External storage by sftp on the same system

The Basics

  • Nextcloud Server version:
  • Operating system and version:
    • Debian Linux 6.1.0-28-amd64 x86_64
  • Web server and version :
    • Server version: Apache/2.4.62 (Debian)
  • PHP version :
    • 8.2.26
  • Installation method :
    • archive on a dedicated server (OVH)
  • Are you using Cloudflare, mod_security, or similar?
    • no

Summary of the issue you are facing:

Is it possible to access files created on the hard drive hosting the OS where I have installed the Apache server and Nextcloud? The main user is me.

Steps to replicate it :

  1. I activated files_external with the SFTP backend.
  2. I chose RSA public key for the authentication type and copied the RSA key to me@myserver://home/me/.ssh/authorized_keys
  3. Saved the parameters.

Log entries

Nextcloud

occ files_external:verify 1
  - status: error
  - code: 1
  - message: Exception: Login failed

Configuration

Nextcloud

The output of occ config:list system or similar is best, but, if not possible, the contents of your config.php file from /path/to/nextcloud is fine (make sure to remove any identifiable information!):

{                                
    "system": {              
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "carmagnole.org",     
            "public.carmagnole.org"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "30.0.4.1",
        "overwrite.cli.url": "https:\/\/carmagnole.org",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "default_phone_region": "FR",
        "loglevel": 2,
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtptimeout": "30",
        "mail_smtpdebug": false,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 0
        },
        "maintenance_window_start": 1,
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpsecure": "ssl",
        "maintenance": false,
        "theme": "",
        "app_install_overwrite": [
            "sharingpath"
        ],
        "defaultapp": "files,deck"
    }
}


Apps

The output of occ app:list (if possible).

Enabled:          
  - activity: 3.0.0     
  - app_api: 4.0.3    
  - bruteforcesettings: 3.0.0
  - calendar: 5.0.8
  - circles: 30.0.0
  - cloud_federation_api: 1.13.0 
  - comments: 1.20.1          
  - contacts: 6.1.1    
  - contactsinteraction: 1.11.0
  - dashboard: 7.10.0           
  - dav: 1.31.1           
  - federatedfilesharing: 1.20.0
  - federation: 1.20.0 
  - files: 2.2.0      
  - files_downloadlimit: 3.0.0                                                        
  - files_external: 1.22.0 
  - files_pdfviewer: 3.0.0                                                            
  - files_reminders: 1.3.0    
  - files_sharing: 1.22.0
  - files_trashbin: 1.20.1                                                            
  - files_versions: 1.23.0              
  - firstrunwizard: 3.0.0
  - logreader: 3.0.0
  - lookup_server_connector: 1.18.0
  - mail: 4.1.0
  - multiboards: 1.0.4
  - nextcloud_announcements: 2.0.0
  - notes: 4.11.0
  - notifications: 3.0.0
  - oauth2: 1.18.1
  - password_policy: 2.0.0
  - photos: 3.0.2
  - privacy: 2.0.0
  - provisioning_api: 1.20.0
  - recommendations: 3.0.0
  - related_resources: 1.5.0
  - richdocuments: 8.5.3
  - serverinfo: 2.0.0
  - settings: 1.13.0
  - sharebymail: 1.20.0
  - spreed: 20.1.1
  - support: 2.0.0
  - survey_client: 2.0.0
  - systemtags: 1.20.0
  - tasks: 0.16.1
  - text: 4.1.0
  - theming: 2.5.0
  - twofactor_backupcodes: 1.19.0
  - updatenotification: 1.20.0
  - user_status: 1.10.0
  - viewer: 3.0.0
  - webhook_listeners: 1.1.0-dev
  - workflowengine: 2.12.0
Disabled:
  - admin_audit: 1.20.0
  - encryption: 2.18.0
  - files_antivirus: 5.6.1 (installed 5.6.1)
  - suspicious_login: 8.0.0
  - twofactor_nextcloud_notification: 4.0.0 
  - twofactor_totp: 12.0.0-dev
  - user_ldap: 1.21.0
  - weather_status: 1.10.0 (installed 1.9.0)

sshd_config

PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server
ClientAliveInterval 120

Thank you if you could help me :heart_eyes:

SFTP should work in this case, but the highest performing External Storage backend in this case will be Local.

For troubleshooting SFTP, IIRC additional info about the connection/etc should be visible in your Nextcloud log. May require INFO loglevel (1) to temporarily be set.

1 Like
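
A server-side pre-flight check for the key-based SFTP login discussed above, as an added example that is not part of the original thread. The function name `audit_ssh_login` and the key blob are hypothetical; it covers the sshd `StrictModes` path checks and whether the pasted public key is intact in `authorized_keys`.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat, as on Debian.
# With StrictModes (sshd default: yes), authorized_keys is ignored when it,
# ~/.ssh or the home directory is writable by group/others, or is owned by
# anyone other than the login user or root.

# audit_ssh_login HOME UID KEY_BLOB: findings on stdout, status 1 if any.
audit_ssh_login() (
    home=$1; uid=$2; blob=$3; rc=0
    ak="$home/.ssh/authorized_keys"
    for p in "$home" "$home/.ssh" "$ak"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$p")
        owner=$(stat -c '%u' "$p")
        # 022 masks the write bits for group and others.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $p mode=$mode"; rc=1
        fi
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "OWNER $p uid=$owner"; rc=1
        fi
    done
    # The pasted key must be intact on one line (no wrapping or truncation).
    if [ -f "$ak" ] && ! grep -qF -- "$blob" "$ak"; then
        echo "KEY_NOT_FOUND $ak"; rc=1
    fi
    exit "$rc"
)

# Demo on a constructed tree; the key blob is a made-up placeholder.
demo() {
    d=$(mktemp -d) && mkdir "$d/.ssh"
    echo "ssh-rsa AAAAEXAMPLEONLY nextcloud@example" > "$d/.ssh/authorized_keys"
    chmod 700 "$d/.ssh"
    chmod 664 "$d/.ssh/authorized_keys"   # deliberately too permissive
    audit_ssh_login "$d" "$(id -u)" "AAAAEXAMPLEONLY"
    status=$?; rm -rf "$d"; return "$status"
}
demo || echo "Fix the findings above, then re-run: occ files_external:verify 1"
```

On the real host, call it as `audit_ssh_login /home/me "$(id -u me)" '<base64 part of the key shown in the Nextcloud mount settings>'`.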

OK, thank you. About Local, the doc says:

this is a significant security risk

Perhaps I should seek another way to:

  1. Back up my data.
  2. Share what I want with who I want.

The warning re: Local storage is about permitting non-admins to add Local External Storage mounts.

In Nextcloud, there are two categories of External Storage mounts: global and personal.

Permitting non-admins (users) to create mounts of arbitrary server-side directories would be a security risk.

That is not permitted for this very reason.

2 Likes
