Is it really necessary that the .htaccess file is writeable for the user www-data?
I'm neither a security nor an Apache guru, but this seems weird.
If an attacker finds a hole in Apache he is able to manipulate the .htaccess file!
What about assigning the file to root:root and changing it to www-data:www-data when changing the configuration, and afterwards reassigning it to root:root? That's a bit complicated, but in my eyes much safer. Or does it have to be writeable for www-data the whole time?
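The workflow proposed above (keep .htaccess owned by root, hand it to the web server user only while the configuration is being changed, then take it back) as an added shell example; this is not code from the thread or from the Nextcloud project. It assumes a Linux host with GNU coreutils (`stat -c`), a web server user named www-data, and the path `/var/www/nextcloud/.htaccess`, all of which are placeholders to adjust. The chown steps need root; the check function does not.

```shell
#!/bin/sh
# Added example, not from the thread. Keeps .htaccess root-owned and
# read-only for the web server, and opens it to the web server user only
# for the duration of one command. Assumes GNU stat (Linux).

# htaccess_is_hardened FILE UID GID MODE
# Returns 0 when FILE is a regular file owned by numeric UID:GID with
# octal mode MODE (e.g. 0 "$(id -g www-data)" 644). Numeric ids are
# compared so the check does not depend on name lookups.
htaccess_is_hardened() {
  file=$1; want_uid=$2; want_gid=$3; want_mode=$4
  [ -f "$file" ] || return 1
  actual=$(stat -c '%u:%g:%a' "$file") || return 1
  [ "$actual" = "$want_uid:$want_gid:$want_mode" ]
}

# harden_htaccess FILE [OWNER] [GROUP] [MODE]
# Re-applies the hardened ownership and mode (default root:www-data 644,
# i.e. the web server can read the file but not write it). Needs root.
harden_htaccess() {
  file=$1; owner=${2:-root}; group=${3:-www-data}; mode=${4:-644}
  chown "$owner:$group" "$file" && chmod "$mode" "$file"
}

# with_writable_htaccess FILE WEBUSER CMD [ARGS...]
# Temporarily gives WEBUSER ownership and write access to FILE, runs CMD,
# then re-hardens FILE whether or not CMD succeeded, and returns CMD's
# exit status. Example (as root, hypothetical command):
#   with_writable_htaccess /var/www/nextcloud/.htaccess www-data \
#     sudo -u www-data php occ maintenance:update:htaccess
with_writable_htaccess() {
  file=$1; webuser=$2; shift 2
  chown "$webuser:$webuser" "$file" && chmod 664 "$file" || return 1
  "$@"; rc=$?
  harden_htaccess "$file"
  return $rc
}

# Report whether a given .htaccess is currently hardened (no root needed).
# Usage: report_htaccess /var/www/nextcloud/.htaccess
report_htaccess() {
  if htaccess_is_hardened "$1" 0 "$(id -g www-data 2>/dev/null || echo 0)" 644; then
    echo "OK: $1 is root-owned and not writeable by the web server"
  else
    echo "WARN: $1 is not hardened: $(stat -c '%U:%G %a' "$1" 2>/dev/null)"
  fi
}
```

The re-hardening step runs unconditionally after the wrapped command, so a failed update does not leave the file writeable by www-data. Because, as noted later in the thread, the Nextcloud settings page does not report on these permissions, `report_htaccess` is the kind of check to run after an upgrade.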
I haven't done research on whether the hardening docs have changed since the start of Nextcloud. Some years ago I found scripts that would change permissions on the nc-structure before and after upgrade. And actually I have .htaccess at chmod 644 and chown root:www-data.
That being said, the Nextcloud settings page will show all tests passed even if the permissions aren't hardened. (The script changes other files to be owned by root.)
Best, Bernd