Nextcloud umask – trial and error

Here’s a quick guide for those of you who run Nextcloud and, like me, have a very specific set of circumstances that creates problems:

  • Nextcloud on Docker
  • External Storages added to Nextcloud via attached docker storages, and configured in Nextcloud as a “Local” storage
  • Access said storages via both Linux/Mac file explorer, as well as via the Nextcloud web interface or app interface.

OK, if you are still with me, then you need to concern yourself with Nextcloud’s default umask setting. Basically, if you think of Linux file permissions, the umask acts as an inverse: it tells the system which permission bits to withhold from new files and directories. The problem I was having was that the permissions were too strict, and anything I created via the Nextcloud web or app interface was not accessible via my Linux or Mac file explorer (i.e. I could edit files or create new files/directories in directories previously created in the web app).

Nextcloud warns against changing this, for good reason. The default setting is good for most people. I’m not most people, and I still have some other checks and balances in for security reasons.

The way to change the setting in question is with your config.php file. For Docker, this should be in /var/www/nextcloud/config/. The setting you are looking to add, or change if it’s already there, is:

'localstorage.umask' => 0002,

Add the snippet above somewhere inside the configuration array. You will likely need to restart the container for this to take effect. This gives your files a more permissive ‘group’ permission; in my case this was needed to create files and directories from any interface I wanted. The equivalent chmod number for the permissions is 0775. This still prevents ‘others’ from writing files to these directories. If you want a more restrictive setting, you could try setting the umask to 0003, which would make all new files and directories have a permission number of 0774: read/write/execute for file owners and group members, but just ‘read only’ for ‘others’.
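To check what a given umask really produces, the script below creates a file and a directory under it and reports their modes, and counts entries in an existing tree that still lack group write, since a changed umask only affects files created afterwards. It is an added example, not code from the original post or from Nextcloud, and it goes beyond the text by reporting files and directories separately, because new files start from 0666 and new directories from 0777. The function names are hypothetical, and GNU stat and find (Linux) are assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU stat and find.

# modes_under_umask UMASK
# Prints "file=<octal> dir=<octal>" for a file and a directory created
# under UMASK. Runs in a subshell so the caller's umask is untouched.
modes_under_umask() {
    (
        tmp=$(mktemp -d) || exit 1
        trap 'rm -rf "$tmp"' EXIT
        umask "$1"
        : > "$tmp/f"        # new files start from 0666
        mkdir "$tmp/d"      # new directories start from 0777
        printf 'file=%s dir=%s\n' \
            "$(stat -c %a "$tmp/f")" "$(stat -c %a "$tmp/d")"
    )
}

# count_not_group_writable PATH
# Prints how many entries below PATH lack the group-write bit, i.e. were
# most likely created before the umask was relaxed and still need a chmod.
count_not_group_writable() {
    find "$1" -mindepth 1 ! -perm -020 | wc -l | tr -d ' '
}

# Compare a common system default (0022) with the two values from the text.
for m in 0022 0002 0003; do
    printf 'umask %s -> %s\n' "$m" "$(modes_under_umask "$m")"
done
```

Run `count_not_group_writable` against the mounted storage path after changing the setting to see how many existing entries were created under the old umask.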

If, like me, you are running the container on Unraid, you can access the file via your appdata share. Just navigate to the folder with your container name (in my case, /nextcloud/) and substitute that for ‘/var/’ in the directory above. So in my case, the full path was appdata/nextcloud/www/nextcloud/config/.
