Summary: | www/nextcloud pkg installs with wrong permissions | | |
---|---|---|---|
Product: | Ports & Packages | Reporter: | tech-lists |
Component: | Individual Port(s) | Assignee: | Bernard Spil <brnrd> |
Status: | Closed Works As Intended | | |
Severity: | Affects Only Me | CC: | ports |
Priority: | --- | Flags: | bugzilla: maintainer-feedback? (brnrd) |
Version: | Latest | | |
Hardware: | Any | | |
OS: | Any | | |
Description
tech-lists
2019-07-16 12:56:30 UTC
I'm kinda curious about the choice of permissions here. Owncloud seems to work fine with these permissions for me, except for the .htaccess file, which needs to be modified for the htaccess.RewriteBase option in the nextcloud configuration to work properly (as sudo -u www php occ maintenance:update:htaccess can't modify the htaccess file otherwise).

(In reply to tech-lists from comment #0)
Hi zyxst,
What errors are you getting? The port is purposefully set up in this way. Updating via Nextcloud's self-update mechanism is not supported by the port. To allow packaged apps next to apps installed from within Nextcloud, the packaged apps install into a separate apps folder.

(In reply to Sascha Biberhofer from comment #1)
Hi Sascha,
See comments above. Does that satisfy your query? As for .htaccess, the port tries to be very specific about what non-root can modify. If you need to only update htaccess with occ, this will hurt but is only a chmod away. Updates to the pkg probably clobber your changes. I've not had to update .htaccess ever, in what scenarios is this required?

(In reply to Bernard Spil from comment #2)
If ownership is not www:www for everything under nextcloud, some things won't run, most notably occ which runs internal maintenance. Some things occ won't be able to modify because it's a php script running as www:www user:group. I have since solved the issue by doing the following:
1. install nextcloud from the port
2. rename the nextcloud directory to nextcloud-1
3. ran pkg delete nextcloud (to remove nextcloud info from the pkg database)
4. mv nextcloud-1 nextcloud
5. chmod -R www:www nextcloud/
From there on, use nextcloud's own mechanisms for updating itself and its add-ons.

(In reply to Bernard Spil from comment #3)
Thank you for your reply. :D I'm generally fine with this split and the permissions set by the package. Upgrading works fine for me too.
:) The .htaccess access is required if you set 'htaccess.RewriteBase' in your config.php to remove the otherwise omnipresent "index.php" from nextcloud urls, see rewriteBase in [1]. And I am generally fine w/ chown-ing the file prior to running the updater, but it did cause some initial confusion and it needs to be kept in mind on upgrades. I'm not sure if there's a nice(r) way to do this.
[1] https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html

(In reply to tech-lists from comment #4)
I don't really see the point here - if you want to update nextcloud w/o relying on the package manager, why do you want to install nextcloud via the package anyway? I haven't encountered any internal commands that were required for nextcloud that didn't work w/ these permissions, aside from the one I mentioned above.

(In reply to Sascha Biberhofer from comment #6)
Hi,
The initial install via pkg was for convenience, and the presumption that as it's a pkg, it'd be expected to work [1]. Nextcloud itself has a lot of moving parts, development within it is relatively rapid, it has an entire ecosystem, there are a lot of eyes on it. So I'd rather use the tools within it that were developed for it, instead of having them report that they can't function because ownership of either the tool or of what it's trying to modify is wrong, i.e. not uid:gid of the web server, and then having to manually intervene each time an update becomes available. Not having its maintenance tool being able to make the changes it wants is broken behaviour IMO unless there's some overriding reason. I can't see the reason and that's why I raised this ticket.
[1] right place installed, and with correct permissions

I should mention also that I don't understand why: "Updating via Nextcloud's self-update mechanism is not supported by the port." If this was in pkg-message or similar I'd not have raised the ticket.

(In reply to tech-lists from comment #8)
Hi zyxst,
Sorry if this caught you out! I don't think any port uses the shipped auto-upgrade features, that kind of defeats the point of using packages. Running `pkg check` on the package would result in numerous checksum errors. If you want a self-updating version, just untar Nextcloud's tarball and use that.

(In reply to Sascha Biberhofer from comment #6)
Thanks for that heads-up! Makes sense to add this to the port in some way, I'll give it a try. I'm sure I've looked for this feature somewhere in the past, but hadn't found it then.

(In reply to Bernard Spil from comment #9)
Hi Bernard,
My issue was not just about updating. It's maintenance. Because internal maintenance can't do its job if perms are greater than the www id. [1] I get where you're coming from wrt updating, and I agree, and the reason I like to use packages at least initially is because stuff gets installed the FreeBSD way, hopefully avoiding Linuxisms. Would (at least my issue) be fixed if nextcloud as a pkg updated, setting file perms in the dir it modifies (/usr/local/www/nextcloud) as www:www? [2]
[1] I'm not qualified enough to determine *all* of what occ modifies, only to say that it modifies a lot of things in operations that to the end user would appear routine, or invisible.
[2] why is anything under /usr/local/www not www:www? Is there a technical reason?

