I decided to do it with ACL. Here's what I did:
chown -R jerome:jerome /path/to/nextcloud
setfacl -Rm d:u:www-data:rwX,u:www-data:rwX /path/to/nextcloud
setfacl -Rm d:u:jerome:rwX,u:jerome:rwX /path/to/nextcloud
It seemed to work fine, until I did a CLI update (as user jerome) and Nextcloud wouldn’t start due to config.php not being readable by www-data.
This thread pointed me to the file that does the chmod:
// Prevent others not to read the config
chmod($this->configFilePath, 0640);
I chmodded to 0660 and could login again.
Changing the line to
// Prevent others not to read the config
chmod($this->configFilePath, 0660);
would still prevent the file from being read by others while allowing www-data to write it even when the CLI update is performed by another user of the group.
Would that make sense?
Should I open an issue, or even a PR?
Note: I'm new to ACL and still figuring things out. I thought it would be a silver bullet but then realized that chmod overrides the ACL (rationale here). Maybe this is not the way to go, after all. Thoughts welcome.
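An added illustration (not part of the post above, and not Nextcloud code) of the chmod/ACL interaction the post runs into: on Linux, chmod() on a file that carries an extended ACL rewrites the ACL mask entry from the mode's group bits, and the effective rights of every named user, named group and the owning group are the entry's bits ANDed with that mask. The function below models that rule for a constructed ACL matching the post (owner jerome, named-user entry for www-data) and compares 0640 with 0660; it simulates the rule in memory rather than calling setfacl.

```python
# Model of how chmod() interacts with a POSIX ACL on Linux (see acl(5)):
# the "mask" entry caps the effective rights of named users, named groups
# and the owning group, and chmod() sets mask = group bits of the new mode.
# This is a simulation; nothing here touches the filesystem.

R, W, X = 4, 2, 1

def parse_perms(text: str) -> int:
    """'rw-' / 'rwX' style text -> permission bits (X treated like x)."""
    bits = 0
    for ch in text.lower():
        if ch == "r":
            bits |= R
        elif ch == "w":
            bits |= W
        elif ch == "x":
            bits |= X
    return bits

def perms_str(bits: int) -> str:
    return ("r" if bits & R else "-") + ("w" if bits & W else "-") + ("x" if bits & X else "-")

def effective_acl(acl: dict, mode: int) -> dict:
    """Effective rights after chmod(mode) on a file carrying `acl`.

    The owner (user::) and other:: entries take the mode's bits directly.
    Every other entry (named user/group, owning group) is capped by the
    mask, which chmod derives from the mode's group bits.
    """
    owner_bits = (mode >> 6) & 7
    mask = (mode >> 3) & 7
    other_bits = mode & 7
    result = {}
    for tag, text in acl.items():
        if tag == "user::":
            eff = owner_bits
        elif tag == "other::":
            eff = other_bits
        else:
            eff = parse_perms(text) & mask
        result[tag] = perms_str(eff)
    result["mask::"] = perms_str(mask)
    return result

# Constructed ACL for config.php as the post sets it up: owner jerome plus a
# named-user entry giving www-data read/write (X on a regular file adds nothing).
CONFIG_ACL = {"user::": "rw-", "user:www-data": "rw-", "group::": "rw-", "other::": "---"}

def www_data_can_write(mode: int) -> bool:
    """True if www-data keeps write access after Nextcloud's chmod(mode)."""
    return "w" in effective_acl(CONFIG_ACL, mode)["user:www-data"]

if __name__ == "__main__":
    for mode in (0o640, 0o660):
        print(f"chmod {mode:04o} -> {effective_acl(CONFIG_ACL, mode)}")
```

With 0640 the mask drops to r--, so the www-data entry is capped to read-only regardless of the rw- granted by setfacl; with 0660 the mask stays rw- and the entry keeps its full rights, while other:: remains ---.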