
Hardening and security guidance - add information about strong directory permissions

Open j-ed opened this issue 6 years ago • 7 comments

Very often administrators want to know how the directory permissions of Nextcloud should be set best. I searched the Nextcloud documentation for information about it, but couldn't find a chapter covering it. The Hardening and security guidance doesn't cover this point either.

Nevertheless I had in mind that I read a chapter in the past, about how strong directory permissions should be set best. I searched the internet and found something in a Nextcloud pull request, but it's not mentioned or linked anywhere anymore.

Interestingly an older ownCloud documentation contained that information. A newer version of that documentation describes at least the installation wizard script.

I don't know why this information has been removed from the documentation but would like to get it added to it again.

j-ed avatar Apr 04 '19 18:04 j-ed

These directory permissions have been removed for various reasons - mainly because the updater does not work with permissions set as strong as previously recommended.

Find the according pull request here: #431

BernieO avatar Apr 07 '19 06:04 BernieO

@BernieO Thank you for pointing me to that issue. Regardless of whether we're speaking about hardening or not, this information should be added to the documentation in some way. It should be possible to differentiate between "standard" and "hardened" settings by mentioning the pros and cons, so that every administrator can decide which way he wants to go. I think not mentioning this information opens the door for any kind of abuse by default.

j-ed avatar Apr 07 '19 12:04 j-ed

@kesselb Thanks for the fast feedback in nextcloud/server #19462.

Could you (or anyone who knows) please copy and paste my current permission-setting code below and alter it to the currently recommended and secure way to do a complete permission set.

Thanks a lot.

# directories on archlinux
NEXTCLOUD_INSTALL_DIR="/usr/share/webapps/nextcloud"
NEXTCLOUD_CONFIG_DIR="/etc/webapps/nextcloud"
NEXTCLOUD_DATA_DIR=""
if [[ -f "$NEXTCLOUD_INSTALL_DIR"/config/config.php ]]
then
    # read the path from the  'datadirectory' => '/path/to/data',  line of config.php
    NEXTCLOUD_DATA_DIR="$(grep 'datadir' "$NEXTCLOUD_INSTALL_DIR"/config/config.php | awk '{print $3}' | cut -d "'" -f2)"
    #echo "$NEXTCLOUD_DATA_DIR"
fi
# guard: an empty value would make "$NEXTCLOUD_DATA_DIR"/ expand to / and
# the find/chmod below would re-mode the whole filesystem
if [[ -z "$NEXTCLOUD_DATA_DIR" || ! -d "$NEXTCLOUD_DATA_DIR" ]]
then
    echo "Nextcloud data directory not found, aborting" >&2
    exit 1
fi

# nextcloud data
find "$NEXTCLOUD_DATA_DIR"/ -type f -print0 | xargs --no-run-if-empty -0 chmod 0640
find "$NEXTCLOUD_DATA_DIR"/ -type d -print0 | xargs --no-run-if-empty -0 chmod 0750
chown -R http:http "$NEXTCLOUD_DATA_DIR"

# nextcloud install
find "$NEXTCLOUD_INSTALL_DIR"/ -type f -print0 | xargs --no-run-if-empty -0 chmod 0640
find "$NEXTCLOUD_INSTALL_DIR"/ -type d -print0 | xargs --no-run-if-empty -0 chmod 0750
chmod ug+x "$NEXTCLOUD_INSTALL_DIR"/occ
chown -R http:http "$NEXTCLOUD_INSTALL_DIR"
find "$NEXTCLOUD_INSTALL_DIR"/ -type f -print0 | xargs --no-run-if-empty -0 chown root:http

# nextcloud config
find "$NEXTCLOUD_CONFIG_DIR"/ -type f -print0 | xargs --no-run-if-empty -0 chmod 0640
find "$NEXTCLOUD_CONFIG_DIR"/ -type d -print0 | xargs --no-run-if-empty -0 chmod 0750
chown -R http:http "$NEXTCLOUD_CONFIG_DIR"

tiiiecherle avatar Feb 13 '20 21:02 tiiiecherle

@kesselb at https://github.com/nextcloud/server/issues/19462#issuecomment-585966109 you commented:

Nextcloud needs to be able to alter config.php (until you disable it), data directory, and the apps folder (until you add another one and set the default one to read only). Anything else should be fine to be read only.

What about the updater? I guess the updater also needs to be able to alter the nextcloud directory. The reason why the stronger directory permissions have been removed was that the updater did not work with stronger directory permissions. Is that still the case? For details see #431

BernieO avatar Feb 23 '20 15:02 BernieO

I guess the updater also needs to be able to alter the nextcloud directory. Is that still the case?

Yes

nextcloud/server#19462

I assumed that pacman is used (because of /usr/share/webapps/nextcloud and /etc/webapps/nextcloud) to update that installation and the updater is not relevant.

kesselb avatar Feb 23 '20 15:02 kesselb
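As an added example (not code from this thread or from Nextcloud), the script below applies the split kesselb describes: the web server may write to the data directory, the config directory and the default apps directory, and everything else in the install tree is read-only for it, which means the built-in updater cannot touch that tree and updates come from the package manager, as kesselb assumed for this Arch layout. The 0440/0550 read-only modes, the http user and group, and a check that counts remaining write bits are my additions; the Arch paths are taken from the thread, and the data directory path is an assumption.

```bash
#!/usr/bin/env bash
# Added example, not Nextcloud's own script: web-server-writable data, config
# and apps directories; the rest of the install tree carries no write bit at all
# (root still updates it, the built-in updater cannot). GNU find/chmod assumed.
set -euo pipefail

# set_tree_modes DIR FILE_MODE DIR_MODE: chmod a tree, refusing an empty DIR so an
# unset variable can never expand to "/" and re-mode the whole filesystem.
set_tree_modes() {
    local dir="${1%/}" fmode="$2" dmode="$3"
    [[ -n "$dir" && -d "$dir" ]] || { echo "refusing: '$dir' is not a directory" >&2; return 1; }
    find "$dir" -type d -exec chmod "$dmode" {} +
    find "$dir" -type f -exec chmod "$fmode" {} +
}

# harden_nextcloud INSTALL_DIR DATA_DIR CONFIG_DIR WEB_USER WEB_GROUP
harden_nextcloud() {
    local install="${1%/}" data="$2" config="$3" user="$4" group="$5"
    # 1. whole install tree read-only for everyone but root: 0440 files, 0550 dirs
    set_tree_modes "$install" 0440 0550
    chmod 0550 "$install/occ"                  # occ must stay executable
    if [[ $EUID -eq 0 ]]; then                 # ownership change needs root;
        chown -R "root:$group" "$install"      # non-root runs keep the current owner
    fi
    # 2. web-server-writable parts: owner writes, group reads, others nothing
    local w
    for w in "$data" "$config" "$install/apps"; do
        set_tree_modes "$w" 0640 0750
        chown -R "$user:$group" "$w"
    done
}

# count_writable_outside ROOT PRUNE_DIR: number of entries under ROOT, skipping
# PRUNE_DIR, that still carry any write bit. Expected 0 after hardening.
count_writable_outside() {
    local root="${1%/}" prune="${2%/}"
    find "$root" -path "$prune" -prune -o -perm /222 -print | wc -l | tr -d ' '
}

# Usage with the Arch paths from this thread (data dir path is an assumption):
#   harden_nextcloud /usr/share/webapps/nextcloud /var/lib/nextcloud/data \
#                    /etc/webapps/nextcloud http http
#   count_writable_outside /usr/share/webapps/nextcloud /usr/share/webapps/nextcloud/apps
```

Running as root is needed for the root:http ownership of the read-only tree; the count check reports any file or directory in the install tree outside apps/ that a later change (or a misrun updater) left writable.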

Any progress on this?

bcutter avatar Dec 09 '22 16:12 bcutter

I think the most secure way to handle this would be to remove write access for the web server user (e.g. www-data) from everything except the data directory, disable the web updater and adapt the cli updater to be able to run as root or another user that is allowed to write to the Nextcloud directory. Obviously this could be made optional, so for users that do not demand maximum security, the web updater should still be available as long as the Nextcloud directories are writable for the web server user.

tobx avatar Mar 15 '24 12:03 tobx