Where is the "set strong permissions" script?

clouduser · May 23, 2017, 7:10am

Hello,

in ownCloud and Nextcloud < 10.0 there was a script in the documentation to set strong permissions for .htaccess/folders…

Can someone tell me what happened with it? I Upgraded yesterday from OC 9.1 to Nextcloud 10 -> 11 -> 12 and i now im working on the rework.

Is it no longer needed or can i just take the old script?

Greetings

Therion7777 · May 23, 2017, 12:45pm

enoch85 · May 23, 2017, 1:27pm

github.com

nextcloud/vm/blob/master/static/setup_secure_permissions_nextcloud.sh

#!/bin/bash

# Tech and Me © - 2018, https://www.techandme.se/

# shellcheck disable=2034,2059
true
# shellcheck source=lib.sh
. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)

# Check for errors + debug code and abort if something isn't right
# 1 = ON
# 0 = OFF
DEBUG=0
debug_mode

htuser='www-data'
htgroup='www-data'
rootuser='root'

printf "Creating possible missing Directories\n"

This file has been truncated. show original

clouduser · May 23, 2017, 2:03pm

Thanks! I’ve searched everywhere but couldn’t find why it was removed from the documentation…

So if i read this whole story right… i should give my nextcloud-folder the following permissions…

chown -R apache:apache NEXTCLOUD-ROOT
chown -R apache:apache PATH-TO-DATA

find NEXTCLOUD-ROOT/ -type f -print0 | xargs -0 chmod 0640
find NEXTCLOUD-ROOT/ -type d -print0 | xargs -0 chmod 0750

find PATH-TO-DATA/ -type f -print0 | xargs -0 chmod 0640
find PATH-TO-DATA/ -type d -print0 | xargs -0 chmod 0750

What is with the .htaccess-files?

I’ve tested this on my demo system and it should work. But when i create/upload a new file via webinterface… the permissions are 644. Is this right?

MichaIng · May 23, 2017, 7:28pm

As the main reason to finally drop the script was the block of nextcloud updates, .htaccess files should also be writeable/owned by webserver user, as they are also shipped with updates.

enoch85 · May 24, 2017, 12:46pm

It blocks upgrades beacuse the permissions isn’t as safe as with root:www-data. So it’s actually worse to not use strong permissions. In the Nextcloud VM we solved that by making our own script for it: https://github.com/nextcloud/vm/blob/master/nextcloud_update.sh

e-raser · November 22, 2020, 1:46pm

What is the current recommendation? I still use a version of the “nextcloud set strong permissions” script dated 03/2018 which still works just fine.

I think there still is a need to set those permissions from a security point of view.

Unfortunately the only official script available nowadays seems to be https://github.com/nextcloud/vm/blob/master/static/setup_secure_permissions_nextcloud.sh which obviously is for the VM versions of Nextcloud, so I´m wondering…

Update: Found https://github.com/nextcloud/documentation/issues/1353 which is still open. Seems currently there´s just no common sense in the nextcloud community bout that

e-raser · December 9, 2022, 4:33pm

Funny to search for a thing on the web and end up in a NC forum topic where the last comment is of yourself already asking the same question you (again/still) have today: priceless.