My Nextcloud server was setup as a root user

NikolaS · September 19, 2023, 9:34pm

Hello,

I’ve had a “test” NextCloud instance running on my web server for around 2 years that I’ve created with the root user. So the whole web application in the public directory was owned by root. That’s probably as I was running 777 permissions on all files. I’ve checked the logs and don’t see anything fishy, but as this is a “backup/beta” server for me, I’d like to check if there’s a way my installation was compromised somehow.

I know it was dangerous leaving it as is, but what harm could have been done and what are the steps I should take? I know I’m not the first or the last one to do this. Stupid sudo su.

I’ve got Teamcity and Jenkins running here to deploy my build to production so I’m scared not to deploy malware there.

I’ve got clamav that I ocassionaly use:

----------- SCAN SUMMARY -----------
Known viruses: 8672753
Engine version: 0.103.10
Scanned directories: 21567
Scanned files: 103565
Infected files: 0
Data scanned: 5046.54 MB
Data read: 10907.13 MB (ratio 0.46:1)
Time: 853.050 sec (14 m 13 s)
Start Date: 2023:09:19 23:14:27
End Date: 2023:09:19 23:28:40
[root@xxxxx bin]#

Thanks a bunch guys,

Have a good day.

devnull · September 20, 2023, 6:55am

I don’t think that it is really a security risk to use all folders and files with 777 even if security experts like to claim the opposite.

It might be risky if you have normal users on your server because these users get write access because of other (last 7 of 777). But normal attacks on server systems without normal users are done via the services themselves. And with e.g. Apache2/nginx incl. Nextcloud www-data:www-data of course also has the authorization 775 or 770. And whether www-data received authorization 7 via other (777) is then also irrelevant.

wwe · September 21, 2023, 7:27pm

from Nextcloud point of view I fully agree with devnull. the only additional attack vector would be if the server is compromised through another service running on the same system (this where 777 becomes relevant).

The files and database content stored in the application are “passive” so they are not executed by the application. you can migrate the data to another “safe” system and this will left behind all theoretical malware living on your current system.