Community Packages

Please read this before reporting a bug:
http://wiki.archlinux.org/index.php/Reporting_Bug_Guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#69911 - [nextcloud] user creation and correct permissions set for resources

Attached to Project: Community Packages
Opened by Łukasz Buśko (str0gg) - Monday, 08 March 2021, 06:41 GMT
Last edited by David Runge (dvzrv) - Sunday, 28 March 2021, 10:46 GMT
Task Type Feature Request
Category Packages
Status Closed
Assigned To David Runge (dvzrv)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 8
Private No

Details

Package is missing critical configuration files so we do not need to create user and adjust permissions on every installation.

file
nextcloud.sysuser -> "$pkgdir/usr/lib/sysusers.d/nextcloud.conf"
u nextcloud - - /var/lib/nextcloud

file
nextcloud.tmpfiles -> "$pkgdir/usr/lib/tmpfiles.d/nextcloud.conf"
d /var/lib/nextcloud 0750 nextcloud nextcloud - -
d /usr/share/webapps/nextcloud 0750 nextcloud root - -
d /usr/share/webapps/nextcloud/data 0750 nextcloud nextcloud - -
d /usr/share/webapps/nextcloud/tmp 0750 nextcloud nextcloud - -
d /etc/webapps/nextcloud 0750 nextcloud root - -
This task depends upon

Closed by  David Runge (dvzrv)
Sunday, 28 March 2021, 10:46 GMT
Reason for closing:  Not a bug
Additional comments about closing:  Please read the nextcloud wiki article.
If data is placed correctly and the web application is properly configured, no changes to the file system are required.
Comment by David Runge (dvzrv) - Friday, 26 March 2021, 18:45 GMT
@str0gg: Thanks for the report.

What would be the benefit of assigning a home directory to the nextcloud user though?

The other changes you propose weaken the integrity of /etc/webapps/nextcloud and /usr/share/webapps/nextcloud by giving ownership to the nextcloud user, which effectively enables a defective or compromised app to modify its own core components).

The data directory should be located in /var/lib/nextcloud/data, not in /usr/share/nextcloud/data as the latter neither exists nor should be a writable. This is configurable in the configuration file (see the wiki article: https://wiki.archlinux.org/index.php/Nextcloud#Data_directory).
The mode change of /var/lib/nextcloud does not make much sense, as no private data is located directly below it. The user data is stored below /var/lib/nextcloud/data which has a sufficient mode set to guard against other users accessing it.

What is the directory /usr/share/webapps/nextcloud/tmp used for in your use-case?
Comment by Łukasz Buśko (str0gg) - Saturday, 27 March 2021, 16:43 GMT
For user creation part

Please read https://www.systutorials.com/docs/linux/man/5-sysusers.d/


Its up to package maintainer to setup permissions i pass only proof of concept. What have to be taken care of is that most users whats to have permissions "write" to apps, data and config.

tmp folder is require for some nextcloud apps and operations so its need to be create in directory accessible by nextcloud.

Its really annoying that after each nextcloud update i same as other community members have to adjust permissions. Currently we have forum topic 5 pages long with 3 pages only on permissions issue. What i just propose going to solve it once and for all. If I had pull/merge request instruction i would fix it my self and send for review.
Comment by Bjoern Bidar (Thaodan) - Sunday, 28 March 2021, 04:08 GMT
Apps should never write to /usr/share, nextcloud is broken for requiring this.
Comment by David Runge (dvzrv) - Sunday, 28 March 2021, 10:45 GMT
> Please read https://www.systutorials.com/docs/linux/man/5-sysusers.d/
That did not answer my question as to why the user requires a home directory in this use case.

> What have to be taken care of is that most users whats to have permissions "write" to apps, data and config.
I am not really sure what you mean by that. All of this is already implemented.

> tmp folder is require for some nextcloud apps and operations so its need to be create in directory accessible by nextcloud.
I have not come across that being a requirement and it should definitely not be created below /usr/share/webapps/nextcloud.
Additionally, the general temporary directory used by the application is configurable: https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html#all-other-configuration-options (see the `tempdirectory` parameter for the configuration file).

> Its really annoying that after each nextcloud update i same as other community members have to adjust permissions. Currently we have forum topic 5 pages long with 3 pages only on permissions issue.

I suggest to read the wiki article, especially the configuration section (https://wiki.archlinux.org/index.php/Nextcloud#Configuration) and the troubleshooting section for upgrades from 20.0.x to 21.0.0 (https://wiki.archlinux.org/index.php/Nextcloud#Issues_with_permissions_and_setup_after_upgrade_to_%3E=_21.0.0) and to make sure to also read relevant sections of the upstream documentation, such as installation (https://docs.nextcloud.com/server/latest/admin_manual/installation/index.html) and configuration (https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/index.html) (which partly of course targets a different kind of setup).

> What i just propose going to solve it once and for all. If I had pull/merge request instruction i would fix it my self and send for review.

No. Your changes will in fact not solve *anything* besides fixing your specific use-case, that you refuse to adapt to changes in packaging.

If you would like to continue to change the permissions in your file system after the installation of the package, because you strongly believe that it is necessary, you are of course free to do so.
Please note, that if configured correctly *no changes* to the file system permissions/ownerships are necessary and that the information on where things are supposed to go and how to configure those basic things are all in the wiki article.

Whatever you are trying to achieve is not a supported use-case and I will now close this issue, which seems to be rooted in a user ignoring the documentation and being unwilling to properly configure the web application.

Loading...