Prevent high costs on s3fs

I have a plan to install Nextcloud on s3fs. I mean using s3fs for mounting the disc where Nextcloud will be installed NOT using s3 as the storage in Nextcloud.

Why do I want it? Because I would like to share the Nextcloud files automatically into my EC2 instances. I would mount the s3fs on both the Nextcloud server as well as on my EC2 and it would automatically sync that way with Nextcloud.

But there is one obstacle. Every read or update of files in Nextcloud is going to cost me something. If there is a malicious user that will have a bigger file and update it every second, Nextcloud will update the underlying S3 object and I pay a lot for this.

My question is: is there a way how to detect or prevent such situation? Like Nextcloud could set some limit for number of file read/writes for a user or at least it could keep track of that number so that I can block the user if he tries to do that?

Or any other advice related to the intent I have?

Thanks for any ideas.

And why do you want that?

Why would you have ‘malicious’ users on your Nextcloud? Are you offering Nextcloud accounts to random people, are you planning some sort of hosting service? If so, I’d say you need to think this all through a bit more, but I’d also say consulting for service providers is a bit outside the scope of this forum :wink:

Well maybe buy a server and some harddisks, and/or don’t use services from companies that monetize every little change you do to your files. :wink:

No, that’s not possible and wouldn’t make much sense imho. I mean, if you just want to share files, you can share them as download/read-only, but if you want to do collaborative work, which Nextcloud was primarily designed for, things are going to change all the time and Nextcloud is going to write those changes to the storage and to the database…

1 Like

Beware, tracking read and write operations adds a little overhead.

Thanks for taking time to answer, bb77.

Firstly, I am not building a hosting company, I would call it rather a developer community. Why am I doing it and how remains out of scope of this forum.

Next, you ask “Why would my user try to harm me”. That is rather strange question. Any Linux server you connect to the internet, you start immediately receiving attempts to hack it. People are attacking computer systems from great variety of reasons and is irellevant for this topic to name them all. May be the guy does not like my service or he feels it to be a competition to him or he just wants to prove that he is smarter than me?

Next you tell me that something like that is not possible and does not need to be because S3 is an unfair service that tries to monetize everything.

In that case I am asking why Nextcloud supports that service as the storage? Does it mean that ANYBODY who is using Nextcloud with S3 is defenseless against this type of attack and just depends on the goodwill of all his users that none of them will try to bring his service down using a very trivial attack? And that you consider such situation normal?

Thanks, kesselb.

That project looks interesting but from the description I lack some context of it. I am unfortunately not familiar with Nextcloud development.

Is it some sort of add-on? How that gets installed?
Also I can see that it logs the user actions into the preferences table if I understand the functionality right. That seems like an expesive way of tracking such things but possibly your code could be modified to store that information somewhere else?

I would prefer more “official” solution but if Nextcloud has none and each S3-based instance of the product is vulnerable to this type of attack your code may be the right solution in the end. Is there a doc how to add it into a Nextcloud installation or so?

Also, I would like to ask - why are you using the preferences table for this? I am sorry, I don’t know Nextcloud details but the name seems different from a purpose like that or I misunderstood the code?

In every case, thanks a lot for your valueable idea!

Well, let’s put it this way, you don’t even need an attacker or a mallicious user to get in a situation where you have to pay unexpected high bills at those hyperscalers, It only takes one misunderstanding of heir pricing model, and/or not 100% understanding of all the implications that your software generates, for you to be in for a nasty surprise when their next bill arrives. :wink:

So basically, you pay a lot of money for a service that is supposed to make your life easier, but instead of being able to use the service worry-free and focus on your core business, you now have to devote resources becoming an expert on that service. And once you figured it out, you have to devote even more resources finding “hacks” to make your software work with that service in a way that remains affordable, i.e. you have to adapt the software to the service, not the other way around as it should be, and all this to use a service you have no control over and whose terms and conditions can change at any time.

