 .. figure:: ../images/updater-4.png
 
@@ -109,30 +98,19 @@ learn how to upgrade manually.
 
 Setting Strong Permissions
 --------------------------
-
-The generic command to change ownership of all files and subdirectories in a 
-directory is::
+   
+For hardened security we  highly recommend setting the permissions on your 
+ownCloud directory as strictly as possible. These commands should be executed 
+immediately after the initial installation. Please follow the steps in the 
+**Setting Strong Directory Permissions** section of 
+:doc:`../installation/installation_wizard`.
+    
+These strict permissions will prevent the Updater app from working, as it needs 
+your whole ownCloud directory to be owned by the HTTP user. The generic command 
+to change ownership of all files and subdirectories in a directory to the HTTP 
+user is::
 
     chown -R <http-user>:<http-user> /path/to/owncloud/
-    
-For hardened security we  highly recommend setting the permissions on your ownCloud directory as strictly 
-as possible. These commands should be executed immediately after the initial installation::
-  
-    chown -R root:root /path/to/owncloud/
-    chmod -R 755 /path/to/owncloud/
-    chown <http-user>:<http-user> /path/to/owncloud/config/
-    chmod 0750 /path/to/owncloud/config/
-    chown <http-user>:<http-user> /path/to/owncloud/config/config.php
-    chmod 750 /path/to/owncloud/config/config.php
-    chown -R <http-user>:<http-user> /path/to/owncloud/data/
-    chmod -R 750 /path/to/owncloud/data
-    chown root:root /path/to/owncloud/data/.htaccess
-    chmod 755 /path/to/owncloud/data/.htaccess
-    chown <http-user>:<http-user> /path/to/owncloud/apps/
-    chmod 750 /path/to/owncloud/apps/
-    
-These strict permissions will prevent the Updater app from working, as it needs your whole
-ownCloud directory to be owned by the http-user, like these examples:
 
 * This example is for Ubuntu 14.04 LTS server::
    
@@ -150,7 +128,7 @@ ownCloud directory to be owned by the http-user, like these examples:
 
     chown -R wwwrun:www /path/to/owncloud/
     
-After the Updater app has run, you should re-apply the strict permissions.    
+After the Updater app has run, you should re-apply the strict permissions.