It all started so simply
We, the Computer Science Student Council, have been running our own cloud instance for years and have used it to share not only data for committee work, for example, but also past exam papers provided by lecturers with students. Recently, we decided to switch to the university-wide Nextcloud. As the server admin and deputy spokesperson, I was tasked with transferring the data to its new destination.
This worked for the most part, but then I wanted to set up access to the exam folder and failed to set the password we had been using, which was intended to ensure that no one outside the university could access the documents.
The password apparently didn’t meet the cloud’s criteria for a strong password; everyone’s probably familiar with messages like that. It was missing an uppercase or lowercase letter, a number or some special character needed to be added, so you just tack on any character from that category to keep the system happy. But in this situation, that would probably have caused confusion if the cloud suddenly had a different password. I would have preferred to set up a redirect so that the difference wouldn’t be noticed at all during the transition phase.
So I decided to make the most of the benefits of a cloud linked to university accounts and look for a way – definitely there must be one – to restrict access rights to university members. Surely that should be easy, right?
You’ve seen the result for yourselves
I contacted support and received an immediate reply with specific instructions; after a few follow-up questions, I knew how to create a user group and use it for sharing in Nextcloud. The example given by KIM support was something like: “Share with everyone who is in the Students group and the Computer Science group.” However, as I also had to consider students of other subjects taking some of our courses, lecturers (and who knows how teacher training students are counted), I changed it to: “Share with everyone who is in the Students group or the Computer Science group.”
What could possibly go wrong?
(Note that if you ask yourself this question at any point whilst configuring a system, you’re in for a very interesting time.) All users would be granted permission to open the folder and would find it via the link to the collection, just as before. After all, it’s no problem if other students could access it too; the mere right to read a folder shouldn’t necessarily make it visible.
How naive one can be…
So I saved the group assignment and waited… and waited, and waited a little longer. Then the process was complete and I received a message saying that there were currently 9,699 users in the group – so far, so good. That seemed quite promising. I then created a shared folder in Nextcloud and shared it with this group. That worked too, sort of. Because when I tried it, I couldn’t access it and couldn’t see the folder either. I asked a lecturer to test it and here too, no folder was visible or accessible.
I fiddled around for a while longer, refreshed the share, tweaked the group settings, and when that didn’t help either, I considered the attempt a failed experiment with no effect, wrote to support again, and gave up for the time being.
But the fun had only just begun.
What on earth is going on?
At 6.52 pm, I was pinged in the student council chat: sociology students had suddenly gained access to our mock exams, and shortly afterwards the same message came through for philosophy. 🫣
So, with a bit of a delay, I had achieved my goal after all 🎉, at least in a way.
Perhaps Nextcloud needed a while to transfer the permissions. The result, however, was that (presumably) all students at the university received an email stating that the Computer Science Student Council had shared a cloud folder with them.
Not quite as subtle as I’d hoped, but definitely effective!
Just as the first enquiries from confused students started arriving in the Student Council’s inbox, I desperately tried to undo everything as quickly as possible. 😭 However, the long wait times for group management proved problematic once again, so I tried to delete the group, the share and the exam folder itself at the same time, but Nextcloud seemed a bit overwhelmed, which may (I know, it sounds far-fetched) have had something to do with the fact that over 9,000 emails had been sent and the same number of user accounts had to be processed. After a while, the nightmare was finally over. (We’re still just getting messages with questions, though)
To be on the safe side, I reported the incident to KIM Support and the KIM staff member responsible for cyber security. It remains to be seen what their assessment of the situation will be.
So what about the exams? I think we’ll simply change the password for the collection to avoid further confusion. Or we might start a new experiment, but in that case, I’m sure you’ll hear about it 😉.
As this incident will likely be the subject of jokes for a while, I’d like to kick off the banter and list a few suggestions, most of which – albeit in a modified form – come from the Student Council chat:
- Marcel, if he accidentally launches a DDoS attack
- In future, we’ll send the StuVe newsletter via Nextcloud
- The page says that groups with more than 200 members can’t be displayed. So I’ve got a pretty good idea of how big this one is
- Looks like the status will have to be changed individually for each of the 9,000 users
- Why is this folder still there?
- When you consider that all this happened because passwords are supposed to contain certain characters…
- Just look at this subject line: “Accidental sharing of a Nextcloud folder with the entire student body”
At this point, I’d like to give the cloud a big shout-out, as it was able to handle and cope with this… let’s say, unusual load.