User folders' permissions

What are the right permissions for the user folders in data folder?
I have two different types:

drwxr-xr-x 6 nginx nginx

drwxr-x--- 4 nginx nginx

It does not matter for Nextcloud, because the last three are for “others” and Nextcloud will use those files as nginx.

I would still recommend using the second one, drwxr-x---. This is more secure, since nobody except the webserver (nginx/Nextcloud) will be able to access the files, even if your main folder (/var/www/nextcloud) is unprotected.

Thanks for the answer.
Do you have any idea why there are different permissions for user folders? I haven’t changed any permissions; both are set by Nextcloud.

They are of different sensitivity. For example, a local user (here: “other”) can be allowed to read script files like index.php; there are no secrets there, it is just source code. But config.php contains login credentials for your database, and the data folder contains the users’ files, which should remain private.

Sorry for my English.
I meant: why does the user1 folder have different permissions than the user2 folder?
In the data folder there are user folders, like admin, user1 and user2. At the moment the user1 and admin folders have different permissions than the user2 folder. User1 and user2 are not in the admin group.
Folder = directory :wink:

Actually, every file and folder which is newly created by Nextcloud (and therefore by nginx) will have the same specific permissions. There won’t be any differences (between different NC users, for example).

Which permissions are set for newly created folders/files is defined by the user’s umask; in this case the umask of nginx.

The most likely reason why there are any differences in the file/folder permissions is that somebody changed these permissions in the past. It could have happened by a script that primarily or secondarily hardened the permissions of the NC data directory, because, as @PancakeConnaisseur said, having read permissions for “world”/“others” is a security risk.

On my server I had to change the umask value for my web server user (http for me, nginx for you), too.
There are different ways to achieve that. One possibility is to define a umask value in the service files or init script of php-fpm (PHP is actually creating the folders/files when running the web server nginx). Example here:

The better umask setting for you would be:
umask 027

Default value is usually 022.
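The effect of the umask on newly created files and directories, plus a quick audit for world-accessible entries in a data directory, as an added example that is not part of the thread or of Nextcloud itself. It assumes GNU coreutils/findutils (`stat -c`, `find -perm /...`) and builds its own scratch directories under mktemp, so it touches nothing on the real server; the sample tree with an "admin" and a "user2" folder is constructed here to mirror the listing in the question.

```bash
#!/bin/sh
# Added example (not from the thread): how the process umask decides the mode
# of new files/directories, and a check for entries that "others" can reach.
set -eu

# Create a scratch directory and file under the given umask and report the
# resulting octal modes as "DIRMODE FILEMODE", e.g. "755 644" for umask 022.
# The umask is changed in a subshell so the caller's umask is untouched.
modes_for_umask() {
    tmp=$(mktemp -d)
    (
        umask "$1"
        mkdir "$tmp/dir"          # directories start from 777 & ~umask
        : > "$tmp/file"           # regular files start from 666 & ~umask
    )
    d=$(stat -c '%a' "$tmp/dir")
    f=$(stat -c '%a' "$tmp/file")
    rm -rf "$tmp"
    printf '%s %s\n' "$d" "$f"
}

# Count entries below a directory that grant any permission bit to "others".
# Under a data directory this should be 0 once everything is 750/640.
world_accessible_count() {
    find "$1" -mindepth 1 -perm /o=rwx | wc -l | tr -d ' '
}

# Constructed sample tree resembling the question: "admin" is 755 (readable
# by others), "user2" is 750. Returns the number of world-accessible entries.
sample_count() {
    tmp=$(mktemp -d)
    mkdir -m 755 "$tmp/admin"
    mkdir -m 750 "$tmp/user2"
    n=$(world_accessible_count "$tmp")
    rm -rf "$tmp"
    printf '%s\n' "$n"
}

# Demo output when run directly.
printf 'umask 022 -> dir file: %s\n' "$(modes_for_umask 022)"
printf 'umask 027 -> dir file: %s\n' "$(modes_for_umask 027)"
printf 'world-accessible entries in sample data dir: %s\n' "$(sample_count)"
```

To audit a real instance, call world_accessible_count against the data directory (for example `world_accessible_count /var/www/nextcloud/data`) as a user that can traverse it; any non-zero result lists what a hardening pass or a stricter umask (027 rather than the default 022) would close. When php-fpm runs under systemd, the umask of the worker processes can be set with `UMask=0027` in the `[Service]` section of the unit or a drop-in, which is the service-file approach mentioned above.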

Thanks Schmu!
This is getting really weird. I have not done any hardening (or softening) and permissions are different. Actually the most secure settings are for the oldest user… Maybe php update did something.

Yeah, that’s possible. Updates would also change my umask settings in /etc/profile every now and then if I simply let the updater overwrite that file.

I get umask 0002 with “su -l nginx -c umask -s /bin/bash”. (I’m logged in as root.)
And “umask” gives 0022…
So is PHP using the umask which can be seen with umask command when logged in as root?