OwnCloud 6 (owncloud.org)
87 points by lelf on Jan 4, 2014 | 39 comments

I installed ownCloud 5 on a "dedicated server" (a colocated Raspberry Pi running Raspbian) earlier today and I've just upgraded it to ownCloud version 6. It seems to work reasonably well after certain adjustments to the server's configuration.

If you're running ownCloud with nginx and php5-fpm on a low-performance host (not necessarily a Raspberry Pi but perhaps a cheap VPS) and keep getting "gateway timeout" errors when the desktop client uploads large files despite the relevant adjustments to php.ini [1] try to set

    fastcgi_read_timeout 600;

for ownCloud's php files' location in the nginx site configuration file (e.g., /etc/nginx/sites-enabled/default). That resolved the problem for me. The timeout errors notwithstanding, the files that I tried (up to approx. 600 MB in size each) still got uploaded to the server and their checksums matched when redownloaded.

Overall, it seems quite usable with the client; however, the web UI is painfully slow much of the time when hosted on the Pi.

Has anyone here used ownCloud "in production", which is to say, as a full-time replacement for Dropbox? Have you had any hiccups with synchronization?

[1] See, e.g., the first post at http://forum.owncloud.org/viewtopic.php?f=23&t=9440.

I use owncloud 6 - with all of its imperfections - it still beats storing things for NSA on google cloud.

P.S. Although I wish they'd just use existing framework like ZF2 or Symfony2 instead of reinventing the wheel.

While I haven't looked at the source, it is indeed a shame that they're not using a mature, battle-proven framework. With frameworks we have today, why would you roll your own, especially for a project like OwnCloud?

Unfortunately OwnCloud is written in sloppy PHP, and is therefore roughly equivalent to storing things for the NSA.

> colocated Raspberry Pi

That is correct. In case you're wondering, I signed up for it when I saw this story on HN: https://news.ycombinator.com/item?id=5946940. The service is nice and stable, with an Internet connection seemingly as fast as the Pi can handle. However, I had to wait quite a long time (~4 months) for my Pi to come online and due to overwhelming demand they're no longer offering it for free.

Edit: "Shoebox" jokes aside, their setup looks fairly impressive: http://www.raspberrypi.org/archives/3685.

Coming soon to a shoebox datacenter near you.

I have this[1] extension installed, and this is the most ridiculous thread.



Hey mmanfrin, I wanna touch your cloud ;)

Does Owncloud 6 come with block based syncing, so I can sync large files with minor modifications? What about support for inotify (Linux), FSEvents (OSX), kqueue (BSD) and ReadDirectoryChangesW (Windows)?

I think that's out of Owncloud's scope, you might want to take a look at Idera/R1soft.

You can give it a try using our Bitnami packages for OwnCloud. Free, ready-to-run native installers, virtual machines and cloud images (AWS/Azure) http://bitnami.com/stack/owncloud

Interesting link! Do you plan to offer a LAMP stack for ARM-based devices? I am running my home-server on a BeagleBone Black because electricity is expensive (2 € per Wattyear) and the BeagleBone only needs around 1 Watt of power (in addition to being dirt cheap).

By chance, setting up OwnCloud was my project for this afternoon and it is humming along nicely, but I always feel uneasy about exposing something to the interwebs that is only set up "sort-of" securely by some layman (me).

We have been discussing the idea on and off. We even had a proof of concept for one of the earlier ARM-based devices (SheevaPlug) but we have decided to concentrate on the most popular applications/platforms first (for example, we also supported Solaris at one point but stopped). We are a very small team so it is a matter of where to focus :-/

Is there a reason they chose to call it OwnButt? Seems a bit odd.

You seem to be using a Cloud-to-Butt extension. The product is actually called o.w.n.c.l.o.u.d.

I would like to use something like ownCloud but my sysadmin skills are certainly poorer than guys hired by Google or Dropbox. I worry that I might end up deleting my own data or mess up my installation. For example, I use Google apps and I worry that a messed up MX entry would send me to radio silence.

I've always been interested and supportive of services like these, but man I wish they changed that wall-of-text website of theirs. Their homepage is fairly similar.

I love it. What we usually get here on HN is some buzzwords and promises to solve all your very loosely defined problems coupled with stock photos and a signup page.

Are there any protocol specs out there, or does one have to dig through the source code and/or communication dumps to figure things out?

From what I understand, owncloud is basically webdav on the backend. (or at least has a webdav interface)

I refuse to run PHP applications for security and maintenance reasons, does anyone know of fair or similar alternatives in Python or Java?

FLOSS Weekly had one of the lead OwnCloud devs on recently. Of course, he was asked ‘why PHP’. Answer: to make it possible for as many people to deploy it as possible, on commodity shared hosting (or anything better they might have).

There's basically nothing that can achieve that level of deployability besides PHP.

Hearing that reasoning helped me with some of the concerns I had about its implementation language. It sounds like they know what they are doing, and are very careful (including careful code review), they just want the software to be as widely usable as possible.

OwnCloud has pretty regular discoveries of SQL injection and RCE vulnerabilities.


I'll say to their credit that at least they're serious enough to publish security advisories.

Some of these errors just shouldn't be possible in a well written code base, though. I would never run OwnCloud on my own servers, or use it to store anything remotely sensitive.

Jesus, these people look like security rookies. I guess I'm not gonna be trusting this to be a secure alternative to Dropbox.

There's nothing inherently wrong with PHP security. You can write crap and insecure applications in any language.

Yes, however, chmodding folders to 777 and placing sqlite databases in unprotected folders accessible for the entire interwebs does tend to give me little hope that these guys can actually produce secure PHP code. Sadly, as the software is pretty awesome featurewise.

There's never an excuse for chmod'ing something 777. That's just being too lazy to figure out the proper permissions.

If the parent folder limits access to a certain user or group, there aren't security problems and it may be exactly what you need.

For example, if you work with other people and you have a command to generate thumbnails from the shell, you may have a layout like this one:

    chmod  user      group  path
    2770   www-data  devs   /srv/www
    2777   foo       devs   /srv/www/site/thumbnails/

/srv/www/site/thumbnails may be accessed only by people in the 'devs' or 'www-data' group ('foo' can read it only if he's in the group 'devs'). The obvious alternative would be to set that directory as owned by 'www-data', but you need root access to do that (unless you put everybody in group 'www-data', but then everyone can access every site). This way every user in the group 'devs' can make directories usable by both his teammates and the webserver, without having root power or being in group www-data. Have more than one team? Use different groups for each team.

0777 (or more like 02777) is a perfectly valid permission for world-writeable directories. Except that the case "anyone may do anything here, this is a free and unrestricted file sharing area" is quite rare. And almost certainly not for anything under /var/www served by httpd with PHP support.
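
The disagreement in the comments above turns on whether a world-writable directory is actually reachable by "others" through its parents. The script below is an added example, not code from any commenter or from ownCloud; its function names are made up for illustration. It lists every world-writable directory under a root and marks it SHIELDED when the root or an intermediate directory lacks o+x (as with the 2770 /srv/www layout above) and EXPOSED otherwise.

```shell
#!/bin/sh
# Added example: classify world-writable directories under a root by whether
# "others" can traverse down to them. Function names are hypothetical.
# Scope assumption: only ROOT and the directories below it are examined;
# permissions of directories above ROOT are not checked.

# has_mode PATH MODE: succeeds if every bit in MODE is set on PATH itself.
has_mode() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# reachable_by_others ROOT DIR: succeeds if ROOT and each directory between
# ROOT and DIR carries the others-execute (search) bit.
reachable_by_others() {
    root=$1
    [ "$2" = "$root" ] && return 0
    p=$(dirname "$2")
    while :; do
        has_mode "$p" 0001 || return 1      # a parent without o+x blocks others
        [ "$p" = "$root" ] && return 0
        [ "$p" = "/" ] && return 0          # safety stop at filesystem root
        p=$(dirname "$p")
    done
}

# audit_world_writable ROOT: prints "STATE STICKY PATH" per o+w directory.
audit_world_writable() {
    root=${1%/}
    find "$root" -type d -perm -0002 -print | while IFS= read -r d; do
        if reachable_by_others "$root" "$d"; then state=EXPOSED
        else state=SHIELDED; fi
        # The sticky bit (1000) stops users deleting each other's files.
        if has_mode "$d" 1000; then sticky=sticky
        else sticky=no-sticky; fi
        printf '%s %s %s\n' "$state" "$sticky" "$d"
    done
}

# Stand-alone use: pass the directory to audit as the first argument.
if [ $# -gt 0 ]; then
    audit_world_writable "$1"
fi
```

An EXPOSED line under a document root served with PHP support is the case the last comment above warns about; a SHIELDED line still depends on the group membership of the restricting parent being kept tight.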

> There's never an excuse for chmod'ing something 777

Agreed. Biblical implications aside, chmod 666 and chmod 777 are rarely a good idea.


The installation doesn't tell you to do that.

That's not true. There are many things inherently wrong with PHP security. And while you can write crap and insecure applications in any language, PHP actively encourages it.

> PHP actively encourages it.

How so?

Browse through the OwnCloud release notes. Almost every version has fixes for XSS and remote code execution. Fixes are great but the developers seem to be making the same mistakes over and over again. It is just too easy to do that in PHP.

XSS has nothing to do with PHP at all.

PHP gets a bad rep as a programming language. It may not be the most mature language, but don't generalize it as bad with security when that has just as much to do with the developer and the way they built it.

Unless you've used this service and have specific php security and maintenance concerns relating to this specific site?

I've installed and run ownCloud before, can't point to specifics right now but I had to remove it and do with ssh and simplest nginx/ssl/htaccess style sharing for now.
