FS#69730 - [nextcloud] Problems with writable apps directory

Attached to Project: Community Packages
Opened by Luca Weiss (z3ntu) - Sunday, 21 February 2021, 17:19 GMT
Last edited by David Runge (dvzrv) - Sunday, 21 February 2021, 18:13 GMT
Task Type: Bug Report
Category: Packages
Status: Closed
Assigned To: Sergej Pupykin (sergej), David Runge (dvzrv)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 1
Private: No

Details

Description:

I'm running apache httpd & php-fpm with the latest nextcloud package 21.0.0-6. Everything's running fine but apache can't access the contents of the extra installed apps, as apache is running with the http user and /var/lib/nextcloud/apps is owned by the nextcloud user.

1. Install e.g. bookmarks app from the store, everything works fine there.
2. See that most things with the app don't work because static assets are failing with HTTP 403, as those are served by apache

Accessing https://example.org/wapps/bookmarks/img/bookmarks.svg fails with an Apache Forbidden site:

$ sudo -u http ls /var/lib/nextcloud/apps/
ls: cannot access '/var/lib/nextcloud/apps/': Permission denied

I don't see anything on the wiki page about having to run apache as a different user or something. A user in the forum also writes about similar symptoms https://bbs.archlinux.org/viewtopic.php?pid=1957661#p1957661

Thanks for the work, I'm glad that Nextcloud is running as a separate user now :)

Closed by David Runge (dvzrv)
Sunday, 21 February 2021, 18:13 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed with nextcloud 21.0.0-7
Comment by Mad Vr (madevr) - Sunday, 21 February 2021, 17:38 GMT
Same here.

I'm not sure how to fix this. Would it hurt to make /var/lib/nextcloud + /var/lib/nextcloud/apps readable by everyone? I mean, /usr/share/webapps/nextcloud/apps is also readable by everyone. This would include the http user and fix the problems.
/var/lib/nextcloud/data can stay as it is, of course.

When this gets fixed I think the package is finally working pretty much out of the box again.
Comment by David Runge (dvzrv) - Sunday, 21 February 2021, 17:45 GMT
@z3ntu: Thanks for the report!

I have the suspicion that it is related to /var/lib/nextcloud/apps/ being installed 770.
For /var/lib/nextcloud/data/ this seems to be correct (the application itself changes it to that mode), but for the apps directory it is too restrictive.

You can try to adjust the ownership temporarily: chmod 755 /var/lib/nextcloud/apps
Comment by Luca Weiss (z3ntu) - Sunday, 21 February 2021, 17:48 GMT
That and chmod o+rx /var/lib/nextcloud makes it work (parent directories must also be accessible to the user)

Maybe we can also do this with user: nextcloud, group: http ownership? Then we can keep the 'others' permissions to a minimum
Comment by Mad Vr (madevr) - Sunday, 21 February 2021, 17:48 GMT
chmod 755 /var/lib/nextcloud
chmod 755 /var/lib/nextcloud/apps

This fixes it for me, but I needed both.
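
The two comments above both found that the apps directory and its parent had to be opened up. As an added example that is not part of the original thread, this script walks a path and prints the first component that stops a user who is neither owner nor group member (the http user here). The function names are hypothetical, GNU stat is assumed, and the sample tree is constructed, with the 750 mode on nextcloud/ being an assumption.

```shell
#!/bin/sh
# Added example (not from the report). Assumes GNU stat, as on Arch Linux.
# Run as root on a real tree so stat can reach every component.

# True if the "others" mode bits of $1 include mask $2 (4 = r, 1 = x).
others_have() {
    mode=$(stat -c %a "$1") || return 1
    [ $(( (mode % 10) & $2 )) -eq "$2" ]
}

# first_blocked START REL: walk REL below START (START itself is assumed
# reachable) and print the first component that stops a user who is neither
# owner nor group member. Prints nothing if the target is readable.
first_blocked() {
    cur=$1 rest=$2
    while [ -n "$rest" ]; do
        cur=$cur/${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        if [ -n "$rest" ]; then need=1      # directory on the way: search (x)
        elif [ -d "$cur" ]; then need=5     # target directory: r+x
        else need=4                         # target file: r
        fi
        others_have "$cur" "$need" || { echo "$cur"; return 0; }
    done
}

# Constructed sample tree. apps/ is 770 as stated in the report; 750 on
# nextcloud/ and the modes below apps/ are assumptions for the demo.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/nextcloud/apps/bookmarks/img"
    : > "$t/nextcloud/apps/bookmarks/img/bookmarks.svg"
    chmod 644 "$t/nextcloud/apps/bookmarks/img/bookmarks.svg"
    chmod 755 "$t/nextcloud/apps/bookmarks/img" "$t/nextcloud/apps/bookmarks"
    chmod 770 "$t/nextcloud/apps"
    chmod 750 "$t/nextcloud"
    echo "$t"
}

tree=$(make_sample_tree)
asset=nextcloud/apps/bookmarks/img/bookmarks.svg
first_blocked "$tree" "$asset"      # nextcloud/ blocks first
chmod 755 "$tree/nextcloud/apps"
first_blocked "$tree" "$asset"      # still nextcloud/: one chmod is not enough
chmod o+rx "$tree/nextcloud"
first_blocked "$tree" "$asset"      # no output: the asset is now reachable
rm -rf "$tree"
```

On a real system the equivalent call would be `first_blocked /var/lib nextcloud/apps/bookmarks/img/bookmarks.svg`, run as root.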
Comment by David Runge (dvzrv) - Sunday, 21 February 2021, 18:01 GMT
Please check whether 21.0.0-7 in [community-testing] fixes this for you.
Comment by Luca Weiss (z3ntu) - Sunday, 21 February 2021, 18:06 GMT
I've installed -7 now; pacman didn't complain about any permissions not matching the package (as I've done the chmod before already) and the apps still work, so it looks fine for me.
Comment by David Runge (dvzrv) - Sunday, 21 February 2021, 18:12 GMT
Thanks for testing! :)

btw: If you have any suggestions for https://bugs.archlinux.org/task/69726 I could imagine the reporter would be happy about any pointers!
