Bernd Lentes wrote:
> 1. 
> https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html#installation-wizard
> The recommendation is to change the owner of the DocumentRoot of the 
> Nextcloud installation to www-data, the user the apache2 process is running.
> "chown -R www-data:www-data /var/www/nextcloud/"
> This is weird, isn't it? I remember 
> http://httpd.apache.org/docs/2.4/misc/security_tips.html "Permissions on 
> ServerRoot Directories"
> which contradicts that.
>
> 2. The second recommendation is even stranger:
> https://docs.nextcloud.com/server/19/admin_manual/installation/source_installation.html#pretty-urls
> "mod_env and mod_rewrite must be installed on your webserver and the 
> .htaccess must be writable by the HTTP user. Then you can set in the 
> config.php two variables:"
> .htaccess writable by the HTTP user!?! I'm no webserver expert, but I get 
> pain in my stomach reading this.
> What do you think?
> Does anyone have experience installing Nextcloud?
> Would it be a good idea to install Nextcloud via snap, which seems to be more 
> secure?
I agree that the recommendations are insecure. I made some tests with
different permissions. Not all files and directories have to be owned by
"www-data".

The following files/directories should be owned by www-data. There are
some checks in the Nextcloud codebase which otherwise complain about
missing permissions. Other files can be owned e.g. by root.

nextcloud/apps/
nextcloud/config/
nextcloud/data/

The location for Nextcloud data (default: nextcloud/data/) can be
changed. Changing the permissions of nextcloud/apps/ and
nextcloud/config/ is not trivial because of the checks in the code. Also
some functionality will be lost if the permissions are changed, e.g.
updating apps from the GUI will not work if /nextcloud/apps/ is read-only.

Greetings,
Björn
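The split-ownership scheme described in the reply above, as an added example that is not part of the thread and not Nextcloud's or Apache's own tooling: only apps/, config/ and data/ are handed to the web-server user, the rest of the tree is root-owned and read-only for that user (group-readable so PHP can still serve it, which is an assumption consistent with the httpd security tips Bernd linked), and .htaccess is explicitly kept root-owned so the web server cannot rewrite it. The data directory location is assumed to be the default nextcloud/data/; adjust it if datadirectory in config.php points elsewhere. The audit function lists anything outside the three writable directories that the web user still owns, which is the drift a practitioner wants to catch after an update or a careless chown -R.

```shell
#!/bin/sh
# Added example, not from the thread. Applies the ownership scheme Björn
# describes: apps/, config/ and data/ belong to the web user, everything
# else to root. Run as root; set DRY_RUN=1 to print the commands instead
# of executing them.
set -eu

WEBUSER="${WEBUSER:-www-data}"    # user the apache2/php process runs as
WEBGROUP="${WEBGROUP:-www-data}"

# Directories that Nextcloud's own checks require to be writable by the
# web user (data/ path is an assumption: the default location).
WEB_WRITABLE_DIRS="apps config data"

# Emit the chown/chmod commands for a Nextcloud root, one per line.
nextcloud_perm_plan() {
    root="$1"
    # Core tree: root-owned, group = web user for read access, no write bit.
    echo "chown -R root:$WEBGROUP '$root'"
    echo "find '$root' -type d -exec chmod 750 {} +"
    echo "find '$root' -type f -exec chmod 640 {} +"
    # The three directories Nextcloud must be able to write to.
    for d in $WEB_WRITABLE_DIRS; do
        echo "chown -R $WEBUSER:$WEBGROUP '$root/$d'"
        echo "find '$root/$d' -type d -exec chmod 750 {} +"
        echo "find '$root/$d' -type f -exec chmod 640 {} +"
    done
    # .htaccess stays root-owned and read-only for the web user, so the
    # "pretty URLs" rewrite of .htaccess by Nextcloud is deliberately refused.
    if [ -f "$root/.htaccess" ]; then
        echo "chown root:$WEBGROUP '$root/.htaccess'"
        echo "chmod 640 '$root/.htaccess'"
    fi
}

# Execute the plan, or just print it when DRY_RUN=1.
nextcloud_perm_apply() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        nextcloud_perm_plan "$1"
    else
        nextcloud_perm_plan "$1" | sh -e
    fi
}

# Audit: list paths outside apps/, config/ and data/ that the web user owns
# (i.e. that the web server process could modify). Empty output means the
# scheme holds.
nextcloud_perm_audit() {
    root="$1"
    find "$root" -path "$root/apps" -prune -o -path "$root/config" -prune \
        -o -path "$root/data" -prune -o -user "$WEBUSER" -print
}

# Usage (as root):   DRY_RUN=1 ./nc-perms.sh   to review, then without DRY_RUN.
#   nextcloud_perm_apply /var/www/nextcloud
#   nextcloud_perm_audit /var/www/nextcloud
```

The audit is the part worth wiring into a cron job or a monitoring check: after a Nextcloud update or an app install it tells you immediately whether anything in the core tree became writable by the web user again.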

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
