I’m trying to set up nextcloud 13 so that all program files are read only for the webserver. Maybe I’m just paranoid, but i consider it bad security practice if a webserver could possibly change the code its running.
So setting all the files to read only gives this error:
Cannot write into "config" directory!
This can usually be fixed by giving the webserver write access to the config directory. See https://docs.nextcloud.com/server/13/go.php?to=admin-dir_permissions
So I need go give the webserver write access to config.php. i see that most users like to config nextcloud through the web interface, I’d prefer not to.
It would take only one bad script on the webserver and someone could write some code in the config.php file that will be executed for all users on all requests.
By quickly looking in the code i saw that there is a check like this
if (!$configFileWritable && !OC_Helper::isReadOnlyConfigEnabled()
So there seems to be a way to allow read only configuration, but I didn’t manage to enable it.
Does anyone know how to do that?
BTW: the link provided in the error is not helpful at all
I see your concern. It’s probably already a huge problem, if users can execute a bad script. In the past, the recommendation was that the principle code is write only but the configuration should be changeable in order to be able to use the web interface. More recently, the web-updater is the main issue that all the code is writeable for the php user.
However, for security-focused users, there is an option in the config.php that allows to use Nextcloud with the config.php in read-only mode:
/**
* In certain environments it is desired to have a read-only configuration file.
* When this switch is set to ``true`` Nextcloud will not verify whether the
* configuration is writable. However, it will not be possible to configure
* all options via the Web interface. Furthermore, when updating Nextcloud
* it is required to make the configuration file writable again for the update
* process.
*
* Defaults to ``false``
*/
'config_is_read_only' => false,
If you want to install/update apps: yes. There is also an option to have a read-only apps-folder and you can have a writable second one. If you make it writable only during the updates, this can be an option but it won’t be a good idea if that prevents you from updating your system on a regular basis.
why do you think it is not a good idea? I normally prefer to update web stuff like nextcloud or e.g. wordpress from the command line. And there i can work as a user with write permissions. As alternative i give write permission, do update over the web interface, remove write permissions again.
And I can do this pretty regularly. Just automated updating is not possible, but I don’t like automated updates anyway
is appstoreenabled the option you are talking about?
No, there is no problem about that, there is just an additional step. The only problem I see is that people might do less or no updates, which is not good for security. But if you are willing to take this extra step, there is no problem.
Thanks a lot for the help. The writable flag int the apps_paths does not seem to work, but it does not matter for me because appstoreenabled does what i want.
