File permissions when moving files from nextcloud to external storage

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 30.0.10.1
  • Operating system and version (e.g., Ubuntu 24.04):
    • nextcloud AIO docker installed on Centos Stream 9
  • Web server and version (e.g, Apache 2.4.25):
    • Apache 2.4.63
  • Reverse proxy and version (e.g. nginx 1.27.2):
    • n/a
  • PHP version (e.g, 8.3):
    • 8.3.20
  • Is this the first time you’ve seen this error? (Yes / No):
    • Question not an error
  • When did this problem seem to first start?
    • I think it’s default
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • AIO
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • No

Summary of the issue you are facing:

TLDR: What’s the best way to manage permissions on files saved to shared external storage?

I am using Nextcloud on a home server for my family to manage their own and shared files. We have a shared family photo album that we put our photos into. We also have a bunch of shared files etc. Both the shared album and shared files have existed for a long time prior to using Nextcloud, and are backed up using Duplicati.

Both my partner and I have users on the local server, with the group “family” which used to own the files in these share drives. So for example photos created by me were owned by me:family with 0664 permissions, and those created by my partner were them:family with the same permissions. This way we still owned our own creations, but each of us had full access to manage them. To manage the photos and videos we create, I run a cron job every day to rename them based on metadata and move them to type/date based directories (using exiftool). I also archive old/infrequently accessed files into a deep store for cheaper backup. To run these tasks the “me” user needs to be able to rename and move files around.

When I added the external storage to nextcloud I also changed the ownership of all these files to www-data:www-data. I gave my partner and I membership to www-data group which seemed to work - now I could access the files directly from the server and run backups etc. The down side is I could no longer move files that were newly added to the shares unless I used the nextcloud interface (so no more automated archiving), and we can’t see who originally owned the file. But it seemed to work for now.

Unfortunately the shared photo album isn’t working so well. I use the nextcloud app to save the photos we take to a holding directory in the photo album, and then run a cron job every day to file the photos and videos via exiftool which renames and moves the files based on metadata. These photos are all created in the nextcloud app with ownership www-data:www-data and permissions 0644. This means that only www-data user can move them, which in turn means I can’t automate the filing and backup process from my normal user.

I think I have a couple of potential solutions and want advice on which is the best for my situation.

Option 1: include a step in the cron job to chmod all the files in the shared directory to add g+w. I could limit this to newly created files so it wouldn't take long each day. This would mean members of www-data (i.e. me, my partner and www-data) can properly manage the files. Seems like a simple enough option.

Option 2: run the cron job from the www-data user. I think I'd also need to use that user to run our backup software Duplicati, rather than running that as me right now. Both these options are fine; the only downside that I can think of is that I'd need to remember to check the cron logs for that user every now and then to make sure that the script is running. Or I guess I could add a script to my cron that runs commands as the www-data user. Both work OK and would mean I don't need to change file permissions.

Option 3: make it so Nextcloud flags shared files (i.e. anything on the external storage) with the same permissions for user and group (i.e. 0664 rather than 0644, and 775 for executables). Is this possible? The "default share permissions" in the sharing settings don't seem to affect file permissions. This would mean I don't need to mess around with cron and sudo.

Option 4: run Nextcloud as a different user. This would just mean running the AIO docker from my user by default, which I do for many of my other containers. From what I read this one is not possible for "technical reasons", whatever that means.

Which of these is better?
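One way to implement Option 1 as a daily cron script, added here as an example and not code from the thread or from Nextcloud itself. It assumes the external storage root and a "last run" stamp file are passed in as arguments (both names are my choice), and that the cron user is a member of the www-data group, so adding the group write bit is what lets it rename and move files that Nextcloud created as www-data with mode 0644. The stamp file means only files added since the previous run are examined; the first run checks everything. The demo at the end runs against a constructed temporary tree, never a real share:

```shell
#!/bin/sh
# Added example of Option 1 (not from the thread). Assumed interface: the
# external storage root and a run-stamp file path are given as arguments;
# the cron user is in the www-data group, so g+w is what it needs.

# Add group write to files added or changed since the last run. On the first
# run (no stamp yet) every regular file is checked; afterwards only files
# newer than the stamp. -perm -020 matches files that already have the
# group write bit, so "! -perm -020" selects only the ones still missing it.
fix_group_write() {
    share_root="$1"
    stamp="$2"
    if [ -f "$stamp" ]; then
        find "$share_root" -type f -newer "$stamp" ! -perm -020 \
            -exec chmod g+w {} +
    else
        find "$share_root" -type f ! -perm -020 -exec chmod g+w {} +
    fi
    # Record this run; the next run only looks at files newer than this.
    touch "$stamp"
}

# Return 0 when no regular file under $1 lacks the group write bit.
all_group_writable() {
    [ -z "$(find "$1" -type f ! -perm -020 -print | head -n 1)" ]
}

# Self-contained check on a constructed temporary tree (no real share touched).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/share/holding"
    # Day one: a "photo" uploaded with the 0644 mode the poster describes.
    : > "$tmp/share/holding/IMG_0001.jpg"
    chmod 0644 "$tmp/share/holding/IMG_0001.jpg"
    fix_group_write "$tmp/share" "$tmp/.last_run"
    if ! all_group_writable "$tmp/share"; then
        rm -rf "$tmp"
        return 1
    fi

    # Day two: a new upload arrives; only it should need fixing.
    sleep 1   # filesystem mtime granularity can be a whole second
    : > "$tmp/share/holding/IMG_0002.jpg"
    chmod 0644 "$tmp/share/holding/IMG_0002.jpg"
    fix_group_write "$tmp/share" "$tmp/.last_run"
    if all_group_writable "$tmp/share"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}
```

In a crontab this would be called as `fix_group_write /path/to/external-storage /var/lib/myscripts/.share_stamp` before the exiftool step. Two caveats worth keeping in mind: the script only changes the mode, never the owner, so files remain www-data:www-data and Nextcloud keeps working with them; and renames or moves done outside Nextcloud are not visible to it until the external storage is rescanned, which the last reply in this thread is warning about.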

Why do you make it as complicated as you do? Why not simply use WebDAV? If the family photo album is shared inside Nextcloud, you just need to set up a WebDAV mount, either on the Nextcloud host itself or on any other Linux device, in its /etc/fstab, e.g. like this:

# Mount WebDAV drives:
https://nextcloud.yourdomain.com/remote.php/dav/files/User/       /media/Nextcloud/User         davfs           user,noauto             0       0

Now you can do all the renames and moves with the normal user that was used to mount the WebDAV share. You can also do the backup from there with normal user access.

Thanks for responding. Just to confirm, you suggest that I access the files using a WebDAV share, even when accessing the files from the server on which they are physically located? It's "external storage" to the Nextcloud instance (also located on the same server) but is actually just a data directory on the server.

I used to use a simpler share-based approach but switched to Nextcloud because I thought it would be a more stable way to manage access and automate uploads etc., rather than using Google Drive or Dropbox or some other service to automatically grab photos as they are taken, along with providing private and more easily accessed file sharing for everyone in the family. I think you're suggesting going back to the way it was?

Yes. The WebDAV example is still on my own Nextcloud server. I use cron jobs not for photo files, but for OpenAndroMaps. I ride bicycles a lot and use an Android app called OruxMaps for that, which works with offline maps. A cron job updates these maps at night and saves them in my Nextcloud using WebDAV mounts.

The phone then gets the updated map files somewhat later in the same night using FolderSync, also from my own Nextcloud. Other family members and their phones do the same. So the maps need to be downloaded just once a night over the Internet connection. FolderSync does the sync via Wi-Fi every night the phone is connected to the home Wi-Fi.

For the Nextcloud itself this is the same as any other upload or download with any Nextcloud client would be.

General advice:

It's best to access files stored in Nextcloud through an official interface, e.g. WebDAV, so the application can keep track of changes and offer functions like the trashbin and versions. If you tamper with Nextcloud's storage the system might behave unexpectedly and data loss might occur.

Long story short: Nextcloud is designed to fully control the storage. This is the reason the files in the storage are owned by www-data and not Alice or Bob. If you start manipulating these files you are sooner or later in trouble; don't do this :warning: It's fine to read the files, e.g. for backups.
