Make whole NextCloud instance readonly

Hello,

We are migrating our Nextcloud instance from a shared hoster (All-Inkl.com) to a dedicated Linux server.
For some time we would like to make both the old instance as well as the new instance available to all our users. But the old instance should be 100% readonly for all users (except maybe some admins).
Users should not be able to add, remove or change any files on the old instance. We have around 200 users.

Is there a way to achieve this?

The groupfolders App supports read only shares. But I’m not sure if that’s what you’re looking for.

Maybe this can be accomplished using chmod 555 for directories and 444 for files.

I wanted to test before posting because it will obviously throw some errors, but had no time to do so atm.

I would not recommend this in production.

sudo find ./nc_user_data -type f -print0 | sudo xargs -0 chmod 0444

Use "-type d" for directories and 0555 for chmod.

Again, not suitable for production without testing.

Conclusion of the testing NC v24:

You may change the permission of the NC_DATA/username to 440 and 550 without major issues.
When a user tries to upload or create (WEB interface) they get a forbidden message.
They may download or open with no problem. Files are still accessible but cannot be changed, as requested.

Changing the NC_DATA folder and files to 440 550 gives similar results, but apps no longer work. Files cannot be opened in the WEB interface; .pdf, .md and .txt files will keep loading.
Files can still be downloaded and then opened with…

I would see this as a valid option. As you mentioned 200+ users, I would change NC_DATA and then change the 9 or 10 files/directories needed for apps back manually.

Use these commands on the server where you wish to have everything READ ONLY

Change NC_DATA to what 'datadirectory' => is set to in your config.php

cd NC_DATA
sudo find . -type f -print0 | sudo xargs -0 chmod 0440
sudo find . -type d -print0 | sudo xargs -0 chmod 0550
sudo find ./appdata_XXXXXXX -type d -print0 | sudo xargs -0 chmod 0750
sudo find ./updater_XXXXXXX -type d -print0 | sudo xargs -0 chmod 0750
sudo find ./files_external -type d -print0 | sudo xargs -0 chmod 0750
sudo find ./appdata_XXXXXXX -type f -print0 | sudo xargs -0 chmod 0640
sudo find ./updater_XXXXXXX -type f -print0 | sudo xargs -0 chmod 0640
sudo find ./files_external -type f -print0 | sudo xargs -0 chmod 0640
sudo chmod 640 index.html nextcloud.log updater.log

Replace XXXXXXX with your instanceid that can be found in your config.php.


@Vincent_Stans First of all, thank you. Are you considering permissions set to www-data:root or something else? Moreover, I think the last line of the script is

sudo chmod 640 ../Index.html ../nextcloud.log ../updater.log


I have mine set as www-data:www-data.

No, when you cd into NC_DATA (nextcloud-data) and chmod ../file.ext you move down one directory

/
/folder
/folder/file.ext
/folder/nextcloud-data/  <-- you're here: ../file.ext is 1 file up; ./file.ext or file.ext is this directory, thus 1 file down
/folder/nextcloud-data/file.ext

You should check your datafolder for which files to chmod, as different apps create files there.

ex. audit.log

PS.

I previously forgot to mention the files .ocdata and .htaccess

I am using the Docker container version.
So my fs is as follows:
/Var/www/HTML
Inside there are
./index.html
./data/
Data is the nextcloud data directory following my config, hence if I do
cd NCDATA
I need to go to the previous dir to change index.html permission.
What about .ocdata instead? What do we need to do?
Thank you again

Again, do not change the index.html file in /var/www/HTML or /var/www/HTML/nextcloud or /var/www/nextcloud

/
/var/www/HTML/
/var/www/HTML/nextcloud/index.html <-- Do not touch
/var/www/HTML/nextcloud/data/  <-- you're here ../index.html is 1 file up ( do not touch )  ./index.html or index.html is this directory thus 1 file down
/var/www/HTML/nextcloud/data/index.html 

for .ocdata

sudo chmod 640 /var/www/HTML/nextcloud/data/.ocdata

PS.

Forget the index.html as it is empty and read only is sufficient.
The last line should be

sudo chmod 640 *.log

Really, thanks for your patience, I did not see index.html under ./data.
Side note: I cannot open md files and images unfortunately
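
A check to run after applying the permission scheme worked out in this thread, added here as an example and not code posted by any participant: it lists anything in the data directory that still has a write bit set outside the exceptions named above. The function name `audit_readonly` and the `appdata_*` / `updater_*` globs (standing in for the instanceid suffix) are assumptions.

```shell
#!/bin/sh
# Usage (after sourcing this file): audit_readonly /path/to/NC_DATA
# Exit status: 0 = nothing writable, 1 = offenders printed, 2 = audit failed.
#
# Exceptions taken from the thread (left writable for the web server user):
#   appdata_<instanceid>/, updater_<instanceid>/, files_external/
#   top-level *.log, .ocdata and .htaccess
# Everything else (user folders, index.html) must have no write bit at all.
audit_readonly() {
    data_dir=$1
    if [ ! -d "$data_dir" ]; then
        echo "audit_readonly: not a directory: $data_dir" >&2
        return 2
    fi
    # The subshell keeps the caller's working directory unchanged.
    # A non-zero status from cd or find means the tree was not fully read,
    # so the result is reported as a failed audit rather than as "clean".
    offenders=$(
        cd "$data_dir" || exit 2
        find . \
            \( -path './appdata_*' -o -path './updater_*' \
               -o -path './files_external' \) -prune \
            -o \( -name '*.log' -o -name '.ocdata' -o -name '.htaccess' \) \
               ! -path './*/*' \
            -o \( -type f -o -type d \) \
               \( -perm -200 -o -perm -020 -o -perm -002 \) -print
    ) || return 2
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}
```

The `! -path './*/*'` test limits the `*.log`, `.ocdata` and `.htaccess` exceptions to the top level of the data directory, so a user's own `notes.log` that was left writable is still reported.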