is it really necessary that the .htaccess file is writeable for the user www-data ?
I’m neither a security nor an apache guru, but this weird.
If an attacker finds a hole in Apache he is able to manipulate the .htaccess file !
What is about assigning the file to root:root and changing to www-data:www-data when changing the configuration and afterwards reassigning to root:root. That’s a bit complicated, but in my eyes much safer. Or does it have be to writeable for www-data the whole time ?
I haven‘t done research if the hardening docs have changed since the start of nextcloud. Some years ago I found scripts that would change permissions on the nc-structure before and after upgrade. And actually I have .htaccess at
chmod 644 and
That being said, nextcloud setting page will show all tests passed even if the permissions aren‘t hardened. (The script changes other files to be owned by root)
thanks for your answer. Just to be clear: you have these permissions and owners and your nextcloud is still running without problems ?
yes - that’s right. (I just have to change the permissions before the update.)
Have you seen the discussion here? No hardened file permissions recommended anymore?
The pros and cons are laid out there.
thanks for your answer. I didn’t know this discussion, i will check it.