From 5584f8a13a2b036111ede6a3374df60c26739a72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C5=81ukasz=20Domeradzki?= Date: Thu, 4 Jun 2026 18:07:03 +0200 Subject: [PATCH 1/2] Suggest optional security hardening in systemd service MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Łukasz Domeradzki --- .../background_jobs_configuration.rst | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/admin_manual/configuration_server/background_jobs_configuration.rst b/admin_manual/configuration_server/background_jobs_configuration.rst index dcce976cc56..95c2b5783bb 100644 --- a/admin_manual/configuration_server/background_jobs_configuration.rst +++ b/admin_manual/configuration_server/background_jobs_configuration.rst 
@@ -139,6 +139,38 @@ This approach requires two files: **nextcloudcron.service** and **nextcloudcron. ExecStart=/usr/bin/php -f /var/www/nextcloud/cron.php KillMode=process + # Optional security hardening + CapabilityBoundingSet= + DevicePolicy=closed + LockPersonality=yes + NoNewPrivileges=yes + PrivateDevices=yes + PrivateIPC=yes + PrivateMounts=yes + PrivateTmp=yes + PrivateUsers=yes + ProcSubset=pid + ProtectClock=yes + ProtectControlGroups=yes + ProtectHome=read-only + ProtectHostname=yes + ProtectKernelLogs=yes + ProtectKernelModules=yes + ProtectKernelTunables=yes + ProtectProc=invisible + ProtectSystem=strict + RemoveIPC=yes + RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX + RestrictNamespaces=yes + RestrictRealtime=yes + RestrictSUIDSGID=yes + SecureBits=noroot-locked + SystemCallArchitectures=native + SystemCallFilter=@system-service + SystemCallFilter=~@privileged + SystemCallFilter=~@resources + UMask=0077 + Replace the user ``www-data`` with the user of your http server and ``/var/www/nextcloud/cron.php`` with the location of **cron.php** in your nextcloud directory. The `ExecCondition` checks that the nextcloud instance is operating normally before running the background job, and skips it if otherwise. From 2ace607c52c0e5a0317ed0f1710c52b02b537c3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C5=81ukasz=20Domeradzki?= Date: Fri, 5 Jun 2026 15:45:45 +0200 Subject: [PATCH 2/2] Remove ProtectHome from recommendations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In edge case, if user put nextcloud files under home of the selected user, this setting would cause them to be read-only. Normally for such cases we could use ReadWritePaths, but then we'd need to hardcode placement of the nextcloud files, which is unwanted. Better to remove this setting and it leave it up to the system administrators if they want to add further protection, the setting is not as critical as other anyway. 
Signed-off-by: Łukasz Domeradzki --- .../configuration_server/background_jobs_configuration.rst | 1 - 1 file changed, 1 deletion(-) diff --git a/admin_manual/configuration_server/background_jobs_configuration.rst b/admin_manual/configuration_server/background_jobs_configuration.rst index 95c2b5783bb..3f6a691df2c 100644 --- a/admin_manual/configuration_server/background_jobs_configuration.rst +++ b/admin_manual/configuration_server/background_jobs_configuration.rst @@ -152,7 +152,6 @@ This approach requires two files: **nextcloudcron.service** and **nextcloudcron. ProcSubset=pid ProtectClock=yes ProtectControlGroups=yes - ProtectHome=read-only ProtectHostname=yes ProtectKernelLogs=yes ProtectKernelModules=yes
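Review bot: `ProtectSystem=strict` in the first hunk mounts the entire file system hierarchy read-only for the service, but `cron.php` (invoked by the `ExecStart=/usr/bin/php -f /var/www/nextcloud/cron.php` context line just above the block) writes to the Nextcloud data directory and log during normal background jobs, so the unit as shown will fail at runtime unless a `ReadWritePaths=` line is added. Either add `ReadWritePaths=/var/www/nextcloud` (or the data directory) to the block next to `ProtectSystem=strict`, or extend the existing instruction sentence in the hunk, "Replace the user ``www-data`` ... with the location of **cron.php**", to tell the administrator to set `ReadWritePaths=` to their instance and data directories. The comment `# Optional security hardening` is currently the only explanation of the 30 added directives; a short paragraph in the .rst stating that the block is optional, that it assumes the service runs as an unprivileged user (`PrivateUsers=yes`, empty `CapabilityBoundingSet=`), and that the result can be checked with `systemd-analyze security nextcloudcron.service` would help readers decide whether to enable it.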
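Review bot: Dropping `ProtectHome=read-only` in the second hunk does not by itself fix the edge case the commit message describes (Nextcloud files placed under the service user's home directory), because `ProtectSystem=strict` remains in the block and already makes that directory, and every other path, read-only; such an installation still needs a `ReadWritePaths=` entry. If the goal is to avoid hard-coding a path, the rationale belongs in the documentation prose rather than only in the commit message: keep `ProtectHome=read-only` and state in the surrounding text that any directory Nextcloud must write to, including a home-directory installation, has to be listed in `ReadWritePaths=`. As it stands, an administrator reading the rendered page has no way to know why `ProtectHome` is absent from an otherwise comprehensive hardening set.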