No hardened file permissions recommended anymore?

I’ve been running NC since version 9 (now 12.0.3) and from old Owncloud days I’m still using two scripts, which set the permissions for the update process and for a hardened production process. Before every update I’ve checked if my scripts (only slightly modified though because of paths) were still equal to the ones in the Nextcloud documentation. But now these scripts were erased from the documentation for every NC version. (Link before was: https://docs.nextcloud.com/server/11/admin_manual/maintenance/update.html#set-updating-permissions-label)
On another topic I’ve read:

(Topic: Update to NextCloud 12.03 /var/www Permissions error)

So, I think it is recommended now not to use such hardened permissions, is that right?
Maybe because on a properly configured root server this hardening doesn’t gain much towards security, am I right?
@JasonBayton Is there any location where one can see the proper/required file permissions beneath the owner “www-data, …” → read, write, execute?

Thanks!

Yep

I’m sure there might be, though I can’t recall offhand - perhaps @tflidd or @MichaIng know where it is, or what they are (if only the latter, a how-to/faq should be created)…

I think granting a user/process just as much privilege as required to run things is not “the old way” or “hardened” in any way, it is just the very basic principle of internet server maintenance. chmodding 777 makes things very easy, but also very easy to mess up - for yourself, your local users and the whole WWW which can send data to your box(es). i have this old setperms-script, too, and i suggest you keep (and run) yours. give the installer as much privilege as it needs for the installation/upgrade, then revoke it again. i just did this with nc-12.0.3 and there was no problem at all.
GOOD LUCK!

The reason to change the documentation was the updater app. It needs access to update the code. Before, the webserver user had only write access to the data-folder and the config-file. The apps folder was optional (if you want to allow to install apps via web-interface). All other files were readable for the webserver user but not writable. But during the update you would have to change the permissions.
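As an added example (not part of the original thread or of the Nextcloud documentation), the permission model described in the post above can be checked with a short audit that lists every path outside the data folder, the config file and the optional apps folder that a given user could write to. The relative paths `data`, `config/config.php` and `apps`, the function names and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Assumed writable set, relative to the install root; "apps" is optional.
ALLOWED = ("data", "config/config.php", "apps")

def can_write(st, uid, gids):
    """Classic Unix mode-bit check for uid/gids; ignores ACLs and root."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit(root, uid, gids, allowed=ALLOWED):
    """Return sorted relative paths outside `allowed` that uid can write."""
    allowed = {os.path.normpath(p) for p in allowed}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel = lambda n: os.path.normpath(os.path.join(rel_dir, n))
        # Do not descend into allowed directories (data/ can be huge).
        dirnames[:] = [d for d in dirnames if rel(d) not in allowed]
        for name in dirnames + filenames:
            st = os.lstat(os.path.join(dirpath, name))
            if rel(name) in allowed or stat.S_ISLNK(st.st_mode):
                continue  # allowed file, or a symlink (mode bits unused)
            if can_write(st, uid, gids):
                findings.append(rel(name))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample layout with made-up modes, not a real install."""
    layout = {"index.php": 0o644, "lib/base.php": 0o664,
              "config/config.php": 0o640, "data/nextcloud.log": 0o640,
              "apps/files/appinfo.xml": 0o644, "core/shipped.json": 0o646}
    for path, mode in layout.items():
        full = os.path.join(root, path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample\n")
        os.chmod(full, mode)
    for dirpath, _, _ in os.walk(root):
        os.chmod(dirpath, 0o755)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(audit(tmp, os.getuid(), set()))
```

On a real host, pass the web server account's uid and group ids (for `www-data`, from `pwd.getpwnam` and `os.getgrouplist`) and the install root; an empty result means that user can write only to the allowed paths.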

Thanks for your opinions and clarifications!

Definitely my thinking! And I would never chmod 777 things! In my opinion wrong permissions and owner of files/processes are very dangerous and unfortunately all too frequent.
But since there is the updater, now there are new “requirements”:

Let’s say “need” in quotes, because you can give the right permissions temporarily when updating. The only thing is, that you should watch the (major) NC updates more closely, because if some things in files/paths change fundamentally, the actual set up strict permissions for production will maybe cause some troubles one day.

So to sum up: Nextcloud is a PHP web application with connection to a database like WordPress, Joomla and many more. It seems to be that using an updater and making important files writable to the application itself is common use now and okayish in security aspects, respectively the common compromise for the trade-off between security and usability. (Usability can practically lead to more security, too, if it is easier and faster to update.) So, if the permissions are set correctly, especially write and execute (should be the case after a fresh install), then it’ll be safe and now the supported way of using/updating NC is not to use “hardened” permissions.
Of course it is always the safest way/safer to restrict permissions when they are not needed, but now you have no official support and help in the NC documentation.

I for one am going to use the “new way” NC provides by loosening the permissions and owner settings for regular use, although I do not agree that it was the right way to erase the support/help/actualization of those scripts of permission “hardening” out of the documentation. It was additionally the easiest way to find out which permissions NC needs for running regularly and for update.

Thanks!
Greets Nytrm

2 Likes

To clarify, would setting the umask 0022 in Apache cause any issues with a Nextcloud installation in which the data folder is outside the folder containing the program?