Turns out it’s been nearly a year since I’ve posted. Whoops.
Currently I’m running NextCloud in Kubernetes, and in an effort to secure it a bit better, I had need of disabling the default admin user, along with a piece of enabling MFA for all other users. For obvious reasons, if you’re going to disable the default break-glass admin user, you really need a way of re-enabling it again.
This can be done through the occ NextCloud configuration utility. However, that utility must run as the www-data user, and when running under Kubernetes, it’s not entirely clear how one can do that. So here’s how you can do exactly that.
We assume that your NextCloud deployment is in the namespace nextcloud and you are only running one replica.
# Get the name of your NextCloud pod
kubectl -n nextcloud get pods -o name
# Jump into the pod, become the www-data user and change into the install folder
# Replace the text below with your actual pod name
kubectl -n nextcloud exec -it nextcloud-664f28882-fiajn -- su -s /bin/bash - www-data
cd /var/www/html
# Disable the default admin user, allowing 512Mb of memory for the occ command to run in
PHP_MEMORY_LIMIT=512M php occ user:disable admin
# Exit out of the pod
exit
And there you have it. Obviously to re-enable the user you just do the same but with occ user:enable admin.