John Galea's Blog

My blog on Gadgets and the like

Owncloud VM template

From time to time I need to exchange sensitive files with people like lawyers who themselves don’t have secure file drop facilities. At this point I am uncomfortable dropping anything even remotely sensitive on pretty much any of the clouds. Call it paranoia, call it informed, you choose, but ever since the US passed the CLOUD Act back in 2018, which made it easier for governments to get access to your data irrespective of data residency, I’m more and more concerned about my data. Now personally, I don’t think anything I am doing warrants (pun intended) attention; that’s not really the point. So I decided I would look at self-hosted cloud space: somewhere I can put files and have others easily grab them.

I looked at Owncloud first. It is available as an appliance in many formats; I chose VMware. The VM is configured with 1 CPU and 2G of memory, so pretty light. Upon first boot, you’re guided through setup on the OS console, which makes it pretty easy. The system is updated upon first boot.

The VM consists of a Debian-based OS built with the Univention portal, which manages users (among other things), and Docker installed. Owncloud is installed as a Docker container. Apache is installed in the base OS, so any work with Apache, such as SSL, is done in the VM, not the container. Initial logon at the web root brings you to the Univention interface.

Logging into Univention allows you to set up users. You can set up users within Owncloud as well, but it is easier and more complete to set them up within Univention. From here you can configure the users, quotas, etc.

File systems are set up as volume groups so they can be expanded as your needs grow. Out of the box there is 41G free, more than enough for my needs. The VM is set as a thin disk, so it will take minimal amounts of space.

Within the Univention interface you can also check for updates to the OS and the container. There is also console access, complete with SSH to the host OS.

The mount point for the container has not been nicely mapped, so you’re in for a long path to get to the container’s data space. Logon to the container itself is done using the traditional Docker interface should it be needed, which isn’t likely. This same interface is not hardened (you can even log on with root) and so provides a point of attack.

Users will never use the Univention portal; they will log on to the OwnCloud interface, which is at the URL http://machinename/owncloud/. Out of the box ports 80 and 443 are both enabled, and it creates a self-signed cert, both of which you will not want to leave; we will address this shortly. Unfortunately the admin console for Univention is available externally as well as the cloud interface. That wouldn’t be my choice; I’d prefer administration was done ONLY over the local network. Additional applications can be loaded onto the Univention portal. All in all it got me up quickly, but I was unimpressed with the large attack threshold and abandoned this approach, but not Owncloud itself. See next posts for what’s next!
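
One way to express the "administration only over the local network" preference in the host's Apache (2.4 syntax), with port 80 reduced to a redirect. This is an added example, not configuration from the original post or the appliance; the subnet 192.168.1.0/24 and the certificate file paths are assumed placeholders, and the appliance's existing proxy directives for /owncloud/ are left as shipped and not shown.

```apache
# Added example. Assumed values: 192.168.1.0/24 as the local network and
# the certificate/key paths. "machinename" is the host name used in the post.

# Port 80 serves no content; it only redirects to HTTPS.
<VirtualHost *:80>
    ServerName machinename
    Redirect permanent / https://machinename/
</VirtualHost>

<VirtualHost *:443>
    ServerName machinename

    SSLEngine on
    # Replace the self-signed certificate with one issued by a CA
    # that the people downloading files already trust.
    SSLCertificateFile    /etc/ssl/certs/machinename.example.crt
    SSLCertificateKeyFile /etc/ssl/private/machinename.example.key

    # Default: everything under the web root, including the management
    # portal the post says lives there, is reachable only from the
    # host itself or from the local network.
    <Location "/">
        Require local
        Require ip 192.168.1.0/24
    </Location>

    # Exception: the file-sharing interface stays reachable externally.
    # Location sections are applied in order, so this later, more
    # specific section replaces the restriction above for /owncloud/.
    <Location "/owncloud/">
        Require all granted
    </Location>
</VirtualHost>
```

Restricting the root and opening only /owncloud/ means any additional application later loaded onto the portal stays internal unless it is deliberately exposed.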

December 14, 2020 - Posted by | Uncategorized
