
🔒 Hardened /tmp permissions in Nextcloud container#228

Merged
Ven0m0 merged 4 commits into main from security-harden-nextcloud-tmp-13751229634068302542 on Mar 20, 2026

Conversation

@Ven0m0
Owner

@Ven0m0 Ven0m0 commented Mar 16, 2026

🎯 What: Insecure directory permissions and lack of symlink verification for /tmp in the Nextcloud container.
⚠️ Risk: The previous chmod 1777 followed symlinks, potentially allowing an attacker in the container to make sensitive host-mapped files world-writable via a symlink attack. Additionally, 1777 provided unnecessary world-writable access in a specialized container environment.
🛡️ Solution: Modified fix_nextcloud in RaspberryPi/Scripts/Fix.sh to verify that /tmp is not a symbolic link before applying changes. The fix now restricts permissions to 1770 with root:www-data ownership if the www-data group is present, ensuring only the necessary web server user can access temporary files. It maintains a safe fallback to 1777 for non-standard environments and uses a single docker exec call for better atomicity.


PR created automatically by Jules for task 13751229634068302542 started by @Ven0m0

- Verify /tmp is not a symbolic link to prevent symlink attacks
- Restrict permissions to 1770 and ownership to root:www-data where possible
- Consolidate into a single docker exec call for atomicity

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
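The two facts the description above rests on, that chmod follows a symlink to its target and that an `[ -L ]` test followed by recreating the directory avoids that, can be reproduced outside the container. The script below is an added example, not the repository's Fix.sh and not code from the Nextcloud project. It is written for plain sh because the real fix is handed to `docker exec nextcloud sh -c`, takes the directory and group as parameters so it runs against a scratch directory as an unprivileged user, skips the `chown` when not root (inside the container the exec runs as root, so there it applies), and falls back to grepping /etc/group when `getent` is absent. The mode-600 "secret" file is constructed test data standing in for a host-mapped file.

```shell
#!/bin/sh
# Added example (not Fix.sh): chmod follows a planted symlink, the PR's
# [ -L ] guard plus mkdir does not. Runs in a scratch directory as any user.
set -eu

# mode_is PATH MODE -> true if PATH's permission bits are exactly MODE (octal).
mode_is() {
  [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# world_writable PATH -> true if the other-write bit is set, sticky or not.
world_writable() {
  [ -n "$(find "$1" -prune -perm -002 -print)" ]
}

# group_exists NAME -> mirrors the PR's `getent group www-data` probe, with
# an /etc/group fallback for images that ship without getent (assumption).
group_exists() {
  if command -v getent >/dev/null 2>&1; then
    getent group "$1" >/dev/null 2>&1
  else
    grep -q "^$1:" /etc/group 2>/dev/null
  fi
}

# naive_fix DIR: the pre-PR behaviour, a bare chmod with no symlink check.
# chmod never changes a symlink itself; it changes whatever the link targets.
naive_fix() {
  chmod 1777 "$1"
}

# harden_tmp DIR [GROUP]: the PR's sequence. [ -L ] is true for any symlink,
# dangling or not, and never follows it; rm on a symlink unlinks only the link.
harden_tmp() {
  dir=$1; group=${2:-www-data}
  if [ -L "$dir" ]; then
    rm -f "$dir"
  elif [ -e "$dir" ] && [ ! -d "$dir" ]; then
    rm -f "$dir"                    # a regular file squatting on the name
  fi
  mkdir -p "$dir"
  if group_exists "$group"; then
    if [ "$(id -u)" -eq 0 ]; then chown "root:$group" "$dir"; fi
    chmod 1770 "$dir"               # owner + group only, sticky bit kept
  else
    chmod 1777 "$dir"               # fallback the PR keeps for other images
  fi
}

# plant_attack SANDBOX: a mode-600 "secret" standing in for a host-mapped
# file, and a symlink named tmp pointing at it (constructed test data).
plant_attack() {
  mkdir -p "$1"
  printf 'db-password\n' > "$1/secret"
  chmod 600 "$1/secret"
  ln -s "$1/secret" "$1/tmp"
}

# attack_via_naive SANDBOX -> prints "writable" if the old fix, run against
# the planted link, made the secret world-writable; "intact" otherwise.
attack_via_naive() {
  plant_attack "$1"
  naive_fix "$1/tmp"
  if world_writable "$1/secret"; then echo writable; else echo intact; fi
}

# attack_via_hardened SANDBOX GROUP -> prints "<secret state> <tmp kind> <mode>",
# e.g. "intact dir 1770": the secret untouched and tmp now a real directory.
attack_via_hardened() {
  plant_attack "$1"
  harden_tmp "$1/tmp" "$2"
  state=intact; world_writable "$1/secret" && state=writable
  kind=link;    [ -d "$1/tmp" ] && [ ! -L "$1/tmp" ] && kind=dir
  mode=other
  for m in 1770 1777; do mode_is "$1/tmp" "$m" && mode=$m; done
  printf '%s %s %s\n' "$state" "$kind" "$mode"
}
```

Run `attack_via_naive "$(mktemp -d)/a"` to see the pre-PR chmod turn the secret world-writable through the link, then `attack_via_hardened "$(mktemp -d)/b" "$(id -gn)"` to see the hardened sequence leave the secret at 600 and replace the link with a real 1770 directory; passing a group that does not exist exercises the 1777 fallback. The `elif` branch is the one case the PR's `[ -L ]`-only guard misses: a regular file at the path would make `mkdir -p` fail under `set -e`.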

Copilot AI review requested due to automatic review settings March 16, 2026 22:20

@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security posture of the Nextcloud container by addressing insecure /tmp directory permissions and the risk of symlink attacks. The changes ensure that temporary files are handled with appropriate access controls, preventing potential privilege escalation or data exposure within the container environment.

Highlights

  • Symlink Verification: Implemented a check to ensure that /tmp is not a symbolic link before applying any permission changes, mitigating potential symlink attacks.
  • Hardened Permissions: Modified /tmp permissions to 1770 with root:www-data ownership if the www-data group is present, restricting access to only the necessary web server user.
  • Atomic Execution: Refactored the permission fixing logic into a single docker exec command for improved atomicity and reliability.
  • Fallback Mechanism: Maintained a safe fallback to 1777 permissions with root:root ownership for environments where the www-data group is not available.
Changelog
  • RaspberryPi/Scripts/Fix.sh
    • Updated the fix_nextcloud function to harden /tmp permissions within the Nextcloud container.
    • Added logic to verify and remove /tmp if it is a symbolic link.
    • Implemented conditional ownership and permission settings for /tmp based on the presence of the www-data group.
    • Consolidated multiple docker exec calls into a single, more atomic command.
Activity
  • No specific activity has been recorded for this pull request yet.

@github-actions
Contributor

Lint/Format Check Failed

Please run ./lint-format.sh locally to fix formatting issues.

Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request effectively hardens the /tmp directory permissions within the Nextcloud container, addressing a potential symlink vulnerability and overly permissive access rights. The change correctly consolidates multiple docker exec calls into a single, more atomic operation. My feedback includes minor suggestions to align the new script block with the repository's bash standards and to improve the readability of the conditional logic.

Comment on lines +128 to 145
if ! sudo docker exec nextcloud sh -c '
set -eu
if [ -L /tmp ]; then
rm /tmp
fi
if ! sudo docker exec nextcloud chmod 1777 /tmp; then
warn "Failed to chmod /tmp in nextcloud"
perms_ok=0
fi
if (( perms_ok )); then
log "Nextcloud permissions fixed"
mkdir -p /tmp
if getent group www-data >/dev/null 2>&1; then
chown root:www-data /tmp
chmod 1770 /tmp
else
warn "Nextcloud permission fix incomplete"
chown root:root /tmp
chmod 1777 /tmp
fi
'; then
warn "Failed to fix /tmp permissions in nextcloud"
else
warn "Failed to access /tmp in nextcloud container"
log "Nextcloud permissions fixed"
fi
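Review bot: the `[ -L /tmp ]` guard only handles the symlink case, so if /tmp exists as a regular file the later `mkdir -p /tmp` fails with "File exists" and `set -eu` aborts the in-container script before any `chown`/`chmod` runs. Extend the guard so a squatted name is also replaced, e.g. `elif [ -e /tmp ] && [ ! -d /tmp ]; then rm -f /tmp; fi` right after the `-L` branch. (The `perms_ok` and nested `sudo docker exec nextcloud chmod 1777 /tmp` lines in this range are the pre-change code the diff view has folded in without markers; the new `sh -c` body is the `set -eu` ... `chmod` sequence.)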
Contributor


medium

This is a great security hardening improvement. I have a few suggestions to align it more closely with the repository's style guide and improve readability:

  • Use [[ ... ]] for tests: The style guide (line 117) specifies using [[ ... ]] for tests. The check for the symbolic link should be updated from [ -L /tmp ] to [[ -L /tmp ]].
  • Include pipefail: The style guide (line 108) recommends set -euo pipefail. The pipefail option is missing from the set -eu command within the docker exec script.
  • Improve readability: The if ! ...; then [fail]; else [success]; fi logic is inverted and can be harder to read. It's more conventional to use if ...; then [success]; else [fail]; fi.

Here is a suggested implementation that incorporates these points:

Suggested change
if ! sudo docker exec nextcloud sh -c '
set -eu
if [ -L /tmp ]; then
rm /tmp
fi
if ! sudo docker exec nextcloud chmod 1777 /tmp; then
warn "Failed to chmod /tmp in nextcloud"
perms_ok=0
fi
if (( perms_ok )); then
log "Nextcloud permissions fixed"
mkdir -p /tmp
if getent group www-data >/dev/null 2>&1; then
chown root:www-data /tmp
chmod 1770 /tmp
else
warn "Nextcloud permission fix incomplete"
chown root:root /tmp
chmod 1777 /tmp
fi
'; then
warn "Failed to fix /tmp permissions in nextcloud"
else
warn "Failed to access /tmp in nextcloud container"
log "Nextcloud permissions fixed"
fi
if sudo docker exec nextcloud sh -c '
set -euo pipefail
if [[ -L /tmp ]]; then
rm /tmp
fi
mkdir -p /tmp
if getent group www-data >/dev/null 2>&1; then
chown root:www-data /tmp
chmod 1770 /tmp
else
chown root:root /tmp
chmod 1777 /tmp
fi
'; then
log "Nextcloud permissions fixed"
else
warn "Failed to fix /tmp permissions in nextcloud"
fi
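Review bot: the suggested block still runs under `docker exec nextcloud sh -c '...'`, and `[[ -L /tmp ]]` is a bash construct that POSIX sh does not provide, so on an image whose /bin/sh is dash or busybox ash the script errors at that line and, under `set -e`, exits before anything is changed. Keep `[ -L /tmp ]` inside the container script, or call `bash -c` explicitly if the image ships bash; the style guide's `[[ ... ]]` and `pipefail` rules apply to the host-side Fix.sh, not to a body handed to another shell. `set -o pipefail` is also a no-op here, since the block contains no pipelines.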
References
  1. The style guide mandates using [[ ... ]] for tests. (Line 117: Tests: [[ ... ]])
  2. The style guide mandates set -euo pipefail for scripts. (Line 108: set -euo pipefail)

@kilo-code-bot

kilo-code-bot bot commented Mar 16, 2026

Code Review Summary

Status: 2 Issues Found | Recommendation: Address before merge

Overview

Severity Count
CRITICAL 0
WARNING 2
SUGGESTION 0
Issue Details

WARNING

File | Line | Issue
RaspberryPi/Scripts/Fix.sh | 130 | Symlink check doesn't catch symlinks pointing to directories
RaspberryPi/Scripts/Fix.sh | 136 | Unnecessary setgid bit (2770) in chmod

Analysis

This PR improves Nextcloud /tmp permissions by:

  • Consolidating multiple docker exec calls into a single inline shell script
  • Adding set -eu for proper error handling
  • Adding check to remove /tmp if not a directory
  • Using more restrictive permissions when www-data group exists

Issues Found:

  1. Symlink detection incomplete (line 130): The check [ -e /tmp ] && [ ! -d /tmp ] doesn't detect symlinks pointing to directories, since [ -d /tmp ] follows the symlink and returns true. Use [ -L /tmp ] instead.

  2. Unnecessary setgid bit (line 136): chmod 2770 includes the setgid bit which is unnecessary for /tmp. The PR description mentions 1770 but the code uses 2770.

Files Reviewed (1 files)
  • RaspberryPi/Scripts/Fix.sh - 2 issues

Reviewed by minimax-m2.5-20260211 · 205,662 tokens

Contributor

Copilot AI left a comment


Pull request overview

Updates the Raspberry Pi Fix.sh script’s Nextcloud remediation to reset /tmp inside the running nextcloud container (including removing a /tmp symlink and recreating the directory) before applying ownership and permissions.

Changes:

  • Replaces separate docker exec calls with a single in-container sh -c script to recreate /tmp safely.
  • Applies different /tmp ownership/permission logic depending on whether www-data group exists.


@aviator-app

aviator-app bot commented Mar 16, 2026

Current Aviator status

Aviator will automatically update this comment as the status of the PR changes.
Comment /aviator refresh to force Aviator to re-examine your PR (or learn about other /aviator commands).

This pull request is currently open (not queued).


Ven0m0 and others added 3 commits March 20, 2026 21:59
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@Ven0m0 Ven0m0 merged commit 9971fb8 into main Mar 20, 2026
4 of 6 checks passed
@Ven0m0 Ven0m0 deleted the security-harden-nextcloud-tmp-13751229634068302542 branch March 20, 2026 20:59
@github-actions
Contributor

Lint/Format Check Failed

Please run ./lint-format.sh locally to fix formatting issues.

if ! sudo docker exec nextcloud sh -c '
set -eu
if [ -L /tmp ]; then
if [ -e /tmp ] && [ ! -d /tmp ]; then
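Review bot: the replacement test `[ -e /tmp ] && [ ! -d /tmp ]` is weaker than the `[ -L /tmp ]` it replaces in two ways: `-d` follows the link, so a symlink to an existing directory passes as a directory and is left in place; and `-e` follows as well, so a dangling symlink (target removed after planting) makes `-e` false, the link is kept, and the following `mkdir -p /tmp` fails with "File exists". Keep both tests: `if [ -L /tmp ] || { [ -e /tmp ] && [ ! -d /tmp ]; }; then rm -f /tmp; fi`, which removes symlinks of every kind and a regular file squatting on the name.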


WARNING: The symlink check [ -e /tmp ] && [ ! -d /tmp ] doesn't catch symlinks pointing to directories. If /tmp is a symlink to an existing directory, [ -d /tmp ] returns true and the symlink won't be removed. Consider using [ -L /tmp ] instead for explicit symlink detection.

if getent group www-data >/dev/null 2>&1; then
chown root:www-data /tmp
chmod 1770 /tmp
chmod 2770 /tmp
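Review bot: `chmod 2770` swaps the sticky bit of the description's 1770 for setgid, and the two are different controls. Sticky on a shared directory stops one member of `www-data` from unlinking or renaming entries that a different user (root, for instance) created there; setgid only makes new entries inherit the `www-data` group. Dropping sticky on a scratch directory shared by several uids is a regression relative to the old 1777, so use 1770 as the description states, or 3770 if group inheritance is also wanted.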


SUGGESTION: The setgid bit (2770) is unnecessary for /tmp. The setgid bit only affects newly created files within the directory, but /tmp files are typically owned by the process creating them. Consider using 1770 instead of 2770.


2 participants