Major Security issue with Local External Storage

Because Nextcloud is run as ‘apache’ or whatever web server user you’re using, and that user must have ownership of the NC installation files / webroot, it’s possible for any user that has been given “Local” mount permissions to mount the NC root, and be able to bring up the ~/nextcloud/config/config.php file, giving them access to things like the database credentials, password salt, redis credentials, etc.

I know that I’m going to get answers like, don’t give local mount access, or use a secondary admin with fewer rights but these are bandaids for a glaring security issue. There are lots of reasons why you want to allow local mounts by your users, and there are also lots of scenarios where the admin user of Nextcloud should potentially be restricted from certain paths in the filesystem.

Is there a configuration option to completely lock out certain filesystem paths from the app configuration file, or the system configuration? (read: NOT FROM THE WEB CONSOLE, which defeats the purpose since the admin user would still be able to remove those locks).

If not, I’d like to propose a two-way config option that would create either an allow-list, or a deny-list, something like this…

$CONFIG = array (
  'external_storage' => array (
    'paths_allow' => array (
      '/mnt/',
    ),
    'paths_deny' => array (
      '/var/www/nextcloud/',
    ),
  ),
);

I know that in the example above, the block of the /var/www/nextcloud/ is not applicable in the context of what’s allowed, but I would suggest that paths_allow and paths_deny are not mutually exclusive… you wouldn’t have to use both, but you can if you need to, such as the case of /mnt/ where a path is allowed but a specific sub-folder is denied.

If there is a facility to do this already, that’s great, please point it out, but if not, I would be willing to put time into a pull request to add this functionality to the app, and would appreciate suggestions.


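One way the proposed allow/deny semantics could be enforced, as an added illustration rather than code from Nextcloud or the original poster. The policy shape mirrors the proposal above; the '/mnt/private' deny entry and the request paths are constructed examples, and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumed policy shape from the proposal; '/mnt/private' is a constructed sub-folder example.
const POLICY = [
    'paths_allow' => ['/mnt'],
    'paths_deny'  => ['/var/www/nextcloud', '/mnt/private'],
];

/** Collapse '.', '..' and repeated slashes so a prefix check cannot be dodged lexically. */
function canonicalize(string $path): string
{
    $parts = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts); // never climbs above '/'
            continue;
        }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

/** True when $path equals $prefix or sits below it on a directory boundary (PHP 8+ for str_starts_with). */
function isUnder(string $path, string $prefix): bool
{
    return $prefix === '/' || $path === $prefix || str_starts_with($path, $prefix . '/');
}

/**
 * Deny entries win over allow entries; if paths_allow is non-empty the path must sit under one of them.
 * On a live system the caller must pass the user-supplied path through realpath() first,
 * otherwise a symlink under an allowed directory could point back into a denied one.
 */
function isLocalMountPermitted(string $requested, array $policy): bool
{
    $path = canonicalize($requested);
    foreach ($policy['paths_deny'] ?? [] as $deny) {
        if (isUnder($path, canonicalize($deny))) {
            return false;
        }
    }
    $allow = $policy['paths_allow'] ?? [];
    if ($allow === []) {
        return true; // no allow-list configured: only the deny-list applies
    }
    foreach ($allow as $ok) {
        if (isUnder($path, canonicalize($ok))) {
            return true;
        }
    }
    return false;
}

// Constructed requests; the '..' attempt is refused because it canonicalizes into the denied webroot.
foreach (['/mnt/shared/docs', '/mnt/private/keys', '/mnt/shared/../../var/www/nextcloud/config', '/home/alice'] as $req) {
    printf("%-45s %s\n", $req, isLocalMountPermitted($req, POLICY) ? 'allowed' : 'denied');
}
```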


In general please submit things you think are issues to

Yes, giving users local mount permissions creates all kinds of issues. For example, you have write permissions to other folders your webserver has access to as well, etc. Hence this is not recommended.

What you describe is not there. But a PR would be welcome.



Thanks @rullzer, wasn’t aware of hackerone, will use that going forward.