Restricting External Storage `local` paths

Nextcloud version: 17.0.1.1
Operating system and version: CentOS 8
Apache version: 2.4.37
PHP version: 7.3

The issue you are facing:

I have a server with a software stack including a number of Apache-run applications (~4), NextCloud being one of them. This will be a client-run machine, where they control the “Admin” user.

I want to utilize the "External Storage" feature to create a shared storage space between accounts, but due to the fact that NextCloud is run by Apache, and at least one of the other applications run by Apache is proprietary, it exposes a risk that the admin user could create a "local" storage location which would expose that application's source code.

  1. Is there a capability within the “External Storage” plugin which would allow me to set restrictions on allowable paths that can be used for “local” storage? Perhaps in the config.php?

OR

  1. Alternatively, is there a way to include an external storage space, accessible to one or more users without the “External Storage” plugin, or at least without exposing it to ANY user (including the admin)?

(N.B. I’ve asked the same question on Stack ServerFault here: https://serverfault.com/questions/995045/nextcloud-local-external-storage-restrictions)

So I’m trying to come at this from another angle, where I’m using php_admin_value open_basedir ... to lock down its ability to use anything other than what I specify, but that said… it would be far nicer to be able to set the single dir up using the config and hide the entire module than leaving it accessible unnecessarily.

You can create different Virtual Hosts with different users and groups with e.g. apache2-mpm-itk:

<IfModule mpm_itk_module>
AssignUserId username groupname
</IfModule>

This will give you the opportunity to separate access on the OC level, and in the same way you can add one folder to the shared group of users so that NC and your proprietary application have access to only this shared folder.
In this case NC admins without shell root access will not be able to create and expose other folders, which means your application source code will be in a safe place.
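
The two approaches discussed in this thread (per-vhost users via mpm-itk, plus an `open_basedir` limit) can be combined; the following is an added example, not configuration posted by either participant. All host names, paths, users and groups are placeholders, and it assumes mpm-itk is loaded and PHP runs as mod_php.

```apache
# Constructed example: every name and path below is a placeholder.
# Assumed filesystem layout (set up once, as root):
#   /var/www/proprietary-app  owned by appuser:appuser, no access for "other"
#   /srv/shared               owned by root:shared, mode 2770;
#                             nextcloud and appuser are both members of "shared"

# Nextcloud vhost: runs as its own unprivileged account.
<VirtualHost *:443>
    ServerName cloud.example.com
    DocumentRoot /var/www/nextcloud
    # TLS directives omitted for brevity.

    # Deliberately NOT wrapped in <IfModule mpm_itk_module>: if the module is
    # missing, Apache refuses to start instead of silently running this vhost
    # as the common apache user.
    AssignUserId nextcloud nextcloud

    # Second layer: PHP in this vhost may only open files under these trees,
    # so a "local" external storage pointing elsewhere fails even if the
    # filesystem permissions are later loosened by mistake.
    # php_admin_value cannot be overridden from .htaccess or ini_set().
    # The trailing slashes make each entry match that directory only,
    # not every path sharing the same prefix.
    php_admin_value open_basedir "/var/www/nextcloud/:/srv/nextcloud-data/:/srv/shared/:/tmp/"
</VirtualHost>

# Proprietary application vhost: a different account, so the Nextcloud
# process has no read permission on its source tree.
<VirtualHost *:443>
    ServerName app.example.com
    DocumentRoot /var/www/proprietary-app
    # TLS directives omitted for brevity.

    AssignUserId appuser appuser
</VirtualHost>
```

After a reload, adding a "local" external storage for `/var/www/proprietary-app` as the Nextcloud admin should show the mount as unavailable; the `open_basedir` list will need extending if the instance uses other directories (for example a custom temp or log path).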

I’ll take a look at that @gas85, thanks for the explanation! I started to look at mod_privileges for the same reason, but this looks a bit more in line with my goals. Very much appreciated.