Well, afaik, there’s no built-in feature in Nextcloud that lets you control how often someone changes a file. There is the usage report @kesselb linked to, but that does not actually prevent someone from doing what you describe, but it can at least help you discover that something like this is happening.

2 Likes

Larger hosting companies might have their own S3 storage backends where they don’t have these costs, or if they are using paid services, they might have trustable users. Or for smaller setups, you just have local storage.

In the first step, it could perhaps be easier to see if on base of s3fs you can put on some restrictions, so you limit the number of access.

It seems for the S3 connections in Nextcloud, if you want to add/change behavior, that you probably need to dive deeper into the details of the implementations.

I am sorry but the reactions so far seems to me like trying to lie to yourself.

The real situation is this one.

Nextcloud supports a configuration with S3 as the primary storage. In this configuration any attacker can cause big financial damage to the Nextcloud instance owner. He just needs to run a script in endless loop changing a number of files repeatedly.
Not only that the provider has no defense against this attack, he even has no way of finding out which user executed that attack.

If a user of a SW system can cause damage, that situation is called a security hole.
So Nextcloud in one of its supported configurations has a serious security hole.

The user doesn’t even know what kind of storage backend you are using, so how likely is such an attack?

But yes, you’re right, Nextcloud has no such protection built in, nor does it come with any other features specifically designed for hosting providers. Or to put it simply, out of the box it’s not particularly well suited for multi-tenancy setups, imho.

In order to offer Nextcloud as a service, additional configuration and tooling is required in almost all cases, which means that depending on the nature of the service you are offering and the underlying infrastructure you are using, additional things will need to be built around it and/or integrated with add-ons or apps, and some things may not be possible at all or may still need to be developed, and/or may involve certain risks in certain scenarios.

Well, that’s a bit of a stretch imho :wink:

And btw, no one is forcing you to use AWS. There are plenty of other object storage providers out there, or maybe local storage on a dedicated server (you don’t have to host it on premise) would be a better option for your specific usecase.

Anyway, if using AWS is so important to you, why don’t you just post a feature request on GitHub, or better yet, develop something yourself for this specific use case, instead of rambling on here. Not only would you be helping yourself and your developer community by doing so, but you would also be helping other users who are considering using AWS S3 as their primary storage.

2 Likes

Yes in your case, this is an issue. And probably for a few others as well, but 90% are not affected because they don’t use such a system. And even when you have a config like this one, if you know to have only reasonable users, they have no interest in doing such an “attack”.

Nextcloud has a bug bounty program, but their conditions differ:

To get the features you’d like:

  • wait until somebody implements the feature
  • do it yourself
  • get it through official support (buying enterprise support, however I’d ask first if they can help with that)
  • find a different way to do what you’d like (or something similar)

What I don’t understand, if you’d use the S3 storage within Nextcloud, then it would make sense for me to say, perhaps you want to have a fall back strategy, in case there are too many queries that drive the cost up too much (could be a software bug, a user with a problem), and from Nextcloud-side there could be a way to cache certain quick and repetetive activity for some time.

However, if you use s3fs, for Nextcloud this looks like normal hard drive storage, why should they do anything different than for a normal hard drive?

and your “security hole” would be in s3fs rather then Nextcloud.

3 Likes

Nextcloud on s3fs is not a supported configuration so there is no security hole here. Nextcloud with S3 as primary storage is supported and therefore there is a security hole in this configuration.

The next step would be to report that security hole.
Before I can report such a security hole, I need to find out whether it really is a security hole or not since I am no NC expert. Therefore I am rambling on here to understand whether this is a hole or NC has a fix for that. From your answers I am quite sure now that this is simply a security hole.

Unfortunately I have no time for reporting that hole. Rather I would like to solve the issue just for myself and let the community possibly care for this hole as they like. Note that depicting a security hole should not be taken as a criticism but rather help.

I heard that there is a way how one could write a PHP code that listens to the events produced by NC. That looks promising and I’d like to implement my own workaround for this issue. Can someone give me more info about how to do it? From the GitHub project above from kesselb I am not getting an idea how to apply that solution to a concrete NC installation.