Please help with the right permissions for NC12

Hello

I have installed NC12 on my Ubuntu 16.04 with Apache2 and PHP7.

It's running fine, but I'm unsure whether my folder/file permissions are correct. It would be great if someone could help me with this.

My Nextcloud web folder has the following permissions:
Owner/Group: www-data
Folder Permission: 755
File Permission: 644
.htaccess Permission: 644

My Nextcloud data folder has the following permissions:
It's outside the web root (in /var/ncdata)
Owner/Group: www-data
Folder Permission: 770
File Permission: 644

Are these permissions OK or should I change something? I don't find any information about this in the docs.
The only information is to set the owner/user to www-data.

It would be nice if someone could help me with this.
Best regards

I guess by default the package should have the correct permissions, so the idea is that you just change the ownership to the HTTP user. But step 9 on this page gives the current recommendation:
https://docs.nextcloud.com/server/12/admin_manual/maintenance/manual_upgrade.html


Thanks linucksrox,

That link is good information, but it's strange that no information about the correct permissions can be found in the docs.
The link is for updating Nextcloud; it would be helpful if any info about this were in the install chapter.

If questions about the correct permissions are asked in the forum, most of the time no answer is given.
Why is there no detailed information about the correct permissions? In the past there was a script and information about this in the docs, but it was removed, and now nothing is explained and beginners are left alone…

Here’s the pull request where they removed the script and the reasoning behind it: https://github.com/nextcloud/documentation/pull/431
I personally agree that it should still be mentioned in the installation guide somewhere, making it clearer to people searching for it. However, if you perform a new install using any method described in the manual, your permissions will end up being correct. That's because they are already set in the archive you can download, and you only need to change ownership, which is mentioned as part of the installation.
Ultimately the HTTP user should have read/write access to the core application files and data files, making updates super easy, in order to keep up on updates and security fixes. It's a trade-off: instead of locking down files (which is less useful than it used to be) you make updates easier, so fewer people get stuck with out-of-date versions of Nextcloud with known vulnerabilities.
If you want, you can totally lock down your files a bit more, as long as you're comfortable (and remember) to relax the permissions when you want to update.

Hmm… I don't know.

My Nextcloud folder has 755 permissions and the files 644.
In the link that you posted in post #2 the permissions are set to 750 for folders and 640 for files.

So from this point of view it looks like the permissions are wrong.

At the moment I don't know what is wrong and what is correct…
If I set it to 750 and 640, will the internal updater not work? Is it not a good idea? Why is this information in the update doc but not in the install doc?

Is there any platform where the NC supporters can be asked?

This is better because then only the webserver user can read and write the files. With the other permissions, other users of the system can read files from Nextcloud. The updater app usually runs with webserver-user permissions as well, so this should work for updates too.
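As an added example (not from the Nextcloud docs, the thread's posters, or the removed "strong permissions" script), here is a small POSIX shell helper that applies the 750/640 scheme discussed above to a tree and then audits it, listing every directory or file that deviates. It works on a constructed temporary tree so it runs without root; the paths `/var/www/nextcloud` and `/var/ncdata` are assumed examples of where the web root and data folder would normally live, and the `chown -R www-data:www-data` step, which needs root, is shown in a comment rather than run.

```shell
#!/bin/sh
# Added example: apply and audit the 750 (dirs) / 640 (files) scheme.
# On a real host the two trees would be e.g. /var/www/nextcloud and
# /var/ncdata (assumed paths), owned by the webserver user:
#   chown -R www-data:www-data /var/www/nextcloud /var/ncdata   # as root
set -u

# apply_nc_perms TREE: directories 750, regular files 640 (.htaccess included)
apply_nc_perms() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}

# list_nc_perm_violations TREE: print each entry whose mode is not 750/640
list_nc_perm_violations() {
    find "$1" \( -type d ! -perm 750 \) -o \( -type f ! -perm 640 \)
}

# count_nc_perm_violations TREE: number of such entries (0 means compliant)
count_nc_perm_violations() {
    list_nc_perm_violations "$1" | wc -l | tr -d ' '
}

# Constructed demo tree (not a real install): a fake web root and data dir
demo=$(mktemp -d)
mkdir -p "$demo/nextcloud/config" "$demo/ncdata/admin/files"
touch "$demo/nextcloud/.htaccess" "$demo/nextcloud/config/config.php" \
      "$demo/ncdata/admin/files/note.txt"

echo "Before: $(count_nc_perm_violations "$demo") non-compliant entries"
list_nc_perm_violations "$demo" | sed 's/^/  /'
apply_nc_perms "$demo/nextcloud"
apply_nc_perms "$demo/ncdata"
echo "After:  $(count_nc_perm_violations "$demo") non-compliant entries"
rm -rf "$demo"
```

Run the audit function alone (without `apply_nc_perms`) before an update to see what the updater would need relaxed, and again afterwards to confirm the scheme is back in place; the count is what you would feed into a cron job or monitoring check.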

Thank you linucksrox and tflidd,

I set my permissions for both folders (the Nextcloud web root and the data folder outside the web root) to 750 for folders and 640 for files. The owner and group are set to www-data.

Nextcloud is running fine and I hope that's a safe configuration. I will test the updater when a new version is released. Otherwise I have to change the permissions for the update and set them back afterwards.

I was wondering where the "set strong permissions" script went. I asked here and got the answer that it is no longer necessary…

@linucksrox thanks for the link!