Summary
Several services have broader filesystem access than they need.
Evidence
compose.yaml:338-339 mounts the main Nextcloud and user-data volumes into nginx as read-write.
compose.yaml:452 mounts the main Nextcloud volume into notifypush as read-write.
Risk
If nginx or notifypush is compromised, an attacker can modify application code or configuration on host-backed volumes and persist changes beyond the compromised container.
Suggested Remediation
- Mount application code and config read-only wherever possible.
- Split code/config mounts from writable data mounts if a service only needs a subset.
- Re-evaluate whether nginx needs access to user data at all.
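A check for the remediation above, as an added example that is not part of this finding or the project's compose file: it walks each service's volume mounts and reports code/config volumes mounted read-write by anything other than the application container, plus user-data volumes handed to services that do not need them. The volume and service names (`nextcloud`, `nextcloud_data`, `app`) are assumed for the example.

```python
"""Flag compose services whose volume mounts are broader than they need.

Operates on the mapping yaml.safe_load() returns for a compose.yaml, so both the
short "source:target:mode" string form and the long mapping form are handled.
"""

# Volume names and the services allowed to use them are constructed for this
# example; they are not taken from the audited compose.yaml.
CODE_VOLUMES = {"nextcloud"}          # application code and config
DATA_VOLUMES = {"nextcloud_data"}     # user data
CODE_WRITERS = {"app"}                # only the app container may write code/config
DATA_CONSUMERS = {"app"}              # only the app container needs user data


def parse_mount(entry):
    """Return (source, target, read_only) for one volume entry of either syntax."""
    if isinstance(entry, str):
        parts = entry.split(":")
        if len(parts) == 1:            # anonymous volume such as "/var/www/html"
            return None, parts[0], False
        opts = parts[2].split(",") if len(parts) > 2 else []
        return parts[0], parts[1], "ro" in opts
    return entry.get("source"), entry.get("target"), bool(entry.get("read_only", False))


def find_overbroad_mounts(compose: dict) -> list[str]:
    """Return one finding per mount that is read-write where :ro suffices, or
    that hands user data to a service with no need to read it."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        for entry in svc.get("volumes", []):
            source, target, read_only = parse_mount(entry)
            if source in CODE_VOLUMES and not read_only and name not in CODE_WRITERS:
                findings.append(f"{name}: {source} is read-write at {target}; mount it :ro")
            if source in DATA_VOLUMES and name not in DATA_CONSUMERS:
                findings.append(f"{name}: user-data volume {source} at {target}; drop the mount")
    return findings


# Constructed compose mapping mirroring the finding: nginx and notifypush receive the
# code volume read-write, and nginx also receives user data.
SAMPLE_COMPOSE = {"services": {
    "app": {"volumes": ["nextcloud:/var/www/html", "nextcloud_data:/var/www/html/data"]},
    "nginx": {"volumes": ["nextcloud:/var/www/html", "nextcloud_data:/var/www/html/data"]},
    "notifypush": {"volumes": [{"type": "volume", "source": "nextcloud", "target": "/var/www/html"}]},
}}

if __name__ == "__main__":
    for finding in find_overbroad_mounts(SAMPLE_COMPOSE):
        print(finding)
```

Running it against the constructed mapping yields three findings (two for nginx, one for notifypush); after changing the nginx and notifypush code mounts to `:ro` and dropping the nginx data mount, it yields none.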