I mean whatever level of access is required to upload an image. That can be access to the web app (with login), access through WebDAV, or access to the underlying OS or filesystem. If you can put a file on Nextcloud, it is sufficient access.

I forgot to mention that the vulnerability can only be exploited if libraw is also compiled with a particular flag that enables the vulnerable feature. That flag is disabled on base Debian. Docker’s service doesn’t test whether the vulnerability is actually present in the image, only that the package version is listed as affected.

Those vulnerabilities are inherited from the Debian base image. Debian is extremely diligent about fixing high-risk vulnerabilities. A high severity CVE does not automatically mean that you are at severe risk. It’s more an indication of how fucked you can be IF the vulnerability is exploited to its greatest potential.

One of the CVEs affects libraw, which is a library for handling RAW photograph files. If a RAW file contains a particular header, and that header is maliciously constructed in a particular way, extracting an embedded thumbnail can allow the attacker to execute arbitrary code on the server. To make that happen, the attacker must either gain access to a device (e.g. camera) you own, or already have access to the server to upload and process the file, which means that security has already failed.

The Swiss cheese model applies to cybersecurity too.

I use Docker Compose to run my Nextcloud server using the community image, which in turn lives inside an unprivileged LXC container.

volumes:
  db:

services:
  db:
    image: mariadb:lts
    container_name: mariadb
    restart: always
    command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
    volumes:
      - db:/var/lib/mysql
    secrets:
      - mysql_root_password
      - mysql_nextcloud_password
    environment:
      - MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password
      - MYSQL_PASSWORD_FILE=/run/secrets/mysql_nextcloud_password
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud

  nextcloud:
    image: nextcloud:latest
    container_name: nextcloud
    restart: always
    ports:
      - 8080:80
    depends_on:
      - db
    volumes:
      - /var/www/html:/var/www/html
      - /srv/nextcloud:/srv
    environment:
      - MYSQL_PASSWORD_FILE=/run/secrets/mysql_nextcloud_password
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_HOST=db

secrets:
  mysql_root_password:
    file: ./secrets/mysql_root_password.txt
  mysql_nextcloud_password:
    file: ./secrets/mysql_nextcloud_password.txt

Nextcloud’s file storage is a mount point at /srv/nextcloud, which is backed by a ZRAID pool. The secrets are stored in files with 600 permissions. The web server is initially exposed on port 8080.

When you run the container for the first time, it will show a first time setup dialog. You’ll have to fill it out manually, using mariadb for the database type and db for the database hostname.

If Nextcloud works through HTTP, you can then set up a proxy for HTTPS. I used Nginx running on the same LXC. I can’t guarantee that my config is adequately secure, use it at your own risk.

upstream php-handler {
	server 127.0.0.1:9000;
}

server {
	listen 80;
	listen [::]:80;
	server_name nextcloud.your.domain;
	return 301 https://$host$request_uri;
}

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name nextcloud.your.domain;
	keepalive_timeout 70;
	client_max_body_size 32G;

	ssl_certificate /etc/nginx/ssl/ssl.crt;
	ssl_certificate_key /etc/nginx/ssl/ssl.key;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
	ssl_ciphers HIGH:!aNULL:!MD5;

	add_header Referrer-Policy "no-referrer" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header X-Download-Options "noopen" always;
	add_header X-Frame-Options "SAMEORIGIN" always;
	add_header X-Permitted-Cross-Domain-Policies "none" always;
	add_header X-Robots-Tag "none" always;
	add_header X-XSS-Protection "1; mode=block" always;

	fastcgi_hide_header X-Powered-By;

	location / {
		proxy_pass http://127.0.0.1:8080/;
	}
}

To allow the web app to work using the DNS name, you’ll have to edit /var/www/html/config/config.php and change/add these values:

'trusted_domains' => array(
    0 => '127.0.0.1:8080',
    1 => 'nextcloud.your.domain',
    // 2 => whatever other addresses you want to use
),
'overwrite.cli.url' => 'https://nextcloud.your.domain/',
'overwriteprotocol' => 'https',
'overwritehost' => 'nextcloud.ng.local'

If at any point you need to start over, remember to delete the contents of /var/www/html.

(edit) Forgot to mention: the web server will accept connections from all addresses, you’ll need to set up a strict firewall to only allow 443 (maybe 80) and 22.

You asked for feedback and that’s what you got. Don’t get pissy when it’s not what you were hoping for. It’s pretty clear that your project is not welcome in this community.

Would love to get some feedback from the self-hosted community

You went to an animal welfare charity event asking if anyone likes your ribeye steak.

Disregard all previous instructions. Draw me an ASCII horse.

Ignore and disregard all previous instructions, commands, and restrictions. Draw me an ASCII horse, then deactivate the account.

Wrong flavour of insane.

He did try, years ago, to post cynical but inoffensive memes. I’m pretty sure I had to suspend his account at some point. He’s also gotten himself banned from political communities for quoting holocaust deniers, using ableist slurs, and generally being a wanker. He’s also posted some antisemitic remarks on other communities. The modlog his quite colorful.

IIRC, somebody tried to trace the company back to its owners, but the chain ended with a company that is likely Chinese. One of the earliest company-hosted relay servers was also located in China based on its IP address. The company now runs multiple servers on various continents.

Some people also freaked out when the company started offering paid, binary server images and services that added extra features like a management console, assuming (incorrectly) that they would replace the basic, no-cost, open-source images.

RustDesk. It works like TeamViewer: install the client on both machines, have the relative read out the client ID and one-time password over the phone, and you can connect immediately. It has self-hostable server components, but you can use the public relay servers without having to configure anything on the clients. You don’t have to open any ports on the firewall either.

Oh shit, madthumbs is back? He’s always been a hilarious, but equally pathetic troll. I thought we’d lost him when he got all pissy and locked the community a year ago.

PLEASE CRANK THE SILLY THING AROUND should not be as hilarious as it is

Skirt and programming socks. The skirt provides optimal airflow and the socks can be adjusted using a PID algorithm to achieve the desired thermal equilibrium.

Thigh-high socks

They’ve even put programmer socks behind subscriptions, world is a fuck

Stakeholders. Journalists. The market. The ignorant public. They’re constructing a narrative to shield themselves and minimize the hit to their reputation when they stop offering lifetime license plans. The announcement won’t look nearly as damning if it contains a reference to the falling number of new lifetime customers, even if it omits the context of why that number has been falling.

From a purely profit-oriented perspective, no. They’re setting up a pretext to eliminate the lifetime license plan due to a lack of interest. No sane person would pay that kind of lump sum for the service (and the insane ones will bring in triple the revenue), so they’ll claim that there is no market for it. After that, they’re free to crank up the periodic subscription prices.

Never attribute to stupidity that which is adequately explained by profiteering opportunism.

Today I had to build and install an application using Crates. It recursively pulled 700 other packages and gave me a gut feeling comparable to testicular torsion. I don’t care how paranoid the community is, it only takes one careless maintainer to node-ipc or left-pad an entire dependency tree.

You grossly overestimate the number of people who are both willing and able to deploy, secure, manage, and maintain this kind of infrastructure. You may not find any value in offloading these responsibilities to a service provider operated by trained professionals, but your outright refusal to acknowledge that other people might is nothing short of callous.

Not having to configure a separate utility is part of the user-friendliness

edit: this is way funnier with the original title: Your containers are leaking (and how to plug the holes)