Description
In practice, Nextcloud likely only requires "read" access to the majority of its directories, not full read/write access.
It is possible to improve Nextcloud server path restrictions as follows:
- Improve path restrictions in the systemd services (php-fpm and nginx).
- Configure path restrictions in php.ini for Nextcloud. Use php-fpm role variables (added in php-fpm: php.ini hardening #34) that match:
  ```ini
  open_basedir = /path/DocumentRoot/PHP-scripts/
  doc_root = /path/DocumentRoot/PHP-scripts/
  include_path = /path/PHP-pear/
  extension_dir = /path/PHP-extensions/
  mime_magic.magicfile = /path/PHP-magic.mime
  session.referer_check = /application/path
  ```
Note: Application install/update may require an optional switch.
Warning: the `occ` command still requires access to server files to update it.
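
A sketch of the systemd side of this proposal, added here as an illustration and not taken from the role or from Nextcloud's documentation. The drop-in file name, the unit name `php-fpm.service` and every path are assumptions to adjust to the actual install.

```ini
# /etc/systemd/system/php-fpm.service.d/nextcloud-paths.conf
# (hypothetical drop-in name; all paths below are assumed, not from the issue)
[Service]
# Mount the whole file system read-only for this service.
# /dev, /proc and /sys are exempt from ProtectSystem=strict.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true

# Nextcloud code tree: read access only, per the issue's premise.
ReadOnlyPaths=/var/www/nextcloud

# Writable exceptions. These may be nested inside a read-only path.
# The leading "-" tells systemd to ignore a path that does not exist.
ReadWritePaths=/var/www/nextcloud/data
ReadWritePaths=/var/www/nextcloud/config
ReadWritePaths=-/var/lib/php/sessions
ReadWritePaths=-/var/log/php-fpm
ReadWritePaths=-/run/php-fpm

# App install and server update write into the code tree, so they need
# a separate override (the "optional switch" mentioned in the note)
# that temporarily adds:
#   ReadWritePaths=/var/www/nextcloud
```

After `systemctl daemon-reload` and a service restart, `systemd-analyze security php-fpm.service` shows which sandboxing directives are in effect for the unit.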