Unsafe directory creation

Given the ongoing security issues that are occurring with other open source code, I’m interested to know why the code is generating unsafe directory creation - 0777 permissions?

I have plain vanilla install with no additions.

Discovered the following files with code to generate such folders …

nextcloud/lib/private/Files/Storage/Local.php
nextcloud/lib/private/legacy/image.php
nextcloud/3rdparty/doctrine/annotations/lib/Doctrine/Common/Annotations/FileCacheReader.php
nextcloud/3rdparty/doctrine/cache/lib/Doctrine/Common/Cache/FileCache.php
nextcloud/3rdparty/doctrine/common/lib/Doctrine/Common/Proxy/ProxyGenerator.php
nextcloud/3rdparty/sabre/dav/lib/DAVACL/FS/HomeCollection.php
nextcloud/3rdparty/swiftmailer/swiftmailer/lib/classes/Swift/FileSpool.php
nextcloud/3rdparty/pear/archive_tar/Archive/Tar.php
nextcloud/apps/files_external/3rdparty/aws-sdk-php/Aws/S3/Sync/DownloadSyncBuilder.php
nextcloud/apps/files_external/3rdparty/aws-sdk-php/Aws/S3/Sync/DownloadSync.php
nextcloud/apps/files_external/3rdparty/aws-sdk-php/Symfony/Component/ClassLoader/Tests/ClassMapGeneratorTest.php
nextcloud/apps/files_external/3rdparty/aws-sdk-php/Symfony/Component/ClassLoader/ClassCollectionLoader.php
nextcloud/apps/templateeditor/lib/mailtemplate.php

Any thoughts about securing things so that we aren’t creating gaping holes?

Thanks

Think you are supposed to install and get going then its up to you to ensure security.

This bit got missed out of the 11 admin manual I think as didn’t see it there.

Has a script for hardening.

https://docs.nextcloud.com/server/9.0/admin_manual/installation/installation_wizard.html#strong-perms-label

No I tell a lie as its there.

https://docs.nextcloud.com/server/11/admin_manual/installation/installation_wizard.html#strong-perms-label

That sounds like you have installed it on a mounted Windows partition.

On my box i did a

find /var/www/nextcloud -perm 0777

and could not find anything.

@Stuart_Naylor34m … I call this garbage :wink:
Think you are supposed to install and get going then its up to you to ensure security.

This is core code that when folders are created permissions are open to all and sundry with those permissions. From my take this is not a good look. And think this is going to offend someone … it’s sloppy coding!

@Sanook32m
That sounds like you have installed it on a mounted Windows partition.
Nope it’s a LAMP install running Nextcloud 10.0.3 (production)

Nextcloud rocks don’t get me wrong … managing others spaces that get compromised and I discover this … 14 hour unproductive work for no positive outcome is rather frustrating.

So … Any thoughts about securing things so that we aren’t creating gaping holes?

Not really when the answer is above.

Read the manual

And all that.

@Stuart_Naylor NextCloud is installed and those files as listed generate directories with 0777 permissions.

Call me stupid but sorry they should not be set that way.
I don’t get it that I now need to find/replace this code to protect the site in addition.

Read the manual
Please provide me page details in the manual stating where I need to change all this every time a folder is created? Yes I’m a fool and cannot read!

Your comment however glib does not help me or others who read this thread.
As an admin I see little point in having to constantly monitor sites to ensure permissions are as they should be, when this isn’t necessary.

Its posted above.

Already have “strong permissions” per that link … by default
My issue is I need to constantly monitor and update this.
Yes I can edit all that code
Others are not aware
How about this alert is used positively … rather than chucking mud?

I think it was garbage and that was you.

I haven’t got round to checking, but I do know during updates you might have to relax security and then just run a script to make it secure.

Its documented and I posted that but have not got round to doing what Sanook did on linux yet.
He states there isn’t any 777 perms and all the folders you listed are on install and covered and its untrue that this will happen on every folder creation.

I dunno, I am sure others might comment, maybe we should wait to see?

What is the output of

mount

Ok so the fool at this end is asking … why are those permissions not set securely from the get go?
Why 777 and not 755 by default?
I don’t see that as rocket science.
This isn’t personal as some are taking it.
Best fix it from the get go and not patch up later.

They are set of course. If they were not, i would have the same issue, but i don’t.

@Sanook I’m chasing down holes in a client server space and NextCloud is 1 of 3 codes spaces with holes.
If I don’t raise it here and NextCloud is seen to have issues I fail.
All those files have the ability to create folders with 0777 … not a good look
Let’s fix it and ensure it doesn’t happen in next updates?
I call this fix it or fail!

Well, that could be an issue with your file system or with your user permission settings.

But you can file a bug here if you like: https://github.com/nextcloud/server/issues
:wink:

After looking and haven’t locked down this install yet or done any of the maintenance scripts, that on a clean install find /var/www/ -perm 0777 returns nothing

That is recursive by default isn’t it?

That was a 11.1 install.