All users can see all other users data

Have nextcloud up and running and today I noticed that any uses can go in and see the entire list of all other users even though they are not given admin permissions. Can anyone point me in the right direction so I can resolve this issue. If there is specific information you need plase ask and I will get it for you

Thanks for any help you can provide.

hey @Youcan2 and @youcantoo (apparently the same user :wink: )

that sounds like a permission-problem.
who is owner of your data-directory and whats it’s permission settings?

apart from that there was a issue template when you filed your thread here under support. usually that’s not given to cause more problems to the user but to make it easier for the forum to identify problems and being able to help…

so the more infos you could give about your instance the better.

good luck
jimmy

the server is running under “apache” this is what I see

drwxrwx— 356 apache apache 12288 Oct 17 00:37 data/

all the user folders are also UID/GID apache with the folder permissions of 755

is apache your standard web-user? or does apache own nextcloud as well?

it is both

I think this is the information you were wanting in an above post.

Nextcloud version (eg, 12.0.2):17.0.0.9
Operating system and version (eg, Ubuntu 17.04): PCLinuxOS 2019
Apache or nginx version (eg, Apache 2.4.25): Apache/2.4.38
PHP version (eg, 7.1): 7.3.10

The issue you are facing:

All users have access to all users -creating, deleting, the whole thing.

Is this the first time you’ve seen this error? (Y/N):

Steps to replicate it:

creating a new user.

The output of your Nextcloud log in Admin > Logging:

Error	PHP	You are using a fallback implementation of the intl extension. Installing the native one is highly recommended instead. at /var/www/html/nextcloud/3rdparty/patchwork/utf8/src/Patchwork/Utf8/Bootup/intl.php#18	
2019-10-17T02:30:16-0700
Error	PHP	You are using a fallback implementation of the intl extension. Installing the native one is highly recommended instead. at /var/www/html/nextcloud/3rdparty/patchwork/utf8/src/Patchwork/Utf8/Bootup/intl.php#18	
2019-10-17T02:30:16-0700
Error	PHP	You are using a fallback implementation of the intl extension. Installing the native one is highly recommended instead. at /var/www/html/nextcloud/3rdparty/patchwork/utf8/src/Patchwork/Utf8/Bootup/intl.php#18	
2019-10-17T02:30:15-0700
Error	PHP	You are using a fallback implementation of the intl extension. Installing the native one is highly recommended instead. at /var/www/html/nextcloud/3rdparty/patchwork/utf8/src/Patchwork/Utf8/Bootup/intl.php#18	
2019-10-17T02:30:15-0700
Error	PHP	You are using a fallback implementation of the intl extension. Installing the native one is highly recommended instead. at /var/www/html/nextcloud/3rdparty/patchwork/utf8/src/Patchwork/Utf8/Bootup/intl.php#18	
2019-10-17T02:30:15-0700
Error	PHP	You are using a fallback implementation of the intl extension. Installing the native one is highly recommended instead. at /var/www/html/nextcloud/3rdparty/patchwork/utf8/src/Patchwork/Utf8/Bootup/intl.php#18	
2019-10-17T02:30:15-0700


The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'ocrslcgqqku6',
  'passwordsalt' => '************************',
  'secret' => '****************************************',
  'trusted_domains' =>
  array (
    0 => 'pcloscloud.com',
  ),
  'datadirectory' => '/******/data',
  'dbtype' => 'mysql',
  'version' => '17.0.0.9',
  'overwrite.cli.url' => 'https://pcloscloud.com',
  'dbname' => '****cloud',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_dwm',
  'dbpassword' => '******************************',
  'installed' => true,
  'maintenance' => false,
  'mail_smtpmode' => 'smtp',
  'mail_smtphost' => '****.*********.***',
  'mail_sendmailmode' => 'smtp',
  'mail_smtpport' => '25',
  'mail_domain' => '*********.***',
  'mail_from_address' => 'donotreply',
);


The output of your Apache/nginx/system log in /var/log/____:

