nextcloud: Better paths restrictions #62

Open
JGoutin opened this issue Mar 23, 2023 · 0 comments
Labels
enhancement New feature or request security Related to security hardening

Comments

JGoutin (Owner) commented Mar 23, 2023

In practice, Nextcloud likely only requires "read" access to the majority of its directories and not full read/write access.

It is possible to improve the Nextcloud server path restrictions as follows:

  • Improve path restrictions in the systemd (php-fpm and nginx) services.
  • Configure path restrictions in php.ini for Nextcloud. Use php-fpm role variables (added in php-fpm: php.ini hardening #34) that match:
    open_basedir = /path/DocumentRoot/PHP-scripts/
    doc_root = /path/DocumentRoot/PHP-scripts/
    include_path = /path/PHP-pear/
    extension_dir  = /path/PHP-extensions/
    mime_magic.magicfile = /path/PHP-magic.mime
    session.referer_check   = /application/path

Note: application install/update may require an optional switch.
Warning: the occ command still requires access to the server files to update them.
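The restriction layout proposed above, as an added example that is not part of this issue or of the project's roles: a php.ini fragment, a php-fpm systemd drop-in that leaves only the data and tmp directories writable, and a small shell check of how open_basedir matches a path against its prefix list. Every path (document root, data directory, tmp directory) is an assumption chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the nextcloud-hardening project.
# All paths below are assumed for illustration.

NC_ROOT="/var/www/nextcloud"          # assumed Nextcloud document root (read-only)
NC_DATA="/var/lib/nextcloud/data"     # assumed data directory (must be writable)
NC_TMP="/var/lib/nextcloud/tmp"       # assumed PHP upload/tmp directory (writable)

# php.ini fragment. open_basedir is a colon-separated list of prefixes; each
# entry ends with "/" so it matches that directory only, not a sibling whose
# name merely starts with the same characters.
php_ini_fragment() {
    cat <<EOF
open_basedir = ${NC_ROOT}/:${NC_DATA}/:${NC_TMP}/
doc_root = ${NC_ROOT}/
upload_tmp_dir = ${NC_TMP}/
EOF
}

# systemd drop-in for php-fpm: the whole filesystem becomes read-only for the
# service except the directories Nextcloud has to write to. While this is
# active, the occ updater cannot write the server files, which is the
# warning given in the issue.
php_fpm_dropin() {
    cat <<EOF
[Service]
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=${NC_DATA} ${NC_TMP}
EOF
}

# open_basedir_allows BASEDIR_LIST PATH
# Returns 0 when PATH starts with one of the BASEDIR_LIST entries, mirroring
# the plain prefix comparison PHP applies (PHP additionally resolves
# symlinks first; that step is omitted here).
open_basedir_allows() {
    list="$1"; path="$2"
    oldifs="$IFS"; IFS=':'
    for prefix in $list; do
        case "$path" in
            "$prefix"*) IFS="$oldifs"; return 0 ;;
        esac
    done
    IFS="$oldifs"
    return 1
}

# Demonstration of the trailing-slash caveat when run directly.
for p in "${NC_ROOT}/index.php" "${NC_ROOT}2/index.php"; do
    if open_basedir_allows "${NC_ROOT}/" "$p"; then
        echo "allowed with '${NC_ROOT}/': $p"
    else
        echo "denied  with '${NC_ROOT}/': $p"
    fi
    if open_basedir_allows "${NC_ROOT}" "$p"; then
        echo "allowed with '${NC_ROOT}':  $p"
    fi
done
```

The demonstration loop shows why the entries in the issue end with a slash: an open_basedir entry of /var/www/nextcloud (no trailing slash) also admits /var/www/nextcloud2/index.php, while /var/www/nextcloud/ does not. The drop-in is meant to be placed under the php-fpm service's drop-in directory and temporarily relaxed (or the document root added to ReadWritePaths) for the install/update step the note above mentions.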

@JGoutin JGoutin added enhancement New feature or request security Related to security hardening labels Mar 23, 2023
@JGoutin JGoutin changed the title nextcloud: Add php.ini paths restrictions nextcloud: Add php.ini paths & function restrictions Mar 23, 2023
@JGoutin JGoutin changed the title nextcloud: Add php.ini paths & function restrictions nextcloud: Add php.ini paths & functions restrictions Mar 23, 2023
@JGoutin JGoutin changed the title nextcloud: Add php.ini paths & functions restrictions nextcloud: Better paths restrictions Mar 29, 2023