docs: add file permissions guidance to hardening page

skjnldsv · skjnldsv · commit 48828f58a977 · 2026-05-19T16:12:53.000+02:00
Adds a new 'Set strong file permissions' subsection to the Deployment section of harden_server.rst. The permissions section was removed in PR #431 because the web updater needs write access to the install dir, but no replacement guidance was added. This restores the guidance with the tradeoff clearly documented: - baseline chmod/chown commands for read-only install dir - note that data/ and apps/ must stay writable - note that web updater must be disabled (upgrade.disable-web) before applying stricter install-dir permissions Fixes #1353 Signed-off-by: skjnldsv <skjnldsv@protonmail.com>
diff --git a/admin_manual/installation/harden_server.rst b/admin_manual/installation/harden_server.rst
@@ -74,6 +74,47 @@ installation.
 .. You may also move your data directory on an existing
 .. installation; see :doc:``
 
+Set strong file permissions
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Strong file system permissions reduce the attack surface if an attacker gains
+access to the web server process. The recommended baseline sets the Nextcloud
+installation directory to read-only for the web server user:
+
+.. code-block:: bash
+
+   # Set ownership: root owns the files, web server group can read
+   sudo chown -R root:www-data /var/www/nextcloud/
+
+   # Files: owner read/write, group read-only, no world access
+   sudo find /var/www/nextcloud/ -type f -print0 | sudo xargs -0 chmod 0640
+
+   # Directories: owner full, group read+execute, no world access
+   sudo find /var/www/nextcloud/ -type d -print0 | sudo xargs -0 chmod 0750
+
+The **data directory** must remain writable by the web server user:
+
+.. code-block:: bash
+
+   sudo chown -R www-data:www-data /path/to/nextcloud-data/
+
+If you install or update apps via the Nextcloud **app store**, the ``apps/``
+directory also needs to be writable by the web server:
+
+.. code-block:: bash
+
+   sudo chown -R www-data:www-data /var/www/nextcloud/apps/
+
+.. note::
+
+   The built-in **web updater** requires write access to the entire Nextcloud
+   installation directory. If you apply the read-only permissions above,
+   the web updater will fail. Disable it first by adding the following to
+   ``config/config.php``, then use the command-line updater or package
+   manager instead::
+
+      'upgrade.disable-web' => true,
+
 Disable preview image generation
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
