Nextcloud 13.0.1, 12.0.6 and 11.0.8 available with improved password protection

The faking was needed when migrating from OC 10.07 to NC 12.0.6; the migration script chose that version. As I said in my other post, I followed this guide: https://nextcloud.com/migration/

Is this script up to date for rechecking file permissions?

#!/bin/bash
ncpath='/var/www/nextcloud'
htuser='www-data'
htgroup='www-data'
rootuser='root'

printf "Creating possible missing Directories\n"
mkdir -p $ncpath/data
mkdir -p $ncpath/assets
mkdir -p $ncpath/updater

printf "chmod Files and Directories\n"
find ${ncpath}/ -type f -print0 | xargs -0 chmod 0640
find ${ncpath}/ -type d -print0 | xargs -0 chmod 0750

printf "chown Directories\n"
chown -R ${rootuser}:${htgroup} ${ncpath}
chown -R ${htuser}:${htgroup} ${ncpath}/apps/
chown -R ${htuser}:${htgroup} ${ncpath}/assets/
chown -R ${htuser}:${htgroup} ${ncpath}/config/
chown -R ${htuser}:${htgroup} ${ncpath}/data/
chown -R ${htuser}:${htgroup} ${ncpath}/themes/
chown -R ${htuser}:${htgroup} ${ncpath}/updater/

chmod +x ${ncpath}/occ

printf "chmod/chown .htaccess\n"
if [ -f ${ncpath}/.htaccess ]
 then
  chmod 0644 ${ncpath}/.htaccess
  chown ${rootuser}:${htgroup} ${ncpath}/.htaccess
fi
if [ -f ${ncpath}/data/.htaccess ]
 then
  chmod 0644 ${ncpath}/data/.htaccess
  chown ${rootuser}:${htgroup} ${ncpath}/data/.htaccess
fi

Just want to ask if it is up to date and whether I can use it in 13.x anyway. I found the script on a website for installing nc and it should do all the stuff that's necessary. But what is the assets directory for?
Cheers
Edit: Found it again in the documentation of nc9:
https://docs.nextcloud.com/server/9/admin_manual/installation/installation_wizard.html#setting-strong-directory-permissions
Why is it gone from the latest versions of the documentation?


See here:


Is there a problem if I ran it once after the update anyway? Or does the updater do the stuff itself?
Of course I commented out the assets directory. What was the folder assets for?
I saved the script in my home directory /home/user/ with ownership root (so no other user is able to edit the file and can't run it) and it's not located in the directory of www-data (/var/www/).

Also take care of the data directory in case it is located elsewhere (not in ${ncpath}). And what's more, the

chmod +x ${ncpath}/occ

line seems to set execution permission to world. This is a security risk, of course.

Is there a way to repair the permissions? You're definitely right and I was trapped in a relic of previous times :smile:
Any suggestions on what I can do? :unamused:

And how does Nextcloud 13 handle this? Is the updater now responsible for file permissions?
Thank you in advance for the explanation :wink:

Why do you think the permissions are broken in the first place? Does the cloud work? Are there any problems? There should not be any differences in NC 13. Give us a listing of the output of

ls -la

in the nc root directory. Is this a Debian / Ubuntu system? My directory looks like this:

drwxr-xr-x 33 www-data www-data  4096 Mär 16 19:17 3rdparty
drwxrwxrwx 38 www-data www-data  4096 Mär 16 19:17 apps
-rw-r--r--  1 www-data www-data 12063 Mär 16 19:16 AUTHORS
drwxrwxrwx  2 www-data www-data  4096 Mär 17 17:23 config
-rw-r--r--  1 www-data www-data  3593 Mär 16 19:16 console.php
drwxr-xr-x 17 www-data www-data  4096 Mär 16 19:17 core
-rw-r--r--  1 www-data www-data  4946 Mär 16 19:17 cron.php
-rw-r--r--  1 www-data www-data  2806 Mär 16 19:17 .htaccess
-rw-r--r--  1 www-data www-data   179 Mär 16 19:17 index.html
-rw-r--r--  1 www-data www-data  3417 Mär 16 19:16 index.php
drwxr-xr-x  6 www-data www-data  4096 Mär 16 19:17 lib
-rw-r--r--  1 www-data www-data   283 Mär 16 19:16 occ
drwxr-xr-x  2 www-data www-data  4096 Mär 17 17:17 ocs
drwxr-xr-x  2 www-data www-data  4096 Mär 16 19:17 ocs-provider
-rw-r--r--  1 www-data www-data  3214 Mär 16 19:17 public.php
-rw-r--r--  1 www-data www-data  5370 Mär 16 19:16 remote.php
drwxr-xr-x  4 www-data www-data  4096 Mär 16 19:17 resources
-rw-r--r--  1 www-data www-data    26 Mär 16 19:16 robots.txt
drwxr-xr-x 14 www-data www-data  4096 Mär 16 19:17 settings
-rw-r--r--  1 www-data www-data  2274 Mär 16 19:16 status.php
drwxr-xr-x  3 www-data www-data  4096 Mär 16 19:17 themes
drwxr-xr-x  6 www-data www-data  4096 Mär 16 19:17 updater
-rw-r--r--  1 www-data www-data   163 Mär 16 19:16 .user.ini
-rw-r--r--  1 www-data www-data   362 Mär 16 19:16 version.php

You might consult the documentation :wink:
See number 9 here:
https://docs.nextcloud.com/server/13/admin_manual/maintenance/manual_upgrade.html


Thank you. Now all is fine, just one problem left.

I followed this tutorial: Howto: Change / Move data directory after installation

And used Method 2 to symlink out my data directory. When I do what you suggested in number 9, do I need to do this also on the linked directories? Or does Linux do it automatically? I looked now in the directory and the symlink itself is 777.
To be on the secure side:
I went to /var/www/ and followed your suggestion. Was this right or do I need to go into the nextcloud directory?

I looked at the linked directory:

drwxrwx--- 19 www-data www-data 4096 Feb 28 07:25 data

This is still correct, but inside it things do not seem to look correct, e.g.:

-rwxrwxrwx 1 www-data www-data 1126022 Mar 17 11:37 updater.log
drwxr-xr-x 4 www-data www-data 4096 Mar 17 11:42 updater-oc6t6ey2ygrc
drwxrwxrwx 4 www-data www-data 4096 Aug 19 2017 updater-oc6wqgwqj867

Now I see that I have a bigger problem with my permissions and I will open a new topic for this next time, sorry for spamming for support in the news category :wink:

You also have lines that are executable for others :wink: So I'm still asking what the safest solution is :slight_smile:
When you follow Bernie_O's suggestion your permissions will look different from your previous ones.
So it's a little bit confusing for me and that's the reason why I'm asking :slight_smile:


The x that you see in the “other” row are directories, so these are not executable flags. You might still be right, @Bernie_O has good suggestions.

Yes, if you mean the first flag. But you also have an x = executable for others. It's like 751 atm, but as in the documentation you need, to my understanding, 750 for your directories :wink: For example your settings directory :wink:

I hope somebody can answer my question about the symlinked directories in my post #47 (Nextcloud 13.0.1, 12.0.6 and 11.0.8 available with improved password protection)

No, I mean the third flag for others. The x flag on directories does not mean executable (you cannot execute a directory) but only accessible. For the content of the directory the normal access rules apply. So you still need the x flag to execute files; this is not given by the x flag of the containing directory. Still, to enhance security it is useful to remove the x flag from directories as well.


The symlink itself by default is 777, which is no problem if the permissions of the actual data directory are stricter, which is what counts.

As theoretically only the webserver needs access to the actual data directory, it should be possible to set its permissions to 700 for folders and 600 for files. If you want to be on the secure side, just set data/.htaccess permissions to 400, or owned by root:www-data and 640. But the webserver configuration should prevent direct access to this anyway.

When I do this in /var/www/

chown -R www-data:www-data nextcloud
find nextcloud/ -type d -exec chmod 750 {} \;
find nextcloud/ -type f -exec chmod 640 {} \;

it will not be reflected by the symlink, will it?

I thought it would also reflect the symlinks, but in the data structure I see this, for example:

drwxr-xr-x 4 www-data www-data 4096 Feb 12 22:10 test

So I need to run these commands also in the symlinked structure?
@eehmke It's Debian.

total 120
drwxr-x--- 13 www-data www-data 4096 Mar 17 11:36 .
drwxr-xr-x 5 root root 4096 Feb 17 16:02 ..

The first one is the nextcloud dir and the second is www :wink:

Is that also correct?

As said, the permissions of the symlink /path/to/nextcloud/data don't matter. Just the permissions of the actual data folder, where the link is pointing to, are relevant, and changing them will not be reflected by the symlink.

Thx for clarifying my questions. So I need to run the commands again for the data directory the link is pointing to?

Yes exactly, chown/chmod does not follow symlinks.

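An audit-and-repair helper for the layout this thread ends up with (a data directory reached through a symlink, the documented 0750/0640 scheme, and an occ that is not world-executable), written as an added example that is not code from the thread or from Nextcloud. The function names are assumed for illustration, the web-user ownership (chown) is left to the admin because it needs root, and the real data directory is resolved with readlink -f so it gets checked even though find and chown -R never descend into a symlink:

```shell
#!/bin/bash
# Added example (not from the thread or from Nextcloud): audit and repair
# permissions in a Nextcloud tree whose data directory may be a symlink.
# Assumed layout: "$ncpath/data" is either a real directory or a symlink
# to the real data directory somewhere else on the host.

# List every entry under "$1" that grants any permission to "others".
# The data symlink itself (always 777, harmless) is pruned and the real
# data directory is searched instead, because find never descends into a
# symlink unless told to.
nc_world_access() {
  local ncpath="${1%/}"
  local datadir
  datadir=$(readlink -f "$ncpath/data")
  # -perm /007: any of the other-read/write/execute bits is set
  find "$ncpath" -path "$ncpath/data" -prune -o -perm /007 -print
  if [ -n "$datadir" ] && [ -d "$datadir" ]; then
    find "$datadir" -perm /007 -print
  fi
}

# Number of offending entries; a cron check can alarm on anything non-zero.
nc_world_access_count() {
  nc_world_access "$1" | wc -l | tr -d ' '
}

# Apply the documented 0750/0640 scheme to the tree and to the real data
# directory, then make occ runnable by owner and group only. A bare
# "chmod +x occ" with the usual umask 022 also grants execute to "others",
# which is the line criticised earlier in the thread.
nc_fix_perms() {
  local ncpath="${1%/}"
  local datadir root
  datadir=$(readlink -f "$ncpath/data")
  for root in "$ncpath" "$datadir"; do
    [ -d "$root" ] || continue
    find "$root" -type d -exec chmod 0750 {} +
    find "$root" -type f -exec chmod 0640 {} +
  done
  if [ -f "$ncpath/occ" ]; then
    chmod 0750 "$ncpath/occ"
  fi
}
```

Run nc_world_access_count before and after nc_fix_perms; the count should drop to 0 while occ stays executable for the owner and the www-data group.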

Thx for explaining permissions for symlinks :slight_smile: It will help me a lot in future :wink:

Update seemed to go smoothly. Only thing I noticed is now I get a trusted domain error in my logs? Guess I spoke too soon. I tried to update my theme and the change did not work and I got the following error messages.

Doctrine\DBAL\Exception\UniqueConstraintViolationException: An exception occurred while executing ‘INSERT INTO oc_filecache (mimepart,mimetype,mtime,size,etag,storage_mtime,permissions,parent,checksum,path_hash,path,name,storage) SELECT ?,?,?,?,?,?,?,?,?,?,?,?,? FROM oc_filecache WHERE storage = ? AND path_hash = ? HAVING COUNT(*) = 0’ with params