Block listing user folders

Hi,

For some reason users can list all user folders with the rclone command.

As a normal user, rclone lsd nextcloud:/files

Shows:

[image]

So you can see all the folders of the other users. You can’t access them though. Is there any way to block this listing?

I’m running Nextcloud 21 with nginx on Ubuntu 20.04.

Thanks!

Seems I can list all system folders as well. Is it possible to disable this and only show my own folders?

      -1 1970-01-01 00:00:00        -1 addressbooks
      -1 1970-01-01 00:00:00        -1 avatars
      -1 1970-01-01 00:00:00        -1 calendars
      -1 1970-01-01 00:00:00        -1 comments
      -1 1970-01-01 00:00:00        -1 files
      -1 1970-01-01 00:00:00        -1 principals
      -1 1970-01-01 00:00:00        -1 provisioning
      -1 1970-01-01 00:00:00        -1 public-calendars
      -1 1970-01-01 00:00:00        -1 system-calendars
      -1 1970-01-01 00:00:00        -1 systemtags
      -1 1970-01-01 00:00:00        -1 systemtags-relations
      -1 1970-01-01 00:00:00        -1 trashbin
      -1 1970-01-01 00:00:00        -1 uploads
      -1 1970-01-01 00:00:00        -1 versions

@martijnk
rclone is not a Nextcloud tool but a Linux tool, and therefore you must search for the solution on Linux and not on Nextcloud.

It is normal that a user can see a lot of data of other users.
The rights are normally set to 644 (rwxr--r--) for files and 755 (rwxr-xr-x) for directories.
You can deny “all” by setting them to 640 and 750.
man chmod
With wrong rights you can destroy your Nextcloud and/or Linux installation.
Read the manuals for setting the correct rights for files and directories.

The problem is that your webserver is the owner of all files and has set them to be readable for all users.
Normal users do not have a Linux account on Nextcloud servers, and they use e.g. WebDAV and not rclone with shell access.

Hi thanks for your reply!

I understand but rclone uses webdav. There are more files/directories in the nextcloud data directory that I can’t see with rclone but I can see all username folders.

What OS are you running Rclone on?

Ubuntu 20.04.

Hope somebody still has an idea how to fix this :slight_smile:

Also, when I go with my browser to /remote.php/dav/files as normal user I can see all directories as well.

Surely this is not how it should be?

That should not be possible…your browser should show you the following message when you try to access /remote.php/dav/files in your browser:

This is the WebDAV interface. It can only be accessed by WebDAV clients
such as the Nextcloud desktop sync client.

Please can you check if you have the following in your Apache config for your Nextcloud VirtualHost:

RewriteEngine On
RewriteRule ^/\.well-known/carddav https://nextcloud.1io.com/remote.php/dav/ [R=301,L]
RewriteRule ^/\.well-known/caldav https://nextcloud.1io.com/remote.php/dav/ [R=301,L]

Edit: Can you download the Nextcloud Client and see if this is showing the same behaviour?

I do have this in NGINX (copied from the nextcloud docs):

# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
    # The following 6 rules are borrowed from `.htaccess`

    location = /.well-known/carddav     { return 301 /remote.php/dav/; }
    location = /.well-known/caldav      { return 301 /remote.php/dav/; }
    # Anything else is dynamically handled by Nextcloud
    location ^~ /.well-known            { return 301 /index.php$uri; }

    try_files $uri $uri/ =404;
}

I will try with the Nextcloud client and see what will happen.

Ah, didn’t know you were using NGINX :sweat_smile: But if you copied the content from the Nextcloud documentation, I don’t think this is the problem.

I don’t think so either, it could be since upgrading to NC21 but I’m not sure.

I had another look at the documentation and noticed one thing that is different, but I’m not sure if this is causing it.

You have something extra in your config, which is not part of the documentation:

# Anything else is dynamically handled by Nextcloud
location ^~ /.well-known            { return 301 /index.php$uri; }

try_files $uri $uri/ =404;

Can you replace this with the following (please make sure to create a copy of the config first)

# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;

Yeah they must have updated it since I last copy/pasted it. I get the same behavior though changing those lines. I even fully copy/pasted that config again but same result.

That’s pretty weird and should never happen. Could you reproduce this with the Nextcloud client?

Well, no clue what the issue was but I’ve upgraded to NC 21.01 and now the problem is solved!

@CFelix thanks for your time and help!

1 Like
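
A check an administrator can run after an upgrade like the one above, as an added example that is not part of the original thread: it parses a saved PROPFIND (Depth: 1) response body for /remote.php/dav/files/ and reports user collections other than the account that made the request. The sample responses, user names, host name and function names are constructed for illustration.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlparse

FILES_ROOT = "/remote.php/dav/files"  # collection discussed in the thread

# Constructed sample: a 207 Multi-Status body in which the listing of the
# files root contains collections of several users (the reported behaviour).
SAMPLE_LEAKY = """<?xml version="1.0"?>
<d:multistatus xmlns:d="DAV:">
  <d:response><d:href>/remote.php/dav/files/</d:href></d:response>
  <d:response><d:href>/remote.php/dav/files/alice/</d:href></d:response>
  <d:response><d:href>/remote.php/dav/files/bob/</d:href></d:response>
  <d:response><d:href>https://cloud.example/remote.php/dav/files/carol%20x/</d:href></d:response>
</d:multistatus>"""

# Constructed sample: a listing that contains only the caller's own collection.
SAMPLE_OWN_ONLY = """<?xml version="1.0"?>
<d:multistatus xmlns:d="DAV:">
  <d:response><d:href>/remote.php/dav/files/</d:href></d:response>
  <d:response><d:href>/remote.php/dav/files/alice/</d:href></d:response>
</d:multistatus>"""


def listed_users(multistatus_xml, files_root=FILES_ROOT):
    """Return the set of first-level collection names under files_root."""
    prefix = files_root.rstrip("/") + "/"
    users = set()
    for href in ET.fromstring(multistatus_xml).iter("{DAV:}href"):
        # hrefs may be full URLs or absolute paths, and are percent-encoded
        raw = urlparse((href.text or "").strip()).path
        path = posixpath.normpath(unquote(raw))
        if not (path + "/").startswith(prefix):
            continue  # outside the files tree
        rest = path[len(prefix):]
        if rest:  # empty for the root collection itself
            users.add(rest.split("/", 1)[0])
    return users


def foreign_users(multistatus_xml, me, files_root=FILES_ROOT):
    """Collections visible in the listing that do not belong to `me`."""
    return sorted(listed_users(multistatus_xml, files_root) - {me})


if __name__ == "__main__":
    for name, body in (("leaky", SAMPLE_LEAKY), ("own only", SAMPLE_OWN_ONLY)):
        print(name, "->", foreign_users(body, "alice") or "no foreign collections")
```

An empty result for a normal account means the listing no longer reveals other users' folder names.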