[17/Oct/2019:02:24:09 -0700] 134.29.8.140 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/Arzach/ HTTP/1.1" 229
[17/Oct/2019:02:24:10 -0700] 72.206.69.173 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/cw987/ HTTP/1.1" 229
[17/Oct/2019:02:24:10 -0700] 73.117.62.200 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/lfever/ HTTP/1.1" 229
[17/Oct/2019:02:24:10 -0700] 146.199.78.87 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/mrfill/ HTTP/1.1" 229
[17/Oct/2019:02:24:11 -0700] 24.72.186.74 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/ms_meme/ HTTP/1.1" 229
[17/Oct/2019:02:24:11 -0700] 134.29.8.211 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /status.php HTTP/1.1" 169
[17/Oct/2019:02:24:11 -0700] 134.29.8.211 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/webdav/ HTTP/1.1" 229
[17/Oct/2019:02:24:12 -0700] 74.206.43.213 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/dianne/ HTTP/1.1" 229
[17/Oct/2019:02:24:13 -0700] 198.209.251.109 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/fizziojoe/ HTTP/1.1" 229
[17/Oct/2019:02:24:13 -0700] 69.40.4.241 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/joannabanana/ HTTP/1.1" 229
[17/Oct/2019:02:24:13 -0700] 74.190.143.120 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/HD-WildBill/ HTTP/1.1" 229
[17/Oct/2019:02:24:14 -0700] 66.115.169.241 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/david1959/ HTTP/1.1" 229
[17/Oct/2019:02:24:14 -0700] 134.29.8.140 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/Arzach/ HTTP/1.1" 229
[17/Oct/2019:02:24:15 -0700] 73.117.62.200 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/lfever/ HTTP/1.1" 229
[17/Oct/2019:02:24:15 -0700] 146.199.78.87 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/mrfill/ HTTP/1.1" 229
[17/Oct/2019:02:24:15 -0700] 72.206.69.173 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/cw987/ HTTP/1.1" 229
[17/Oct/2019:02:24:16 -0700] 24.72.186.74 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/ms_meme/ HTTP/1.1" 229
[17/Oct/2019:02:24:17 -0700] 74.206.43.213 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/dianne/ HTTP/1.1" 229
[17/Oct/2019:02:24:18 -0700] 198.209.251.109 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/fizziojoe/ HTTP/1.1" 229
[17/Oct/2019:02:24:18 -0700] 69.40.4.241 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/joannabanana/ HTTP/1.1" 229
[17/Oct/2019:02:24:18 -0700] 74.190.143.120 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/HD-WildBill/ HTTP/1.1" 229
[17/Oct/2019:02:24:19 -0700] 66.115.169.241 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/david1959/ HTTP/1.1" 229
[17/Oct/2019:02:24:19 -0700] 134.29.8.140 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/Arzach/ HTTP/1.1" 229
[17/Oct/2019:02:24:19 -0700] 91.123.18.163 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /status.php HTTP/1.1" 169
[17/Oct/2019:02:24:20 -0700] 91.123.18.163 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/webdav/ HTTP/1.1" 229
[17/Oct/2019:02:24:20 -0700] 72.206.69.173 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/cw987/ HTTP/1.1" 229
[17/Oct/2019:02:24:20 -0700] 146.199.78.87 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/mrfill/ HTTP/1.1" 229
[17/Oct/2019:02:24:20 -0700] 73.117.62.200 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/lfever/ HTTP/1.1" 229
[17/Oct/2019:02:24:21 -0700] 24.72.186.74 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/ms_meme/ HTTP/1.1" 229
[17/Oct/2019:02:24:22 -0700] 74.206.43.213 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/dianne/ HTTP/1.1" 229
[17/Oct/2019:02:24:23 -0700] 198.209.251.109 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/fizziojoe/ HTTP/1.1" 229
[17/Oct/2019:02:24:23 -0700] 69.40.4.241 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/joannabanana/ HTTP/1.1" 229
[17/Oct/2019:02:24:23 -0700] 74.190.143.120 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/HD-WildBill/ HTTP/1.1" 229
[17/Oct/2019:02:24:24 -0700] 66.115.169.241 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/david1959/ HTTP/1.1" 229
[17/Oct/2019:02:24:24 -0700] 134.29.8.140 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/Arzach/ HTTP/1.1" 229
[17/Oct/2019:02:24:25 -0700] 72.206.69.173 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/cw987/ HTTP/1.1" 229
[17/Oct/2019:02:24:25 -0700] 146.199.78.87 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/mrfill/ HTTP/1.1" 229
[17/Oct/2019:02:24:25 -0700] 73.117.62.200 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/lfever/ HTTP/1.1" 229
[17/Oct/2019:02:24:26 -0700] 24.72.186.74 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/ms_meme/ HTTP/1.1" 229
[17/Oct/2019:02:24:27 -0700] 74.206.43.213 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/dianne/ HTTP/1.1" 229
[17/Oct/2019:02:24:28 -0700] 198.209.251.109 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/fizziojoe/ HTTP/1.1" 229
[17/Oct/2019:02:24:28 -0700] 69.40.4.241 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/joannabanana/ HTTP/1.1" 229
[17/Oct/2019:02:24:29 -0700] 66.115.169.241 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/david1959/ HTTP/1.1" 229
[17/Oct/2019:02:24:28 -0700] 74.190.143.120 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/HD-WildBill/ HTTP/1.1" 229
[17/Oct/2019:02:24:29 -0700] 134.29.8.140 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/Arzach/ HTTP/1.1" 229
[17/Oct/2019:02:24:30 -0700] 72.206.69.173 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/cw987/ HTTP/1.1" 229
[17/Oct/2019:02:24:30 -0700] 146.199.78.87 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/mrfill/ HTTP/1.1" 229
[17/Oct/2019:02:24:30 -0700] 74.206.43.213 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "GET /status.php HTTP/1.1" 169
[17/Oct/2019:02:24:30 -0700] 73.117.62.200 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/lfever/ HTTP/1.1" 229
[17/Oct/2019:02:24:30 -0700] 74.206.43.213 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/dianne/ HTTP/1.1" 229
[17/Oct/2019:02:24:31 -0700] 24.72.186.74 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/ms_meme/ HTTP/1.1" 229
[17/Oct/2019:02:24:32 -0700] 74.206.43.213 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/dianne/ HTTP/1.1" 229
[17/Oct/2019:02:24:33 -0700] 198.209.251.109 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/fizziojoe/ HTTP/1.1" 229
[17/Oct/2019:02:24:33 -0700] 69.40.4.241 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "PROPFIND /remote.php/dav/files/joannabanana/ HTTP/1.1" 229

Hi,

Could you please provide the following information?

  • path to nextcloud installation directory
  • path to NC data directory
  • output of ls -al <nc data dir> ( with usernames blanked out “USER1”, “USER2”, …)
  • maybe a screenshot from the WebGUI or any graphical description (text) showing, what exactly a user can see in the browser

Hi @Youcan2

Make sure when you add users to the nextcloud instance, that you do not add them to the same user group. People in the same group(s) can see eachother.

This is a picture taken from the users panel. People in the same groups can list other group members in the same group.

Check this first, before you check system permissions.

1 Like

I founf the issue…I feel so stupid. I had the group admin set for each user

1 Like

I am glad I could help, I had a feeling this could be the issue. I once encountered the same issue when my test user could see some of my users listed, and it arised questions for me. Turned out that group memberships was the issue.

:+1:

Thanks to each and every one of you for your help.