User A can delete files from User B without any rights for that file

Authentication “Log-in credentials save in session”

I logged in as “frans” in Nextcloud and was able to delete the file “kk.txt”, as you can see above i had no rights to do that.

What am i doing wrong?

is frans - the user or the goup - part of root - the group (or any other privileged group)?

about nextcloud: afaik most files should belong to your webuser… (in most cases www-data:www-data) and then nextcloud is taking care of the permissions.

Thnx for your reply.

frans is a user and a group on my linux server.

In linux is frans a member of these groups:


Ok, so what your are telling me is that all the files on linux must have the rights www-data:www-data.

I was looking for a way to see on linux who created it and that works the way i did :wink:

so frans has the same rights as www-data. which could clearly be a problem.

It’s me, i’ll remove frans from that groep and have a look if the “delete” action is still posible.

There is nothing changed JimmyKater, i’m not able to read a file created by NextCloudAdmin (same as before removing frans from group www-data) and still can delete it.

Quick question:
is www-data member of the group NextCloudAdmin?

No Schmu, www-data is not a member of the group NextCloudAdmin

I’m highly confused here :smiley:
In general, every action you take in Nextcloud (which concerns file creation or modification) is performed by the web server and therefor the user the web server is running with:

–> NC user modifying file --> PHP --> web server --> user “www-data” modifying file on filesystem

(Other) users on OS level are usually not relevant. The tricky part - which probably causes some confusion here (also on my side) - is the SMB share. You seem to access the SMB share via the user “Transfer”, right? In that case, PHP is accessing another server with the user permissions of user “Transfer”. A Nextcloud user who is granted editing rights, can perform every file action which the user “Transfer” is allowed to on that remote system.

I can only assume that the user Transfer has some kind of admin rights and access and change all these files?

What I’m trying to say is: The OS (Linux) doesn’t know about the NC users and their permissions and the other way round does Nextcloud not know the OS users and their permissions.

Yes Schmu, its a bit strange when its true what you wrote (sorry for the way i wrote this). I can create maps and files in Nextcloud wich presents rights for the used account (nextcloud) in Linux.

No i’m using authentication "Log-in credentials save in session” for the SMB/CIFS and on the linux site i add the user and password for smb.

“transfer” is a group, i created to make it possible to let more users (when member) access the folders “In” and “Out”.

I understand what you say here “What I’m trying to say is: The OS (Linux) doesn’t know about the NC users and their permissions and the other way round does Nextcloud not know the OS users and their permissions.”

Oh, I didn’t know this is possible. Maybe there lies the root cause of your issue somewhere. At least with the standard setup of only the web server user accessing the files, I didn’t come across such an issue before. Unfortunately, I can’t help any further, because I don’t understand who you achieved the NC user representation on the filesystem level.

Sorry for the noise.

Schmu thnx for your time and help think.

This is why, the parent directory looking like this (frans and NextCloudAdmin are member of group transfer)

root@BigFeet:/shares/intranet/transfer# ls -lt
total 8
drwxrwxr-- 3 www-data transfer 4096 Jun 1 11:26 In
drwxrwxr-- 2 www-data transfer 4096 May 30 15:06 Out