Nextcloud data file/folder permissions (current permissions safe?)

System info

Nextcloud version (eg, 20.0.5): 20.0.5
Operating system and version (eg, Ubuntu 20.04): Raspbian GNU/Linux 10 (buster)
Apache or nginx version (eg, Apache 2.4.25): Apache/2.4.38
PHP version (eg, 7.4): 7.3.19-1

Hello,

I have a rather generic question. Quite a long time ago I set up Nextcloud on my RaspberryPi, using a separate directory for Nextcloud data: /nextcloudfiles (i.e. subfolder in root).

In there I see one sub-folder per user, as well as some log files. They’re all owned by www-data:www-data with drwxr-xr-x (755) permissions.

Now, doing something else I just realised this, and wondered if it’s OK that the ‘other’ users and groups on the system have access? I mean, in theory nobody but me should have access to those, as there’s no ‘normal’ users and I followed other security instructions in the NC documentation.

But still - would it be better to change the existing permissions and update the umask settings in apache (to 027) to cover future files & directories?

Here I saw that (quite some years ago) the default permissions would be set to 600 when updating. Is that still true? If so, and given that my permissions are different, should I correct this?

Many thanks!

Hi @glotzbach,
if you want to have more security, set the folder permission to 770 or 700 (the owner and the group are the same). The other users cannot have access to the data, although they have permission on the file, because they don’t have permissions on the parent folder.

Do you have “other” user than root or www-data? Where is the risk with “other” user?

An attacker uses apache2 (user www-data) from outside and not ssh (user pi?) from inside your network. Deactivate ssh from outside.

Hello, I am also worried about permissions on an instance (with Yunohost). I don’t know why users’ folders and files don’t have the same permissions…

for example:

```
ls -l /home/yunohost.app/nextcloud/data/
total 70484
drwxr-x--- 15 nextcloud nextcloud     4096 Nov 30 20:22 appdata_oca57jamn4xu
drwxr-xr-x  5 nextcloud nextcloud     4096 Mar 21 10:04 user1
drwxr-xr-x  4 nextcloud nextcloud     4096 Mar 24 22:38 user2
drwxr-x---  5 nextcloud nextcloud     4096 Apr 11 13:53 user3
drwxr-x---  4 nextcloud nextcloud     4096 Mar 28 09:38 user4
drwxr-x---  7 nextcloud nextcloud     4096 Feb 10 15:20 user5
drwxr-x---  6 nextcloud nextcloud     4096 Jan 24 11:47 user6
drwxr-xr-x  4 nextcloud nextcloud     4096 Mar  1 11:13 user7
drwxr-x---  8 nextcloud nextcloud     4096 Feb 14 16:58 __groupfolders
-rw-r-----  1 nextcloud nextcloud        0 Dec  7 21:55 index.html
drwxr-xr-x  4 nextcloud nextcloud     4096 Mar 24 15:41 user8
drwxr-x---  4 nextcloud nextcloud     4096 Feb 10 11:24 user9
drwxr-xr-x  5 nextcloud nextcloud     4096 Apr  4 18:35 user10
drwxr-x---  2 nextcloud nextcloud     4096 Nov 30 16:42 mobilizon_notifs
drwxr-x---  5 nextcloud nextcloud     4096 Apr  8 19:45 user11
drwxr-xr-x  5 nextcloud nextcloud     4096 Apr 13 11:04 user12
-rw-r-----  1 nextcloud nextcloud 72027427 Apr 15 16:00 nextcloud.log
drwxr-xr-x  4 nextcloud nextcloud     4096 Mar  9 14:33 user13
drwxr-x---  5 nextcloud nextcloud     4096 Jan 19 20:05 user14
drwxr-x---  6 nextcloud nextcloud     4096 Apr 13 11:33 user15
drwxr-x---  7 nextcloud nextcloud     4096 Feb 24 02:51 user16
drwxr-x---  5 nextcloud nextcloud     4096 Feb  9 14:43 user17
drwxr-x---  6 nextcloud nextcloud     4096 Dec  2 13:15 user18
drwxr-x---  4 nextcloud nextcloud     4096 Feb 11 18:49 user19
drwxr-xr-x  4 nextcloud nextcloud     4096 Feb 28 10:53 user20
drwxr-xr-x  6 nextcloud nextcloud     4096 Feb 26 20:32 user21
```

with files:

```
ls -l /home/yunohost.app/nextcloud/data/user1/files/
total 16272
drwxr-xr-x 2 nextcloud nextcloud     4096 Mar  8 10:05  Collectifs
drwxr-xr-x 2 nextcloud nextcloud     4096 Mar  2 17:21  Documents
drwxr-xr-x 2 nextcloud nextcloud     4096 Mar  2 17:21  Modèles
-rw-r--r-- 1 nextcloud nextcloud  3963036 Mar  2 17:21 'Nextcloud intro.mp4'
-rw-r--r-- 1 nextcloud nextcloud 11640931 Mar  2 17:21 'Nextcloud Manual.pdf'
-rw-r--r-- 1 nextcloud nextcloud    50598 Mar  2 17:21  Nextcloud.png
drwxr-xr-x 2 nextcloud nextcloud     4096 Mar  2 17:21  Photos
-rw-r--r-- 1 nextcloud nextcloud   976625 Mar  2 17:21 'Reasons to use Nextcloud.pdf'
drwxr-xr-x 2 nextcloud nextcloud     4096 Mar  2 17:21  Talk
```

or

```
ls -l /home/yunohost.app/nextcloud/data/ecranvillage/files/
total 16276
drwxr-xr-x 2 nextcloud nextcloud     4096 Mar 14 20:56  Collectifs
drwxr-xr-x 2 nextcloud nextcloud     4096 Apr 11 13:18  Documents
drwxr-xr-x 2 nextcloud nextcloud     4096 Apr 11 13:18  Modèles
-rw-r--r-- 1 nextcloud nextcloud  3963036 Apr 11 13:18 'Nextcloud intro.mp4'
-rw-r--r-- 1 nextcloud nextcloud 11640931 Apr 11 13:18 'Nextcloud Manual.pdf'
-rw-r--r-- 1 nextcloud nextcloud    50598 Apr 11 13:18  Nextcloud.png
drwxr-xr-x 2 nextcloud nextcloud     4096 Apr 11 13:18  Photos
-rw-r--r-- 1 nextcloud nextcloud        1 Apr 11 13:58  Readme.md
-rw-r--r-- 1 nextcloud nextcloud   976625 Apr 11 13:18 'Reasons to use Nextcloud.pdf'
drwxr-xr-x 2 nextcloud nextcloud     4096 Apr 11 13:18  Talk
```

or

```
ls -l /home/yunohost.app/nextcloud/data/user18/files/
total 16288
-rw-r----- 1 nextcloud nextcloud  3843032 Feb  6 11:00 'APPEL DU CACA 2022.pdf'
drwxr-x--- 8 nextcloud nextcloud     4096 Feb 10 11:07  Bureau
drwxr-x--- 2 nextcloud nextcloud     4096 Mar  7 17:33  Collectifs
drwxr-x--- 2 nextcloud nextcloud     4096 Nov 11 00:49  Documents
drwxr-x--- 2 nextcloud nextcloud     4096 Feb 20 22:29  Exemple
drwxr-x--- 3 nextcloud nextcloud     4096 Dec 19 13:56 'Formation Cefora'
drwxr-x--- 2 nextcloud nextcloud     4096 Nov 11 00:49  Modèles
drwxr-x--- 3 nextcloud nextcloud     4096 Feb 19 14:14  moncoffre
-rw-r----- 1 nextcloud nextcloud 11639371 Nov 11 00:49 'Nextcloud Manual.pdf'
drwxr-x--- 2 nextcloud nextcloud     4096 Apr  8 19:17  Notes
drwxr-x--- 2 nextcloud nextcloud     4096 Feb 20 21:00 'Nouveau dossier'
drwxr-x--- 3 nextcloud nextcloud     4096 Nov 14 14:42  Photos
drwxr-xr-x 2 nextcloud nextcloud     4096 Feb 25 00:00  Public
-rw-r----- 1 nextcloud nextcloud        1 Feb 10 23:53  Readme.md
-rw-r----- 1 nextcloud nextcloud   976625 Nov 11 00:49 'Reasons to use Nextcloud.pdf'
drwxr-x--- 2 nextcloud nextcloud     4096 Dec 20 16:22  Stagiaires
-rw-r--r-- 1 nextcloud nextcloud   151882 Sep  4  2020 'Statuts Association Écran Village 2020 (2).pdf'
drwxr-x--- 2 nextcloud nextcloud     4096 Jan 20 12:53  Talk
```

also with __groupfolders

```
~# ls -l /home/yunohost.app/nextcloud/data/__groupfolders/1
total 740
drwxr-x--- 2 nextcloud nextcloud   4096 Feb  2 17:03 'Charte Graphique'
-rw-r----- 1 nextcloud nextcloud    531 Feb 23 19:22  Readme.md
drwxr-x--- 2 nextcloud nextcloud   4096 Jan 21 12:21 'Statuts, Règlement intérieur, Objectifs'
-rw-r--r-- 1 nextcloud nextcloud 742588 Feb 23 19:08 'Tuto inscription Cloud Linux07.pdf'


~# ls -l /home/yunohost.app/nextcloud/data/__groupfolders/2
total 6736
drwxr-x--- 9 nextcloud nextcloud    4096 Mar 16 19:51  AG
-rw-r----- 1 nextcloud nextcloud    9820 Mar  1 16:51 "autour d'elles 2022.xlsx"
drwxr-x--- 4 nextcloud nextcloud    4096 Jan 30 22:41  CA
drwxr-x--- 2 nextcloud nextcloud    4096 Jan 30 22:42 'Comité Finances'
drwxr-x--- 4 nextcloud nextcloud    4096 Jan 30 22:43 'Commission Communication'
drwxr-x--- 2 nextcloud nextcloud    4096 Jan 30 22:44 'Commission Événéments Animations'
drwxr-x--- 2 nextcloud nextcloud    4096 Jan 30 23:40 'Commission Jeune Public'
-rw-r----- 1 nextcloud nextcloud  166608 Mar 21 17:01 'courrier démarchage établissements scolaires atelier cinéma 2020.pdf'
drwxr-x--- 3 nextcloud nextcloud    4096 Apr  6 19:03 'Documents Administratifs'
drwxr-x--- 2 nextcloud nextcloud    4096 Feb 11 14:10 'Documents techniques'
drwxr-x--- 6 nextcloud nextcloud    4096 Jan 30 22:50 'Dossiers Subventions'
drwxr-x--- 2 nextcloud nextcloud    4096 Jan 30 22:52 'Écran Village'
-rw-r----- 1 nextcloud nextcloud 6631273 Oct 21  2019 'Nextcloud Manual.pdf'
drwxr-x--- 3 nextcloud nextcloud    4096 Jan 30 23:43  Photos
-rw-r----- 1 nextcloud nextcloud   22737 Feb 15 15:45 'planning séances 2022.ods'
drwxr-xr-x 2 nextcloud nextcloud    4096 Mar 21 17:12  Programme
-rw-r----- 1 nextcloud nextcloud     538 Feb 23 19:24  Readme.md
drwxr-x--- 4 nextcloud nextcloud    4096 Jan 30 23:44 'Ressources Humaines'
drwxr-x--- 4 nextcloud nextcloud    4096 Jan 30 23:44  SFEIC
```

Why??? Do you think I can change these permissions without breaking anything?

Hi @rodinux, this is not a real issue unless you have a permissions problem.
The current permissions are good :slight_smile:

The x is for executing a file, but you can’t execute a PDF file :slight_smile:

You can change the permissions, but you must leave the nextcloud user as the group or user of the files and folders, and leave read and write permissions (rw) for that user or group on them.

Thanks for your message. OK, but why do some users have their user folder with drwxr-xr-x and others with drwxr-x---??

For going forward: Nextcloud creates folders and files with the default permissions on the system, obeying the umask setting mentioned in the first post. The yunohost packagers may have changed the way they run Nextcloud and inadvertently changed that setting too. I see those user folders alternate back and forth between the two permissions settings, so I’d have to assume they did so multiple times, or else something else on your system did.

If you’re concerned about what’s there (or plan on giving SSH access to someone that shouldn’t have access to these users’ folders), then you can change the permissions with chmod. Don’t take my word for it, but I think `sudo chmod -R o-rwx /home/yunohost.app/nextcloud/data` is the right command for your setup.
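
The audit-and-tighten procedure discussed in this thread, as an added example that is not part of any post above: it builds a constructed temporary tree with the mixed modes seen in the listings, lists every path that grants any permission to "other", strips those bits recursively, and shows the modes new entries get under umask 022 versus 027. The function names are hypothetical, and GNU `find` and `stat` (as on Raspbian/Debian) are assumed.

```bash
#!/usr/bin/env bash
# Added example: runs against a constructed temp tree, not a real data directory.

# Print every path under $1 with any "other" permission bit set (GNU find).
list_world_accessible() {
    find "$1" -perm /007 -print | sort
}

# Remove all "other" bits recursively; owner and group bits stay untouched.
strip_other_access() {
    chmod -R o-rwx "$1"
}

# Print the octal modes a new directory and a new file get under umask $1.
modes_under_umask() {
    local tmp; tmp=$(mktemp -d)
    ( umask "$1"; mkdir "$tmp/d"; : > "$tmp/f" )
    stat -c '%a' "$tmp/d" "$tmp/f" | paste -sd ' ' -
    rm -rf "$tmp"
}

# Constructed sample: one user folder at 755/644, one at 750/640.
build_sample_tree() {
    local root; root=$(mktemp -d)
    mkdir -p "$root/user1/files" "$root/user3/files"
    : > "$root/user1/files/Readme.md"
    : > "$root/user3/files/Readme.md"
    chmod 755 "$root" "$root/user1" "$root/user1/files"
    chmod 644 "$root/user1/files/Readme.md"
    chmod 750 "$root/user3" "$root/user3/files"
    chmod 640 "$root/user3/files/Readme.md"
    echo "$root"
}

demo() {
    local root; root=$(build_sample_tree)
    echo "world-accessible before: $(list_world_accessible "$root" | wc -l)"
    strip_other_access "$root"
    echo "world-accessible after:  $(list_world_accessible "$root" | wc -l)"
    echo "umask 022 -> $(modes_under_umask 022)"
    echo "umask 027 -> $(modes_under_umask 027)"
    rm -rf "$root"
}
demo
```

On a real installation, run `list_world_accessible` on the data directory first to review what would change; the web server user must remain owner or group of every entry.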