Dbpassword directly stored in config.php file without encryption

Nextcloud version: 16.0.3
Operating system and version: Ubuntu 18
Apache or nginx version: Apache 2.4.29
PHP version: 7.2

The issue you are facing:

Is this the first time you’ve seen this error? (Y/N):

Steps to replicate it:

  1. Installed Nextcloud following this guide: https://www.techrepublic.com/article/how-to-install-nextcloud-16-on-ubuntu-18-04/
  2. Used http://SERVER_IP/nextcloud to set up the dbuser account.
  3. The user account gets set up and the dbpassword is stored in the /var/www/html/nextcloud/config/config.php file.

Question: the password is stored as plain text without any encryption. Theoretically, anyone who can access this file will also be able to learn my “strong password”. This does not seem safe.

Am I missing something during installation that can make this safer? What is the best practice to store/encrypt my password?

The access to files is usually restricted by file permissions.
Such config files are usually only accessible by the owner (web service user and group) and the superuser, unless you allowed access to other users.

Edit:
Config file permission should be octal 640 or symbolic u=rw,g=r,o-rwx.

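A small check for the permission recommendation in the reply above, added here as an example rather than code from the thread or from the Nextcloud project. It assumes GNU `stat` and, for the ownership step, the Debian/Ubuntu web server user `www-data`; the demo runs on a constructed temporary file, not the real config.php.

```shell
#!/bin/sh
# Added example: verify that a config file is not readable by "other" users,
# and bring it to the recommended u=rw,g=r,o-rwx (octal 640) if it is.
# Assumes GNU coreutils (stat -c) and a www-data:www-data web server user.

# Print the octal mode of a file (e.g. 640); fails if the file is missing.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null
}

# Return 0 when "other" has no permission bits at all (last octal digit is 0),
# 1 when anyone outside owner/group can read, write or execute it,
# 2 when the file does not exist.
config_is_private() {
    mode=$(file_mode "$1") || return 2
    [ -n "$mode" ] || return 2
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Apply the recommendation from the reply: u=rw,g=r,o-rwx, owned by the web
# server user/group. chown needs root, so it is skipped (not fatal) otherwise.
harden_config() {
    f=$1; owner=${2:-www-data}; group=${3:-www-data}
    chmod u=rw,g=r,o-rwx "$f" || return 1
    chown "$owner:$group" "$f" 2>/dev/null || true
    config_is_private "$f"
}

# Demo on a constructed temp file with a deliberately loose 644 mode.
demo() {
    tmp=$(mktemp)
    chmod 644 "$tmp"
    if config_is_private "$tmp"; then
        echo "already private: $(file_mode "$tmp")"
    else
        echo "world-readable: $(file_mode "$tmp")"
    fi
    harden_config "$tmp"
    echo "after hardening: $(file_mode "$tmp")"
    rm -f "$tmp"
}
```

Run `demo` to see the before/after modes; to audit a live install, call `config_is_private /var/www/html/nextcloud/config/config.php` as root and act on a non-zero exit.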

You have to always remember that once anyone gains physical access to your host, all bets are off regarding such passwords. If you do have an issue with that, you will have to physically secure your NC host in the first place.

Even if you encrypted the password inside the config.php, where would the decryption key be stored? The only way to make that work would be to hand that to the process at startup by hand - so no autostart…

The risk assessment is yours to make…
