Set serverinfo token in config file

To be able to query the metrics of my Nextcloud instance with Prometheus, I use the nextcloud-exporter. There must be an access token set in the serverinfo app for the exporter. Is there a way to set this token in the Nextcloud config file instead of using the occ command (occ config:app:set serverinfo token --value "access-token")?

I don’t understand why occ is a problem… but running the occ command results in an attribute like this in your config.php:

  'serverinfo' =>
  array (
    'token' => 'access-token',
  ),

@wwe occ config:app:set writes the config value in the database, whereas occ config:system:set writes it in config.php.

3 Likes

Thank you for the heads-up @tcit, very welcome. I was not aware of this detail, always used occ config:system:get serverinfo token and missed the difference in the OP post.

Apologies for the necro, but I’m trying to do exactly the same thing, so I figure this is the best place to ask.

occ seems to require using --value to pass the value through a command line arg, but passing the token there will expose it to anyone who can read command lines from /proc, which normally is every user on the system.

This doesn’t seem like a good way to manage secrets, is there something I’m missing? occ doesn’t seem to take values from stdin, when I try I just get a message about the token being set to an empty string (also not sure how I feel about the fact that the secret is being logged in plaintext… Maybe I should just hold off on using nextcloud’s metrics for now).

occ runs maybe 1 sec - is it a real-world security problem? If you feel so, please add the token to your config.php in a way you feel is secure enough.

It does require an attacker to get code execution access in a context that doesn’t hide /proc through namespace magic, but passing secrets through /proc isn’t great on multi-tenant hosts.

Nextcloud setup in this case is run through scripts that attempt to emulate immutable infrastructure, so occ runs and passes through this token predictably on every system reboot. An attacker with knowledge of maintenance schedules could have pretty easy access.

As I understood it app config is not read from config.php but from the database.

To be sure, I have tried adding:

'serverinfo' =>
  array (
    'token' => 'access-token',
  ),

to the bottom of config.php. curl -H 'NC-Token: access-token' to the serverinfo URL gives me authentication failures as I expected. Should that be working?

I didn’t test - the official way is good enough for me. I think it’s best you run the command, monitor changes in the config and database, and choose a way to apply these settings that is secure enough for you.

Hrm, I thought the database was a bit of a no-touch zone. Is it actually a good idea to manually set values there? I suppose fixing it is fairly trivial when things actually change, so perhaps it’s not too bad.

Still, this seems like a bit of a blind spot. In fact, setting up metrics without exposing them to the world appears to be a blind spot for a lot of services, guess I should be glad nextcloud has functional authentication for this at all.

The following does it.

INSERT INTO oc_appconfig VALUES ('serverinfo', 'token', 'your-access-token');

Otherwise, would you be fine using an environment variable?

1 Like
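
The /proc exposure discussed in this thread can be checked with a short shell test. This is an added example, not code from any poster or from Nextcloud. It uses a stand-in `sh` child instead of occ, and the token value, the `--value` placement on the stand-in and the function name are constructed for illustration. The thread reports that occ does not read the value from stdin, so the stdin branch only shows what a tool accepting input that way would expose.

```shell
#!/bin/sh
# Added illustration: the child below is a stand-in for any CLI tool, not occ.
SECRET='constructed-demo-token'   # constructed sample value

# secret_visible_in_argv MODE
#   MODE=argv  : the secret is handed to the child as a command-line argument
#   MODE=stdin : the secret is written to the child's standard input
# Returns 0 if the secret can be read back from /proc/<pid>/cmdline,
# 1 if it cannot, 2 on an unknown MODE.
secret_visible_in_argv() {
    case "$1" in
        argv)
            sh -c 'sleep 3; :' stand-in --value "$SECRET" >/dev/null 2>&1 &
            ;;
        stdin)
            printf '%s\n' "$SECRET" |
                sh -c 'read -r tok; sleep 3; :' stand-in >/dev/null 2>&1 &
            ;;
        *)
            return 2
            ;;
    esac
    pid=$!
    sleep 1    # give the child time to exec before inspecting it
    # cmdline is NUL-separated; flatten it to one line before matching.
    if tr '\0' ' ' < "/proc/$pid/cmdline" | grep -qF -- "$SECRET"; then
        found=0
    else
        found=1
    fi
    kill "$pid" 2>/dev/null
    wait "$pid" 2>/dev/null
    return "$found"
}

for mode in argv stdin; do
    if secret_visible_in_argv "$mode"; then
        echo "$mode: secret readable from /proc/<pid>/cmdline"
    else
        echo "$mode: secret not present in /proc/<pid>/cmdline"
    fi
done
```

On hosts where /proc is mounted with hidepid or the process runs in its own PID namespace, other users cannot open that cmdline file, which is the "namespace magic" caveat raised above.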