FLOSS Weekly had one of the lead OwnCloud devs on recently. Of course, he was asked ‘why PHP’. Answer: to make it possible for as many people to deploy it as possible, on commodity shared hosting (or anything better they might have).
There's basically nothing that can achieve that level of deployability besides PHP.
Hearing that reasoning helped me with some of the concerns I had about its implementation language. It sounds like they know what they are doing, and are very careful (including careful code review); they just want the software to be as widely usable as possible.
I'll say to their credit that at least they're serious enough to publish security advisories.
Some of these errors just shouldn't be possible in a well-written code base, though. I would never run OwnCloud on my own servers, or use it to store anything remotely sensitive.
Yes, however, chmodding folders to 777 and placing sqlite databases in unprotected folders accessible for the entire interwebs does tend to give me little hope that these guys can actually produce secure PHP code. Sadly, as the software is pretty awesome featurewise.
If the parent folder limits access to a certain user or group, there aren't security problems, and it may be exactly what you need.
For example, if you work with other people and you have a command to generate thumbnails from the shell, you may have a layout like this one:
    chmod  user      group  path
    2770   www-data  devs   /srv/www
    2777   foo       devs   /srv/www/site/thumbnails/
/srv/www/site/thumbnails may be accessed only by people in the 'devs' or 'www-data' group ('foo' can read it only if he's in the group 'devs'). The obvious alternative would be to set that directory as owned by 'www-data', but you need root access to do that (unless you put everybody in group 'www-data', but then everyone can access every site). This way every user in the group 'devs' can make directories usable by both his teammates and the webserver, without having root power or being in group www-data. Have more than one team? Use different groups for each team.
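The layout in the comment above only holds while some ancestor directory withholds search (x) permission from "other". As an added example (not from the thread or the ownCloud project), this Python check classifies a world-writable directory by walking its ancestors' mode bits; the temporary tree, the mode of `site`, and all function names are constructed for illustration.

```python
import os
import stat
import tempfile


def blocking_ancestor(path, top):
    """Return the nearest ancestor of path (up to top) without o+x, else None."""
    ancestor = os.path.dirname(os.path.realpath(path))
    top = os.path.realpath(top)
    while True:
        if not os.stat(ancestor).st_mode & stat.S_IXOTH:
            return ancestor
        parent = os.path.dirname(ancestor)
        if ancestor == top or parent == ancestor:
            return None
        ancestor = parent


def exposure(path, top="/"):
    """Classify path from mode bits only; ACLs and mount options are ignored."""
    if not os.stat(path).st_mode & stat.S_IWOTH:
        return "not world-writable"
    blocker = blocking_ancestor(path, top)
    if blocker:
        return "world-writable, shielded by " + blocker
    return "world-writable and reachable by everyone"


def build_demo():
    """Constructed tree: 'restricted' mirrors the 2770 parent, 'open' does not."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o755)
    for name, parent_mode in (("restricted", 0o2770), ("open", 0o2755)):
        thumbs = os.path.join(base, name, "site", "thumbnails")
        os.makedirs(thumbs)
        os.chmod(thumbs, 0o2777)
        os.chmod(os.path.join(base, name, "site"), 0o2775)  # assumed mode
        os.chmod(os.path.join(base, name), parent_mode)
    return base


if __name__ == "__main__":
    base = build_demo()
    for name in ("restricted", "open"):
        thumbs = os.path.join(base, name, "site", "thumbnails")
        print(name, "->", exposure(thumbs, base))
```

On a real host, call `exposure(path)` with the default `top="/"`; the result describes only users who are neither the owner nor in the group of the blocking directory.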
0777 (or more like 02777) is a perfectly valid permission for world-writeable directories. Except that the case "anyone may do anything here, this is a free and unrestricted file sharing area" is quite rare. And almost certainly not for anything under /var/www served by httpd with PHP support.
That's not true. There are many things inherently wrong with PHP security. And while you can write crap and insecure applications in any language, PHP actively encourages it.
Browse through the OwnCloud release notes. Almost every version has fixes for XSS and remote code execution. Fixes are great but the developers seem to be making the same mistakes over and over again. It is just too easy to do that in PHP.
PHP gets a bad rep as a programming language. It may not be the most mature language, but don't generalize it as bad with security when that has just as much to do with the developer and the way they built it.
Unless you've used this service and have specific PHP security and maintenance concerns relating to this specific site?
I've installed and run ownCloud before, can't point to specifics right now but I had to remove it and do with ssh and simplest nginx/ssl/htaccess style sharing for now.