Home directory access list

#1

Hi.
I have an issue with Nextcloud modifying the standard ACL on users' home directories:
If I create a user BEFORE installing Nextcloud, the ACLs on the homedir are:
# file: /home/user01
# owner: user01
# group: 13940
user::rwx
group::r-x
other::r-x
(permissions: drwxr-xr-x)

If I create a user AFTER Nextcloud installation, the ACLs on the homedir are:
# file: /home/user02
# owner: user02
# group: 99668
user::rwx
group::r-x
group:nextcloud:rwx
mask::rwx
other::r-x
(permissions: drwxrwxr-x+)

The problem is that SSH access with a public key does not work for user02 because of the privilege granted to nextcloud on the user’s homedir.
Extract from /var/log/auth.log:
Authentication refused: bad ownership or modes for directory /home/user02

Is it safe to revert the homedir to 755 without affecting Nextcloud?
Thanks in advance

#2

I think the point is that the group nextcloud shouldn’t be able to access the content of /home/user/.ssh … If nextcloud has write permissions on the home folder, then my understanding is that it can then change the permission of /home/user/.ssh? (Would need to double-check that part)

But if you remove the write permissions, then nextcloud won’t be able to create/delete files or subfolder in the home directory … So meh :confused:

#3

Hi Aleks
I agree with you: nextcloud should not be allowed to access /home/user/.ssh
But the strange thing is that when I installed Nextcloud I unchecked the box “Authorize Nextcloud to access users home directories”.
So nextcloud should not have been granted the right to access the homedir in the beginning!
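
Added example, not part of the thread and not OpenSSH or Nextcloud code: the "bad ownership or modes" line quoted in post #1 comes from sshd's StrictModes check, which uses only the owner and the classic mode bits of the home directory and key path, and with `mask::rwx` those bits read as group-writable. The function name `strictmodes_problems`, the skipping of missing files, and the use of `chmod 775` to stand in for the ACL are assumptions of this example.

```python
import os
import stat
import tempfile


def strictmodes_problems(home, uid, rel_keyfile=".ssh/authorized_keys"):
    """List why sshd with StrictModes would refuse public-key auth for this home.

    Mirrors the rule behind "bad ownership or modes": every existing path from
    the key file up to the home directory must be owned by the user or root and
    must not be writable by group or other (mode & 022 == 0).
    """
    home = os.path.realpath(home)
    path = os.path.join(home, rel_keyfile)
    problems = []
    while True:
        try:
            st = os.stat(path)
        except OSError:
            st = None  # assumption: missing components are skipped here
        if st is not None:
            if st.st_uid not in (0, uid):
                problems.append(f"{path}: owned by uid {st.st_uid}")
            if st.st_mode & 0o022:
                mode = stat.filemode(st.st_mode)
                problems.append(f"{path}: {mode} is group/other writable")
        parent = os.path.dirname(path)
        if path == home or parent == path:
            break
        path = parent
    return problems


if __name__ == "__main__":
    # Constructed demo: chmod 775 stands in for the ACL on /home/user02, because
    # with mask::rwx the group bits reported by stat() are rwx (drwxrwxr-x+).
    with tempfile.TemporaryDirectory() as home:
        os.chmod(home, 0o775)
        print("775:", strictmodes_problems(home, os.getuid()))
        os.chmod(home, 0o755)
        print("755:", strictmodes_problems(home, os.getuid()))
```

Run against a real account with `strictmodes_problems("/home/user02", <uid of user02>)`; an empty list means the ownership and mode bits would pass this check.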