What is the potential damage of a compromised CODE server?


I’m thinking about installing Collabora CODE on a server whose security I don’t trust 100%. I don’t understand the mechanics behind Nextcloud and Collabora well enough to estimate the potential damage of such a setup. Let’s say an attacker has root acces to the server on which Collabora is installed. What would that mean for the files on the Nextcloud server? Would the attacker be able to gain access to all of them? Or just the ones that are currently edited?

Thanks a lot!

An attacker with root access has access to everything on your server and can control it completely. So the answer is yes, the attacker has access to all your Nextcloud/Collabora documents.

Thanks for you answer! I realize now that I left out an important detail, sorry about that: Nextcloud and CODE would be installed on different servers.

The situation I am worried about is this: Nextcloud is installed on server A. CODE is installed on server B. Server B gets hacked. Can the hacker now gain access to Nextcloud documents/some of them?

I suppose that Nextcloud somehow transfers documents to the CODE server when a users are editing them, and that’s what makes me suspicious.

If they are not encrypted sure, if the attacker can gain access to your nextcloud server from collabora. Or visa versa. Best bet is to set up your firewalls and trusted domains.

The hacker can definitely get access to the documents that are currently edited, because those are retrieved from Nextcloud, and stored locally while the editing session is active. They also get access to the document for a while after editing, because the access token Nextcloud gives has a certain validity period (I haven’t checked what that is, maybe an hour or so), and until that’s up, the file can be retrieved from Nextcloud with the same URL COOL got. Apart from that case, the files on the Nextcloud host are safe.


In general - the question of: “can I protect myself from root” is ‘no’; we spend most of our time and concern in our threat model defending ourselves from external bad actors, and internal bad actors / documents inside our locked down per-document containers. It is important if someone can run arbitrary code inside a document jail that they have very little scope to do anything bad through several layers of good design there.

Maybe you find following references for WOPI protocol useful

this one from Microsoft
another good drawing - don’t worry it’s about Sharepoint, the process is exactly the same.

assuming COOL and Nextcloud are separated compromised COOL system should be no general threat to Nextcloud (only to files users edit using compromised COOL instance)… but if the separation is not good enough definitely attacker can do everything according to the access rights…