#PERMISSIONS web server/user

hi, something is not clear to me about PERMISSIONS
on my VPS, I use a panel in which several users manage several websites
these users can’t log in with shell/ssh (no password apparently)
then, how can the http user launch the occ command?

if I launch ‘php occ maintenance:repair’ with a sudo user which is not the http user for nextcloud … what’s going to happen … ? :scream:

would it be a good idea to give ssh access to the user managing the NC folders?

next, about PERMISSIONS
doing a permission check, is there a permission rule to follow? the same rule for every folder? (750 or 770, 775) and the same for every file? (640 or 660, 664)

though, setting a permission rule is not the same as giving permission to a user
I’ve read that the web server may need access … to what exactly?
Can you shed some light on this subject please?

I have sftp access with the panel user (cyberduck, to change folder/file permissions)

please, see my ls -lah

vps@panel:/home/USERNAME/web/WEBSITE.COM/public_html/nextcloud$ ls -lah
total 168K
drwxrwxr-x 14 USERNAME USERNAME 4.0K May 29 19:27 .
drwxr-x--x 3 USERNAME www-data 4.0K May 30 10:21 ..
drwxr-xr-x 44 USERNAME USERNAME 4.0K May 29 19:27 3rdparty
drwxr-xr-x 81 USERNAME USERNAME 4.0K May 29 20:45 apps
-rw-r--r-- 1 USERNAME USERNAME 19K May 29 19:27 AUTHORS
drwxr-xr-x 2 USERNAME USERNAME 4.0K May 29 19:40 config
-rw-r--r-- 1 USERNAME USERNAME 3.9K May 29 19:27 console.php
-rw-r--r-- 1 USERNAME USERNAME 34K May 29 19:27 COPYING
drwxr-xr-x 22 USERNAME USERNAME 4.0K May 29 19:27 core
-rw-r--r-- 1 USERNAME USERNAME 6.2K May 29 19:27 cron.php
drwxrwx--- 12 USERNAME USERNAME 4.0K May 29 17:05 data
-rw-r--r-- 1 USERNAME USERNAME 3.4K May 29 19:28 .htaccess
-rw-r--r-- 1 USERNAME USERNAME 156 May 29 19:27 index.html
-rw-r--r-- 1 USERNAME USERNAME 3.4K May 29 19:27 index.php
drwxr-xr-x 6 USERNAME USERNAME 4.0K May 29 19:27 lib
-rw-r--r-- 1 USERNAME USERNAME 283 May 29 19:27 occ
drwxr-xr-x 2 USERNAME USERNAME 4.0K May 29 19:27 ocm-provider
drwxr-xr-x 2 USERNAME USERNAME 4.0K May 29 19:27 ocs
drwxr-xr-x 2 USERNAME USERNAME 4.0K May 29 19:27 ocs-provider
-rw-r--r-- 1 USERNAME USERNAME 3.1K May 29 19:27 public.php
-rw-r--r-- 1 USERNAME USERNAME 5.3K May 29 19:27 remote.php
drwxr-xr-x 4 USERNAME USERNAME 4.0K May 29 19:27 resources
-rw-r--r-- 1 USERNAME USERNAME 26 May 29 19:27 robots.txt
-rw-r--r-- 1 USERNAME USERNAME 2.4K May 29 19:27 status.php
drwxr-xr-x 3 USERNAME USERNAME 4.0K May 29 19:27 themes
drwxr-xr-x 2 USERNAME USERNAME 4.0K May 29 19:28 updater
-rw-r--r-- 1 USERNAME USERNAME 101 May 29 19:27 .user.ini
-rw-r--r-- 1 USERNAME USERNAME 382 May 29 19:27 version.php

Sorry, but what exactly are you trying to achieve? What do you mean by managing multiple websites, and what has Nextcloud and occ to do with any of this? Nextcloud is not a CMS, although there is an app for hosting simple markdown pages on it.

Users shouldn’t have to occ things all the time. There is a WebUI to interact with Nextcloud and a WebDAV interface for file transfers.

No!

Again, please explain what your goal is. What exactly do you want Nextcloud to do for you and your users?

thanks @bb77

I’m trying to understand and set what the right permissions should be
for files and folders in the public_html and nextcloud folders
PANELUSER >> home/web/DOMAIN.COM/public_html/nextcloud

who should make the permission changes?

  • PANELUSER (has FTP access, but not SSH)?
  • SUDOUSER or ROOT?

if PANELUSER (http user) doesn’t have ssh access, I can’t launch the occ command, right? that’s what I’ve read elsewhere

Is this about installing Nextcloud or about using Nextcloud?

For installing Nextcloud you can use the install script / Install Wizard, which automatically sets the permissions right. Users, including admin users, would then use the WebUI and WebDAV for interacting with Nextcloud and uploading files. It’s usually not a good idea to interact with files hosted by Nextcloud directly on the file system level or via ftp, even on servers with full root access.

There is an app called OCC web, which you could use. But I highly recommend to go with a provider that offers you at least some kind of shell / ssh access with the permissions of the webserver / http user. Otherwise you could come into a situation, where you wouldn’t be able to execute OCC commands anymore.

I’ve got one answer
the occ command should only be run by the USER owning the website directory.
in my case this USER has FTP access, but no SSH password.
here is the SSH command that will do as if it was launched by this user (“-u USER”)

$ sudo -u USER php occ maintenance:repair

I’m here trying to get the right information, not an automated script, thanks
I’ve installed Nextcloud several times; now on a VPS I would like to be able to check permissions and understand which users should be at work
thanks

Everything is owned by the http user. File permissions for Nextcloud user accounts are handled in Nextcloud. The http user, or any user that can log in to your web space, always has access to everything. But why would users need access directly to the webspace in the first place? They can log in to their Nextcloud accounts via browser or Sync Client and manage their files from there…

I still don’t understand what your actual goal is. I get the feeling you want to use Nextcloud as a front end for your webspace and manage the files for several other websites with it… Well, that’s not gonna work…

a second answer from manual upgrade

chown -R www-data:www-data nextcloud
find nextcloud/ -type d -exec chmod 750 {} \;
find nextcloud/ -type f -exec chmod 640 {} \;

so ALL folders should be at 750
and ALL files should be at 640

one question remains: “www-data”, is it a random username?
or should every folder belong to www-data on an ubuntu server?

in my case, a different user owns the public_html folder (as shown in my second post: ls -lah)
should I change USERNAME ownership to www-data?
or make sure that USERNAME owns every folder? including the public_html and nextcloud folders

www-data is the apache or nginx user on Debian or Ubuntu based systems. On CentOS/RHEL it’s httpd.


So I should change the ownership of every folder to www-data (instead of the actual Panel User)? Is it not going to mess with my hestia panel management?

I’m not using cpanel myself, so I’m not sure about that… But you should probably not change anything at all if you want to manage everything through cpanel. On a Shared Host from a provider you would create a new virtual host through cpanel, upload the files of a webapp via SSH / FTP or WebUI to the appropriate folder, set the permissions according to the documentation of the provider and let cpanel handle everything. Isn’t that the reason why you would use a software like cpanel in the first place? … :wink: If you are hosting cpanel yourself I guess it’s probably best to ask in their forums or check their documentation…


thanks bb77 !

Hi

Create a script that assigns the rights and checks them in the future

nano /root/permissions.sh

Insert

#!/bin/bash
find /var/www/ -type f -print0 | xargs -0 chmod 0640
find /var/www/ -type d -print0 | xargs -0 chmod 0750
chmod -R 775 /var/www/letsencrypt
chmod -R 770 /etc/letsencrypt 
chown -R www-data:www-data /var/www /etc/letsencrypt
chown -R www-data:www-data /var/nc_data
chmod 0644 /var/www/nextcloud/.htaccess
chmod 0644 /var/www/nextcloud/.user.ini
exit 0

Mark the script as executable and then run it directly

chmod +x /root/permissions.sh
/root/permissions.sh

Kind regards, Scalar
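A small audit script, added here as an example and not posted by anyone in this thread, that applies the 750/640 rule from the manual-upgrade commands quoted earlier and the .htaccess/.user.ini 644 exception from Scalar’s script, but only reports what deviates instead of running chmod -R over the whole tree. It assumes a layout like the ls -lah output above; the expected owner is a parameter, because the thread shows it may be www-data on plain Debian/Ubuntu or a panel user under hestia; the miniature tree it builds for the demo is constructed.

```shell
#!/bin/sh
# Added example (not from any post in this thread): audit a Nextcloud tree
# against the rule discussed above: directories 750, files 640, the two
# files the web server reads directly (.htaccess, .user.ini) 644, and
# everything owned by the http user. Only POSIX find(1) predicates are used.

# check_perms ROOT OWNER: print one line per deviation, nothing when clean.
check_perms() {
    root=$1
    owner=$2
    # directories whose mode is not exactly 750
    find "$root" -type d ! -perm 750 -exec printf 'dir-mode   %s\n' {} \;
    # ordinary files whose mode is not exactly 640 (dotfile exceptions below)
    find "$root" -type f ! -name .htaccess ! -name .user.ini ! -perm 640 \
        -exec printf 'file-mode  %s\n' {} \;
    # the two exceptions must be exactly 644
    find "$root" -type f \( -name .htaccess -o -name .user.ini \) ! -perm 644 \
        -exec printf 'file-mode  %s\n' {} \;
    # anything not owned by the expected http user (www-data or panel user)
    find "$root" ! -user "$owner" -exec printf 'owner      %s\n' {} \;
}

# count_deviations ROOT OWNER: number of lines check_perms would print.
count_deviations() {
    check_perms "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_tree DIR: constructed miniature install used for the demo,
# with two deliberate deviations (apps/ at 775, .user.ini at 666).
make_sample_tree() {
    base=$1
    mkdir -p "$base/nextcloud/config" "$base/nextcloud/apps" "$base/nextcloud/data"
    for f in index.php .htaccess .user.ini config/config.php data/.ocdata; do
        : > "$base/nextcloud/$f"
    done
    chmod 750 "$base/nextcloud" "$base/nextcloud/config" "$base/nextcloud/data"
    chmod 775 "$base/nextcloud/apps"                  # deviation: group-writable dir
    chmod 640 "$base/nextcloud/index.php" "$base/nextcloud/config/config.php" \
              "$base/nextcloud/data/.ocdata"
    chmod 644 "$base/nextcloud/.htaccess"             # allowed exception
    chmod 666 "$base/nextcloud/.user.ini"             # deviation: world-writable
}

# Demo: build the sample tree in a temp dir, report, then clean up.
# The current user stands in for the http user so the demo needs no root.
demo() {
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    echo "deviations found: $(count_deviations "$tmp/nextcloud" "$(id -un)")"
    check_perms "$tmp/nextcloud" "$(id -un)"
    rm -rf "$tmp"
}

demo
```

On a real install you would call `check_perms /path/to/nextcloud www-data` (or the hestia user) and read the report before touching anything; an empty report means the tree already matches the rule, and a long list of `owner` lines is the sign that a recursive chown is what is missing, not a chmod.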

there is not much to manage through the hestia panel
hestia created an http user, then I copied the installation files into the public www folder.

this httpuser owns every folder of my NC24 install
I’m trying to figure out permissions because I have error messages

eg :
missing .ocdata file in /data - but the file is there (permission 640)
0 -rw-r----- 1 httpuser httpuser 0 May 30 18:10 .ocdata

and a cron error, which seems related to this .ocdata file (i dunno how and why) …

I’ve read a lot of articles about .ocdata, permissions, cron but it remains complex to me

thanks but I won’t dare
plus, my http user is not www-data
who is www-data??? ^^

I’m afraid to bring my whole system down (as before when changing chmod), even with

chown -R myuser:myuser /var/www /etc/letsencrypt

Sorry I don’t know hestia so I cannot tell you which user must own the files. Maybe it’s better to ask in their forums or check their documentation…

The permissions on my installation are 644 (manual installation)

 -rw-r--r--  1 www-data www-data        0 Mai 23 12:51 .ocdata

It’s the default user for web servers on Debian / Ubuntu based distros. But this can be a different name / user on other distributions or if you are using a management panel like hestia…

hestia creates managers for each website, with ftp access starting at the web/ folder:
/home/userprod/**web/**website.net

other websites function well on this VPS (contabo) which is my first one
drupal, wordpress, espo crm, humhub

my .ocdata is owned by the manager ‘userprod’, permissions set to 644
does the server need to be rebooted at every permission change?
as you can see, the data folder is beside the nextcloud folder
So… what could be wrong?