Block listing user folders


For some reason users can list all user folders with the rclone command.

As normal user, rclone lsd nextcloud:/files



So you can see all the folders of the other users. You can’t access them though. Is there any way to block this listing?

I’m running Nextcloud 21 with nginx on Ubuntu 20.04.


Seems I can list all system folders as well. Is it possible to disable this and only show my own folders?

      -1 1970-01-01 00:00:00        -1 addressbooks
      -1 1970-01-01 00:00:00        -1 avatars
      -1 1970-01-01 00:00:00        -1 calendars
      -1 1970-01-01 00:00:00        -1 comments
      -1 1970-01-01 00:00:00        -1 files
      -1 1970-01-01 00:00:00        -1 principals
      -1 1970-01-01 00:00:00        -1 provisioning
      -1 1970-01-01 00:00:00        -1 public-calendars
      -1 1970-01-01 00:00:00        -1 system-calendars
      -1 1970-01-01 00:00:00        -1 systemtags
      -1 1970-01-01 00:00:00        -1 systemtags-relations
      -1 1970-01-01 00:00:00        -1 trashbin
      -1 1970-01-01 00:00:00        -1 uploads
      -1 1970-01-01 00:00:00        -1 versions

rclone is not a nextcloud but a linux tool and therefore you must search for the solution on linux and not on nextcloud.

it is normal that user can see a lot of data of other user.
The rights normally set to 644 (rwxr–r–) for files and 755 (rwxr-xr-x) for directorys.
You can deny “all” with setting to 640 and 750 .
man chmod
With wrong rights you can destroy your nextcloud and/or linux installation.
Read manuals for setting the correct rights for files and directorys.

The problem is that your webserver is owner of all files and has set them for read for all users.
Normal user does not have an linux account on nextcloud servers and they use e.g. WebDAV and not rclone with shell access.

Hi thanks for your reply!

I understand but rclone uses webdav. There are more files/directories in the nextcloud data directory that I can’t see with rclone but I can see all username folders.

What OS are you running Rclone on?

Ubuntu 20.04.

Hope somebody still has an idea how to fix this :slight_smile:

Also, when I go with my browser to /remote.php/dav/files as normal user I can see all directories as well.

Surely this is not how it should be?

That should not be possible…your browser should show you the following message, when you try to access /remote.php/dav/files in your browser:

This is the WebDAV interface. It can only be accessed by WebDAV clients
such as the Nextcloud desktop sync client.

Please can you check if you have the following in your Apache config for your Nextcloud VirtualHost:

RewriteEngine On
RewriteRule ^/\.well-known/carddav [R=301,L]
RewriteRule ^/\.well-known/caldav [R=301,L]

Edit: Can you download the Nextcloud Client and see, if this is showing the same behaviour?

I do have this in NGINX (copied from the nextcloud docs):

# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
    # The following 6 rules are borrowed from `.htaccess`

    location = /.well-known/carddav     { return 301 /remote.php/dav/; }
    location = /.well-known/caldav      { return 301 /remote.php/dav/; }
    # Anything else is dynamically handled by Nextcloud
    location ^~ /.well-known            { return 301 /index.php$uri; }

    try_files $uri $uri/ =404;

I will try with the Nextcloud client and see what will happen.

Ah, didn’t know you were using NGINX :sweat_smile: But if you copied the content from the Nextcloud documentation, I don’t think this is the problem.

I don’t think so either, it could be since upgrading to NC21 but I’m not sure.

I had another look at the documentation and noticed one thing that is different, but I’m not sure if this is causing it.

You have something extra in your config, which is not part of the documentation:

# Anything else is dynamically handled by Nextcloud
location ^~ /.well-known            { return 301 /index.php$uri; }

try_files $uri $uri/ =404;

Can you replace this with the following (please make sure to create a copy of the config first)

# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;

Yeah they must have updated it since I last copy/pasted it. I get the same behavior though changing those lines. I even fully copy/pasted that config again but same result.

That’s pretty weird and should never happen. Could you reproduce this with the Nextcloud client?

Well, no clue what the issue was but I’ve upgraded to NC 21.01 and now the problem is solved!

@CFelix thanks for your time and help!

1 Like