Hello,
we are migrating our Nextcloud instance from a shared hoster (All-Inkl.com) to a dedicated Linux server.
For some time we would like to make both the old instance as well as the new instance available to all our users. But the old instance should be 100% read-only for all users (except maybe some admins).
Users should not be able to add, remove or change any files on the old instance. We have around 200 users.
Is there a way to achieve this?
The groupfolders App supports read only shares. But I'm not sure if that's what you're looking for.
Maybe this can be accomplished using chmod 555 for directories and 444 for files.
I wanted to test before posting because it will obviously throw some errors, but had no time to do so atm.
I would not recommend this in production.
sudo find ./nc_user_data -type f -print0 | sudo xargs -0 chmod 0444
Use "-type d" for directories and 0555 for chmod.
Again, not suitable for production without testing.
Conclusion of the testing NC v24:
You may change the permission of the NC_DATA/username to 440 and 550 without major issues.
When a user tries to upload or create (WEB interface) they get a forbidden message.
They may download or open with no problem. Files are still accessible but cannot be changed, as requested.
Changing the NC_DATA folder and files to 440 550 gives similar results, but apps no longer work. Files cannot be opened in the WEB interface; .pdf, .md, .txt files will keep loading.
Files can still be downloaded and then opened with…
I would see this as a valid option. As you mentioned 200+ users, I would change NC_DATA and then change the 9 or 10 files/directories needed for apps back manually.
Use these commands on the server where you wish to have everything READ ONLY.
Change NC_DATA to what 'datadirectory' => is set to in your config.php.
cd NC_DATA
sudo find . -type f -print0 | sudo xargs -0 chmod 0440
sudo find . -type d -print0 | sudo xargs -0 chmod 0550
sudo find ./appdata_XXXXXXX -type d -print0 | sudo xargs -0 chmod 0750
sudo find ./updater_XXXXXXX -type d -print0 | sudo xargs -0 chmod 0750
sudo find ./files_external -type d -print0 | sudo xargs -0 chmod 0750
sudo find ./appdata_XXXXXXX -type f -print0 | sudo xargs -0 chmod 0640
sudo find ./updater_XXXXXXX -type f -print0 | sudo xargs -0 chmod 0640
sudo find ./files_external -type f -print0 | sudo xargs -0 chmod 0640
sudo chmod 640 index.html nextcloud.log updater.log
Replace XXXXXXX with your instanceid that can be found in your config.php.
@Vincent_Stans First of all, thank you. Are you considering the permissions set to www-data:root or something else? Moreover, I think the last line of the script is
sudo chmod 640 ../Index.html ../nextcloud.log ../updater.log
I have mine set as www-data:www-data.
No, when you cd into NC_DATA (nextcloud-data) and chmod …/file.ext you move down one directory
/
/folder
/folder/file.ext
/folder/nextcloud-data/ <-- you're here ../file.ext is 1 file up \ ./file.ext or file.ext is this directory thus 1 file down
/folder/nextcloud-data/file.ext
You should check your data folder for which files to chmod, as different apps create files there.
ex. audit.log
PS.
I previously forgot to mention the files .ocdata and .htaccess
I am using the Docker container version.
So my fs is as follows:
/Var/www/HTML
Inside there are
./index.html
./data/
Data is the Nextcloud data directory following my config, hence if I do
cd NCDATA
I need to go to the previous dir to change the index.html permission.
What about .ocdata instead? What do we need to do?
Thank you again.
Again, do not change the index.html file in /var/www/HTML or /var/www/HTML/nextcloud or /var/www/nextcloud
/
/var/www/HTML/
/var/www/HTML/nextcloud/index.html <-- Do not touch
/var/www/HTML/nextcloud/data/ <-- you're here ../index.html is 1 file up ( do not touch ) ./index.html or index.html is this directory thus 1 file down
/var/www/HTML/nextcloud/data/index.html
for .ocdata
sudo chmod 640 /var/www/HTML/nextcloud/data/.ocdata
PS.
Forget the index.html, as it is empty and read only is sufficient.
The last line should be
sudo chmod 640 *.log
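The chmod sequence from the posts above, collected into one script with a follow-up audit. This is an added example, not code from the original posts: the function names are hypothetical, and the exempt list (appdata_*, updater_*, files_external, .ocdata, .htaccess, *.log) is assumed from what the thread names as needing write access.

```shell
#!/bin/sh
# Added example, not from the thread's authors. Applies the layout discussed
# above: everything read-only, except the entries the thread keeps writable.
# Usage: sh readonly.sh /path/to/datadirectory   (as root or the file owner)

# Top-level names kept writable (appdata_*, updater_* carry the instanceid).
is_exempt() {
    case ${1##*/} in
        appdata_*|updater_*|files_external|.ocdata|.htaccess|*.log) return 0 ;;
    esac
    return 1
}

make_data_readonly() {
    data=$1
    # The thread's data directory contains .ocdata; refuse to run elsewhere.
    [ -f "$data/.ocdata" ] || { echo "no .ocdata in $data" >&2; return 1; }
    # Step 1: files 0440, directories 0550, as in the thread.
    find "$data" -type f -exec chmod 0440 {} +
    find "$data" -type d -exec chmod 0550 {} +
    # Step 2: give the exempt entries back 0640 / 0750.
    for p in "$data"/* "$data"/.[!.]*; do
        [ -e "$p" ] || continue      # an unmatched glob stays literal
        is_exempt "$p" || continue
        find "$p" -type d -exec chmod 0750 {} +
        find "$p" -type f -exec chmod 0640 {} +
    done
}

# Audit: print non-exempt paths that still carry any write bit.
list_writable() {
    for p in "$1"/* "$1"/.[!.]*; do
        [ -e "$p" ] || continue
        is_exempt "$p" && continue
        find "$p" ! -type l \( -perm -200 -o -perm -020 -o -perm -002 \) -print
    done
}

if [ "$#" -eq 1 ]; then
    make_data_readonly "$1" && list_writable "$1"
fi
```

An empty result from list_writable means no user file or folder is writable any more; rerun it after app installs or updates, since those may create new entries in the data directory.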
Really, thank you for your patience; I did not see index.html under ./data.
Side note: I cannot open md files and images unfortunately
The easiest and faster way is to modify the nginx proxy configuration:
$ vim config/nginx/default_proxy.conf
...
+ location / {
+ limit_except GET HEAD PROPFIND OPTIONS {
+ deny all;
+ }
+ }
....
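Review bot: the method list on the limit_except line leaves POST denied for every URI under location /, which covers form submissions such as sign-in as well as uploads and deletes; any path that has to accept POST needs its own, more specific location with a wider limit_except list. HEAD can be dropped from the list, because nginx allows HEAD whenever GET is allowed. The added location / block holds only limit_except; if default_proxy.conf already defines location / (the elided lines do not show it), the limit_except belongs inside that existing block, since nginx rejects a second location / in the same server.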
But what about the login? Doesn't it use POST requests?
Could an exception be made for /login and are there any other endpoints that would require an exception?