Hello community,
As far as I understand, when adding a new folder or document (through whatever instrument), they are created with “chmod 0755” for the folder and “chmod 0644” for the file.
In our environment, I would like to further restrict the access by restricting both to “chmod 0700” (e.g. manipulatable ONLY by the “fileOwner”, which in our case is sufficient).
I tested the consequences with the “web interface”, the “webdav connection” and the “sync application - for windows”, and all can perfectly access these restricted files.
So my question is: Is there any place where we could “set the default permissions to 0700” for newly created folders and files?
Thanks for any guidance here…
I’m not sure we set it explicitly (@icewind ?)
However if you restrict your datafolder to 700 then already on the FS level only the owner could cd into it.
@rullzer: thanks for the reply.
As per the “datafolder” remark, I found this
(see garethTheRed's answer):
If you create a file underneath /foo/bar/baz which is readable by others and then create a hard link to this file in an accessible path, they’ll be able to read it regardless of the permissions on /foo/bar/baz.
So setting the DATAROOT directory is not “fully” satisfactory in this respect…
@icewind:
If NextCloud (server) does not set the permissions, then probably the PHP default will be taken. However, in those circumstances it might be a nice idea to let the ADMIN decide on this
(or I could simply add that code to our implementation, if you help me find the right spot(s))
Is there something planned? I mean setting the permissions more restrictive to increase the security, but not at the cost of usability?
Atm the data folder will be set to 770 but subfolders to 750.
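
An added example, not part of the thread and not Nextcloud code: a small audit for the two concerns raised above, namely entries under a data directory that group or others can access, and regular files with more than one hard link (the case from the quoted answer, where a link outside the tree is not covered by the directory's permissions). The `data/alice` tree and its file names are constructed for the demo.

```python
import os
import stat
import tempfile


def audit_tree(root):
    """Walk root and return (loose, multi_linked).

    loose:        (path, mode) for entries with any group/other permission bit
    multi_linked: (path, nlink) for regular files with more than one hard link
    """
    loose, multi_linked = [], []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)            # do not follow symlinks
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & 0o077:         # any g/o read, write or execute bit
                loose.append((path, oct(st.st_mode & 0o777)))
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                multi_linked.append((path, st.st_nlink))
    return loose, multi_linked


def demo():
    """Build a constructed tree and audit it; paths are returned relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        data = os.path.join(tmp, "data")
        user_dir = os.path.join(data, "alice")
        os.makedirs(user_dir)
        os.chmod(data, 0o700)              # restricted data root
        os.chmod(user_dir, 0o755)          # default-style folder mode
        doc = os.path.join(user_dir, "report.txt")
        private = os.path.join(user_dir, "private.txt")
        for path, mode in ((doc, 0o644), (private, 0o600)):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        # Second name for report.txt outside the restricted data root.
        os.link(doc, os.path.join(tmp, "outside-link.txt"))
        loose, multi = audit_tree(data)
        rel = lambda p: os.path.relpath(p, data)
        return (sorted((rel(p), m) for p, m in loose),
                sorted((rel(p), n) for p, n in multi))


if __name__ == "__main__":
    print(demo())
```

A link count above 1 only shows that another name exists somewhere on the same filesystem; the audit does not locate it.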