Nextcloud VM updater shows permissions error

When trying to update your Nextcloud VM using the updater in the GUI, the following error might be shown:

(Screenshot: Nextcloud updater fails at "Check for write permissions")

  • Check for write permissions

    The following places can not be written to:
    • /var/www/nextcloud/updater/../cron.php
    • /var/www/nextcloud/updater/../version.php
    • /var/www/nextcloud/updater/../console.php
    • /var/www/nextcloud/updater/../public.php
    • /var/www/nextcloud/updater/../robots.txt
    • /var/www/nextcloud/updater/../status.php
    • /var/www/nextcloud/updater/../.htaccess
    • /var/www/nextcloud/updater/../COPYING
    • /var/www/nextcloud/updater/../occ
    • /var/www/nextcloud/updater/../remote.php
    • /var/www/nextcloud/updater/../index.php
    • /var/www/nextcloud/updater/../index.html
    • /var/www/nextcloud/updater/../AUTHORS
    • /var/www/nextcloud/updater/../.user.ini

That might be due to the "set strong permissions" script, which sets the owner to root:www-data instead of www-data:www-data. You can check that using:

root@lin:~#
root@lin:~# ll /var/www/nextcloud/
total 172
drwxr-x--- 14 root     www-data  4096 Sep 21 14:07 ./
drwxr-xr-x  4 root     root      4096 Sep 21 14:07 ../
drwxr-x--- 41 root     www-data  4096 Sep  9 13:44 3rdparty/
drwxr-x--- 46 www-data www-data  4096 Sep 21 14:07 apps/
-rw-r-----  1 root     www-data 16522 Sep  9 13:41 AUTHORS
drwxr-x---  2 www-data www-data  4096 Sep 21 14:07 config/
-rw-r-----  1 root     www-data  3967 Sep  9 13:41 console.php
-rw-r-----  1 root     www-data 34520 Sep  9 13:41 COPYING
drwxr-x--- 23 root     www-data  4096 Sep  9 13:44 core/
-rw-r-----  1 root     www-data  5140 Sep  9 13:41 cron.php
drwxr-x---  2 root     www-data  4096 Sep 21 14:07 data/
-rw-r--r--  1 root     www-data  4400 Sep 21 14:08 .htaccess
-rw-r-----  1 root     www-data   156 Sep  9 13:41 index.html
-rw-r-----  1 root     www-data  2960 Sep  9 13:41 index.php
drwxr-x---  6 root     www-data  4096 Sep  9 13:41 lib/
-rwxr-x--x  1 root     www-data   283 Sep  9 13:41 occ*
drwxr-x---  2 root     www-data  4096 Sep  9 13:41 ocm-provider/
drwxr-x---  2 root     www-data  4096 Sep  9 13:41 ocs/
drwxr-x---  2 root     www-data  4096 Sep  9 13:41 ocs-provider/
-rw-r-----  1 root     www-data  3102 Sep  9 13:41 public.php
-rw-r-----  1 root     www-data  5332 Sep  9 13:41 remote.php
drwxr-x---  4 root     www-data  4096 Sep  9 13:41 resources/
-rw-r-----  1 root     www-data    26 Sep  9 13:41 robots.txt
-rw-r-----  1 root     www-data  2379 Sep  9 13:41 status.php
drwxr-x---  3 www-data www-data  4096 Sep  9 13:41 themes/
drwxr-x---  2 www-data www-data  4096 Sep  9 13:42 updater/
-rw-r-----  1 root     www-data   101 Sep  9 13:41 .user.ini
-rw-r-----  1 root     www-data   362 Sep  9 13:44 version.php
root@lin:~#
root@lin:~#

Cause and solution

That is why the GUI updater of Nextcloud is blocked: the permissions it needs (www-data:www-data) aren't as safe as root:www-data. In the Nextcloud VM this is solved by using its own update script instead: https://github.com/nextcloud/vm/blob/master/nextcloud_update.sh

👉 Rather than running that script from GitHub, run sudo bash /var/scripts/update.sh.
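As an added example (not part of the Nextcloud VM scripts or this post), a small POSIX shell audit that lists every entry under a Nextcloud web root whose mode deviates from the strong layout visible in the ls output above (directories 0750, regular files 0640, occ 0750) and, separately, anything writable by group or other, which a compromised web-server process could overwrite. The modes are read from the listing above, so .htaccess (0644 there) will be reported; the /var/www/nextcloud path in the usage line is just the path from this post.

```shell
#!/bin/sh
# Added example (not part of the Nextcloud VM scripts): audit a Nextcloud
# web root against the strong-permission layout seen in the listing above.
# Expected modes: directories 0750, regular files 0640, occ 0750.
# Only modes are checked, so the audit runs without root; the ls -ld
# output still shows owner:group so root:www-data can be verified by eye.

# Print an ls -ld line for every entry under $1 whose mode deviates.
audit_perms() {
    root="$1"
    {
        find "$root" -type d ! -perm 750 -print
        find "$root" -type f ! -name occ ! -perm 640 -print
        find "$root" -type f -name occ ! -perm 750 -print
    } | while IFS= read -r path; do
        ls -ld "$path"
    done
}

# Entries writable by group or other: these are the ones a compromised
# www-data process could modify, which is exactly what root ownership of
# the core files prevents (and why the GUI updater is blocked).
writable_by_group_or_other() {
    find "$1" \( -perm -020 -o -perm -002 \) -print
}

# Number of deviating entries; 0 means the tree matches the strong layout.
count_deviations() {
    audit_perms "$1" | wc -l | tr -d ' '
}

# Usage: sh audit_perms.sh /var/www/nextcloud
if [ "$#" -gt 0 ]; then
    echo "== mode deviations under $1"
    audit_perms "$1"
    echo "== writable by group/other under $1"
    writable_by_group_or_other "$1"
fi
```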


PIP in Anaconda3 on Windows for Python

If you are using Anaconda3 on Windows for Python development, you may want to know which version of pip is installed:

Start an Anaconda shell (Anaconda Powershell Prompt or Anaconda Prompt) and enter:

pip --version

(base) PS C:\>
(base) PS C:\> pip --version
pip 20.0.2 from C:\ProgramData\Anaconda3\lib\site-packages\pip (python 3.7)
(base) PS C:\>


If you want to check if requests is installed or want to install it:

(base) PS C:\>
(base) PS C:\> pip install requests
Requirement already satisfied: requests in c:\programdata\anaconda3\lib\site-packages (2.22.0)
Requirement already satisfied: certifi>=2017.4.17 in c:\programdata\anaconda3\lib\site-packages (from requests) (2019.11.28)
Requirement already satisfied: chardet<3.1.0,>=3.0.2 in c:\programdata\anaconda3\lib\site-packages (from requests) (3.0.4)
Requirement already satisfied: idna<2.9,>=2.5 in c:\programdata\anaconda3\lib\site-packages (from requests) (2.8)
Requirement already satisfied: urllib3!=1.25.0,!=1.25.1,<1.26,>=1.21.1 in c:\programdata\anaconda3\lib\site-packages (from requests) (1.25.8)
(base) PS C:\>


How to increase IT security of a company using quick wins

How to increase my company's IT security? Of course there are many, many topics, processes, systems, parameters, awareness measures and a lot more to implement, adjust, train, improve or get rid of. Following the available frameworks such as MITRE ATT&CK, the recommendations from NIST or the BSI etc. will get you there. However, they require a lot of time, and some companies want to implement some 'quick wins' before they adopt a whole framework (which they should).

So some of those 'quick wins' are:
  • Implement multi-factor authentication (MFA/2FA). Balancing security with comfort will win over your users, for example by implementing MFA or 2FA using push tokens.
  • Raising awareness by regularly sending internal phishing mails will make users learn and understand not to open or click on everything.
  • Implementing zero trust or microsegmentation will make lateral movement hard.
  • Regularly scanning your whole environment for vulnerabilities and configuration issues, combined with regular patching and improved hardening, will dramatically reduce your attack surface.
  • Restrict administrative permissions, regularly check whether they are still necessary, implement JIT (just-in-time) access and secure your directory services using dedicated jump servers with MFA/2FA. Also, don't use the built-in default groups of Microsoft AD, because very often they have too many unnecessary permissions.

Some more are described in an article on the Microsoft Security blog. I personally don't agree with all of them, but it is a possible approach:

(Picture from the Microsoft Security blog: https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/)

Keeping in mind the point of view of an attacker might help:
(Picture from the Microsoft Security blog: https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/)

Azure Managed Identities (technical service accounts)

Explanation: Azure Managed Identities = technical service accounts. The password is automatically managed, as was the case in managed service ...