Nextcloud Docker installation - Correct users

Hello,

I have a question about the Docker installation of Nextcloud.

I’ve set up Nextcloud using Docker, and I’ve mounted certain parts of my host system to the Docker container to easily edit files and back them up.

I’ve noticed that the files created by Nextcloud are owned by user and group "82:82". However, sometimes I see files that are owned by "root":

From what I understand, running a Docker container with full permissions as the root user isn’t ideal due to potential security risks. It might be better to limit the Docker container’s access to the file system by setting the user manually in the Dockerfile or elsewhere.

A few weeks ago, I stumbled upon the user flag in docker-compose. If I’m interpreting it correctly, it allows setting the execution user’s UID and GID.

So, wouldn’t it be a good idea to set this flag to "82:82" for all containers that are sharing files with the Nextcloud server? This way, files wouldn’t accidentally be created or accessed as root.

Are there any internal functionalities or considerations within Nextcloud that would make this approach inadvisable?

I would really appreciate any input on this matter.

Thank you!

From what I understand, running a Docker container with full permissions as the root user isn’t ideal due to potential security risks

There are security trade-offs in both directions. It depends on what you’re most concerned about security-wise.

A few weeks ago, I stumbled upon the user flag in docker-compose. If I’m interpreting it correctly, it allows setting the execution user’s UID and GID
[…]
Are there any internal functionalities or considerations within Nextcloud that would make this approach inadvisable?

Yes, you can use Docker’s user with the image. The main caveat is if you’re using Redis (typical) the PHP redis-session handler config can’t be set by the entrypoint automatically (see here).

(You’ll see the error in the container startup).

You can readily fix this by mounting your own /usr/local/etc/php/conf.d/redis-session.ini within the container with the changes. Example for doing that is here.
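A compose file that applies the answer above (the user setting on every container that writes to the Nextcloud volumes, plus the redis-session.ini mounted from the host). This is an added example, not from the thread or from the Nextcloud project; the image tags, host paths, database settings, the backup sidecar and the ini contents are assumptions.

```yaml
# Constructed example: every container that touches the Nextcloud volumes
# runs as 82:82 (www-data in the Alpine-based Nextcloud images), so no file
# on the shared host paths is ever created as root.
services:
  nextcloud:
    image: nextcloud:fpm-alpine   # assumed tag; any image whose www-data is UID 82 works
    user: "82:82"                 # PHP runs as www-data instead of root
    depends_on: [db, redis]
    environment:
      REDIS_HOST: redis
      POSTGRES_HOST: db
      POSTGRES_DB: nextcloud
      POSTGRES_USER: nextcloud
      POSTGRES_PASSWORD: change-me   # placeholder; use a secret in practice
    volumes:
      # Host directories must already be owned by 82:82 (chown -R 82:82 ./html ./data):
      # a container without root cannot change ownership itself.
      - ./html:/var/www/html
      - ./data:/var/www/html/data
      # The entrypoint cannot write this file when it is not root, so it is
      # shipped from the host. ./redis-session.ini (assumed contents):
      #   session.save_handler = redis
      #   session.save_path = "tcp://redis:6379"
      #   redis.session.locking_enabled = 1
      #   redis.session.lock_retries = -1
      #   redis.session.lock_wait_time = 10000
      - ./redis-session.ini:/usr/local/etc/php/conf.d/redis-session.ini:ro
  # Sidecar that also reads the shared data: same UID/GID, so the archives it
  # writes are owned by 82:82 too, and it cannot touch anything on the host
  # that www-data could not.
  backup:
    image: alpine:3
    user: "82:82"
    volumes:
      - ./data:/data:ro
      - ./backups:/backups            # must also be owned by 82:82 on the host
    command: sh -c 'tar czf /backups/data-$$(date +%F).tgz -C /data .'
  redis:
    image: redis:alpine   # shares no files with Nextcloud, so it keeps its own user
  db:
    image: postgres:16-alpine
    environment:
      POSTGRES_DB: nextcloud
      POSTGRES_USER: nextcloud
      POSTGRES_PASSWORD: change-me   # placeholder; use a secret in practice
    # add a volume for /var/lib/postgresql/data in real use
```

To confirm the setting took effect, run docker compose exec nextcloud id, which should report uid=82 and gid=82, and check that new files under ./html and ./data appear as 82:82 on the host.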

You can run the container using a specific UID/GID; see

The solution for the redis issue is mentioned as well.