nkakouros-original / ansible-role-nextcloud

An Ansible role to install Nextcloud
GNU General Public License v3.0

File permission configuration #36

Closed simonspa closed 4 years ago

simonspa commented 4 years ago

Currently we are running the following tasks to set file permissions:

    - name: Find Nextcloud files
      find:
        path: "{{ nextcloud_installation_dir }}"
        file_type: any
      register: nextcloud_installation_files
      listen: nextcloud set secure file permissions
    - name: Set permissions on directories
      file:
        path: "{{ item.path }}"
        owner: "{{ nextcloud_file_owner }}"
        group: "{{ nextcloud_file_owner }}"
        mode: 0o750
        state: directory
        recurse: true
      loop: >-
        {{
          nextcloud_installation_files.files
          | selectattr('isdir')
          | list
        }}
      listen: nextcloud set secure file permissions
    # For files, we are using `command` as `file` with a loop would take ages
    # to complete.
    - name: Set ownership on files
      command: >-
        find "{{ nextcloud_installation_dir }}"
          -type f
          -exec chown {{
                    nextcloud_file_owner }}:{{ nextcloud_file_owner }} {} \;
          -exec chmod 0640 {} \;
      changed_when: false

The only thing this does as far as I can see is to set 640 on all files and 650 on all directories, all with the nextcloud_file_owner user and group. We could simplify this to

    - name: Set Nextcloud file permissions
      file:
        path: "{{ nextcloud_installation_dir }}"
        # symbolic mode: "o=" clears all bits for others (a bare "o=0" is rejected
        # by the file module's mode parser)
        mode: u=rwX,g=rX,o=
        owner: "{{ nextcloud_file_owner }}"
        group: "{{ nextcloud_file_owner }}"
        # recurse is only honoured when state is directory
        state: directory
        recurse: true

using the capital X notation of chmod:

execute/search only if the file is a directory or already has execute permission for some user (X)

This should give us the same result.

simonspa commented 4 years ago

Apart from that, I was wondering whether we would gain from setting them even more restrictively. I am currently using a bash script to adjust them:

    #!/bin/bash
    ocpath='/var/www/nextcloud'
    htuser='www-data'
    htgroup='www-data'
    rootuser='root'

    printf "Creating possible missing Directories\n"
    mkdir -p $ocpath/data
    mkdir -p $ocpath/assets

    printf "chmod Files and Directories\n"
    find ${ocpath}/ -type f -print0 | xargs -0 chmod 0640
    find ${ocpath}/ -type d -print0 | xargs -0 chmod 0750

    printf "chown Directories\n"
    chown -R ${rootuser}:${htgroup} ${ocpath}/
    chown -R ${htuser}:${htgroup} ${ocpath}/apps/
    chown -R ${htuser}:${htgroup} ${ocpath}/config/
    chown -R ${htuser}:${htgroup} ${ocpath}/data/
    chown -R ${htuser}:${htgroup} ${ocpath}/themes/
    chown -R ${htuser}:${htgroup} ${ocpath}/assets/

    chmod +x ${ocpath}/occ

    printf "chmod/chown .htaccess\n"
    if [ -f ${ocpath}/.htaccess ]
    then
        chmod 0644 ${ocpath}/.htaccess
        chown ${rootuser}:${htgroup} ${ocpath}/.htaccess
    fi
    if [ -f ${ocpath}/data/.htaccess ]
    then
        chmod 0644 ${ocpath}/data/.htaccess
        chown ${rootuser}:${htgroup} ${ocpath}/data/.htaccess
    fi

which only leaves some directories to www-data.
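The stricter layout from the script above, turned into an audit that reports drift instead of fixing it, so it can run as a check after the role or from a monitoring job. This is an added example, not code from the role or from the issue; it assumes GNU find (`-printf`, `-perm /mode`) and takes the install path and account names as arguments instead of hardcoding them.

```shell
#!/bin/sh
# Audit a Nextcloud tree against the layout of the script above:
# directories 0750, files 0640 (.htaccess 0644, occ executable), group = web
# server group everywhere, owner = root except inside the subtrees the web
# server must write to, which belong to the web server user.
# Assumes GNU find. Account names and path are constructed by the caller.

NC_WRITABLE_DIRS="apps config data themes assets"

# Run find over the tree while skipping the web-server-writable subtrees.
# Usage: nc_find_static OCPATH [find-expression...]
nc_find_static() {
    ocpath="$1"; shift
    find "$ocpath" \( -path "$ocpath/apps" -o -path "$ocpath/config" \
        -o -path "$ocpath/data" -o -path "$ocpath/themes" \
        -o -path "$ocpath/assets" \) -prune -o "$@"
}

# Usage: nc_permission_audit OCPATH HTUSER HTGROUP ROOTUSER
# Prints one "finding<TAB>path" line per deviation; no output means compliant.
nc_permission_audit() {
    ocpath="${1%/}"; htuser="$2"; htgroup="$3"; rootuser="$4"
    # 1. Nothing but .htaccess may carry any permission bit for "other".
    find "$ocpath" ! -name .htaccess -perm /o=rwx -printf 'world-accessible\t%p\n'
    # 2. The group is the web server's group everywhere.
    find "$ocpath" ! -group "$htgroup" -printf 'wrong-group\t%p\n'
    # 3. Owner: root outside the writable subtrees, web server user inside them.
    nc_find_static "$ocpath" ! -user "$rootuser" -printf 'wrong-owner\t%p\n'
    for d in $NC_WRITABLE_DIRS; do
        [ -d "$ocpath/$d" ] && find "$ocpath/$d" ! -user "$htuser" -printf 'wrong-owner\t%p\n'
    done
    # 4. Modes: 0750 for directories, 0640 for files, 0644 for .htaccess; occ is
    #    the only file allowed an execute bit and must actually have one.
    find "$ocpath" -type d ! -perm 0750 -printf 'bad-dir-mode\t%p\n'
    find "$ocpath" -type f ! -name .htaccess ! -path "$ocpath/occ" ! -perm 0640 \
        -printf 'bad-file-mode\t%p\n'
    find "$ocpath" -type f -name .htaccess ! -perm 0644 -printf 'bad-file-mode\t%p\n'
    if [ -f "$ocpath/occ" ] && [ ! -x "$ocpath/occ" ]; then
        printf 'occ-not-executable\t%s\n' "$ocpath/occ"
    fi
    return 0
}
```

A world-readable file shows up twice (once as `world-accessible`, once as `bad-file-mode`), which is intentional: the first finding is the one that matters for exposure, the second tells you which chmod fixes it.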

simonspa commented 4 years ago

Fixed via #37