Last year we moved from a traditional Samba based network to a Nextcloud based one. Despite using some more space on the local disk, we gain the ability to work from anywhere, have files backed up immediately (or at least as soon as there's a network connection) and can still limit file access through group membership.
With the old Samba configuration we had ssh access to the main server where we keep the office ssh key, and from which we start most of our remote sessions. When the file lived on the filesystem it was rather easy to adapt permissions so that an unprivileged user could read the key, but now with Nextcloud the files are not accessible that way anymore (because the storage is encrypted! Otherwise you could read them directly from the Nextcloud data dir).
But we still have the option of mounting Nextcloud via WebDAV. This is easily achieved by following the Nextcloud user manual's instructions for mounting from the command line.
In the past, though, at least with Ubuntu 12.04, davfs mounts weren't very stable. It's also annoying to remember to mount the share when you need it, and above all to unmount it before logging out (or when your session terminates unexpectedly). So my goal was to use autofs to mount each user's Nextcloud share automatically, and of course to leave it unmounted when not needed.
AutoFS is pretty easy to configure. But there's a privacy issue when using it with DavFS and user credentials: according to the manual they must be stored either in the user's ~/.davfs2/secrets or in /etc/davfs2/secrets. With autofs, however, the mounting user is the user the daemon runs as, which is root. This means every user's credentials would have had to be placed in the same root-owned file. I didn't want this: I didn't want to know everyone's password. Changing the mounting user from autofs is not possible, so I dug into the mount.davfs2 manual and found that you can specify a custom davfs config, in which you can point to a custom secrets file! Gotcha!
So, to sum everything up (on Ubuntu 16):
apt install autofs davfs2
Append something like this to /etc/auto.master:
/- /etc/auto.yetopen --timeout=60 --ghost
and in /etc/auto.yetopen add each user's own mountpoint:
/home/lorenzo.milesi/Nextcloud -fstype=davfs,uid=10001,file_mode=600,dir_mode=700,conf=/home/$USER/.davfs2/davfs2.conf,rw :https\://your.nextcloud.host.com/remote.php/webdav/
- uid: must be the numeric id of the user, in this case lorenzo.milesi's
- file_mode and dir_mode: restrict file access so that other users on the system cannot read someone else's data
- conf: this is our customized davfs configuration, which points to the per-user secrets file
Note the use of autofs' $USER variable. It's probably possible to have a single autofs line serve all the users on the system, i.e. one config line for everyone. Maybe I'll check that later. 🙂
Let's create the user's configuration. As the unprivileged user, in this case lorenzo.milesi:
mkdir ~/Nextcloud
mkdir ~/.davfs2
echo "secrets /home/lorenzo.milesi/.davfs2/secrets" > ~/.davfs2/davfs2.conf
echo "/home/lorenzo.milesi/Nextcloud/ lorenzo.milesi YOUR_PASSWORD_HERE" > ~/.davfs2/secrets
Unfortunately, davfs2 requires the secrets file to be owned by the user mounting the share. Since that is root, the file in the user's home must be root owned. So, as root:
chown root /home/lorenzo.milesi/.davfs2/secrets
Now restart autofs and you’re done!
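The steps above, collected into a small helper script. This is an added example and not part of the original post: it generates the per-user map entry, the davfs2.conf line and the secrets entry from a username, numeric uid and Nextcloud host, and checks that the secrets file has the owner and mode mount.davfs expects (root-owned, readable only by the owner, since davfs2 refuses a secrets file that is group or world readable). The paths follow the post; the script and function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: helpers that emit the per-user
# autofs map entry, davfs2.conf and secrets line described above, and that
# check a secrets file the way mount.davfs will (owner and mode 600) before
# autofs tries to use it. Paths follow the post; function names are assumed.

# Map entry for /etc/auto.yetopen: $1=username $2=numeric uid $3=Nextcloud host
autofs_map_entry() {
    printf '/home/%s/Nextcloud -fstype=davfs,uid=%s,file_mode=600,dir_mode=700,conf=/home/%s/.davfs2/davfs2.conf,rw :https\\://%s/remote.php/webdav/\n' \
        "$1" "$2" "$1" "$3"
}

# Content of ~/.davfs2/davfs2.conf pointing at the per-user secrets file
davfs2_conf() {
    printf 'secrets /home/%s/.davfs2/secrets\n' "$1"
}

# Secrets entry: mount point, login, password. The password is read from
# stdin so it never shows up in the process list or the shell history.
secrets_entry() {
    IFS= read -r password
    printf '/home/%s/Nextcloud/ %s %s\n' "$1" "$1" "$password"
}

# Return 0 when file $1 is owned by $2 and has mode 600, 1 otherwise.
# stat -c is GNU coreutils syntax (as on Ubuntu).
secrets_file_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%U' "$1")" = "$2" ] || return 1
    [ "$(stat -c '%a' "$1")" = "600" ] || return 1
}

# Usage, as root:
#   ./nextcloud-autofs-user.sh lorenzo.milesi 10001 your.nextcloud.host.com
# Prints the map entry and conf line; redirect them where the post puts them,
# then warn if the user's secrets file is not yet root-owned with mode 600.
if [ "$#" -eq 3 ]; then
    autofs_map_entry "$1" "$2" "$3"
    davfs2_conf "$1"
    secrets_file_ok "/home/$1/.davfs2/secrets" root \
        || echo "warning: /home/$1/.davfs2/secrets must be root-owned with mode 600" >&2
fi
```

The secrets entry is written with `printf 'PASSWORD\n' | secrets_entry lorenzo.milesi > ~/.davfs2/secrets` as the unprivileged user, followed by `chmod 600` and the `chown root` from the post; `secrets_file_ok` then reports whether mount.davfs will accept the file.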
The setup is not perfect, but it satisfies me enough for now. I'll see if I can improve it in the future.