(In reply to tech-lists from comment #10)
Out of curiosity: *Which* occ commands fail for you? Because aside from the single htaccess hiccup I've described above, the various occ subcommands I've used up to now have worked fine for me. I really like Bernard's approach on this one and would like to see it kept that way. Depending on the specific occ subcommand there may be a way to incorporate this without giving nextcloud a carte blanche here.

Hi,
I don't remember exactly as I first reported then worked around the issue back in July. It was something to do with a mysql table IIRC.
It might not have exclusively been that. But why isn't everything under /usr/local/www owned by www:www anyway? The issue goes away if that's the case. Why does the pkg system install some nextcloud stuff root:wheel? Why doesn't it install it as www:www as everything installed is in /usr/local/www?

Anyway, here's a list of occ commands. Whatever command I ran, it tried to modify something with root:wheel perms, and failed.

    www@cloud:/usr/local/www/nextcloud % php occ list
    Nextcloud 17.0.1

    Usage:
      command [options] [arguments]

    Options:
      -h, --help  Display this help message
      -q, --quiet  Do not output any message
      -V, --version  Display this application version
      --ansi  Force ANSI output
      --no-ansi  Disable ANSI output
      -n, --no-interaction  Do not ask any interactive question
      --no-warnings  Skip global warnings, show command output only
      -v|vv|vvv, --verbose  Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug

    Available commands:
      check  check dependencies of the server environment
      help  Displays help for a command
      list  Lists commands
      status  show some status information
      upgrade  run upgrade routines after installation of a new release. The release has to be installed before.
     activity
      activity:send-mails  Sends the activity notification mails
     app
      app:check-code  check code to be compliant
      app:disable  disable an app
      app:enable  enable an app
      app:getpath  Get an absolute path to the app directory
      app:install  install an app
      app:list  List all available apps
      app:remove  remove an app
      app:update  update an app or all apps
     audioplayer
      audioplayer:reset  reset audio player library
      audioplayer:scan  scan for new audio files; use -v for debugging
     background
      background:ajax  Use ajax to run background jobs
      background:cron  Use cron to run background jobs
      background:webcron  Use webcron to run background jobs
     config
      config:app:delete  Delete an app config value
      config:app:get  Get an app config value
      config:app:set  Set an app config value
      config:import  Import a list of configs
      config:list  List all configs
      config:system:delete  Delete a system config value
      config:system:get  Get a system config value
      config:system:set  Set a system config value
     dav
      dav:create-addressbook  Create a dav addressbook
      dav:create-calendar  Create a dav calendar
      dav:list-calendars  List all calendars of a user
      dav:move-calendar  Move a calendar from an user to another
      dav:remove-invalid-shares  Remove invalid dav shares
      dav:send-event-reminders  Sends event reminders
      dav:sync-birthday-calendar  Synchronizes the birthday calendar
      dav:sync-system-addressbook  Synchronizes users to the system addressbook
     db
      db:add-missing-indices  Add missing indices to the database tables
      db:convert-filecache-bigint  Convert the ID columns of the filecache to BigInt
      db:convert-mysql-charset  Convert charset of MySQL/MariaDB to use utf8mb4
      db:convert-type  Convert the Nextcloud database to the newly configured one
     encryption
      encryption:change-key-storage-root  Change key storage root
      encryption:decrypt-all  Disable server-side encryption and decrypt all files
      encryption:disable  Disable encryption
      encryption:enable  Enable encryption
      encryption:encrypt-all  Encrypt all files for all users
      encryption:list-modules  List all available encryption modules
      encryption:set-default-module  Set the encryption default module
      encryption:show-key-storage-root  Show current key storage root
      encryption:status  Lists the current status of encryption
     federation
      federation:sync-addressbooks  Synchronizes addressbooks of all federated clouds
     files
      files:cleanup  cleanup filecache
      files:recommendations:recommend
      files:scan  rescan filesystem
      files:scan-app-data  rescan the AppData folder
      files:transfer-ownership  All files and folders are moved to another user - shares are moved as well.
     group
      group:add  Add a group
      group:adduser  add a user to a group
      group:delete  Remove a group
      group:list  list configured groups
      group:removeuser  remove a user from a group
     groupfolders
      groupfolders:create  Create a new group folder
      groupfolders:delete  Delete group folder
      groupfolders:expire  Trigger expiry of versions for files stored in group folders
      groupfolders:group  Edit the groups that have access to a group folder
      groupfolders:list  List the configured group folders
      groupfolders:permissions  Configure advanced permissions for a configured group folder
      groupfolders:quota  Edit the quota of a configured group folder
      groupfolders:rename  Rename group folder
      groupfolders:scan  Scan a group folder for outside changes
     integrity
      integrity:check-app  Check integrity of an app using a signature.
      integrity:check-core  Check integrity of core code using a signature.
      integrity:sign-app  Signs an app using a private key.
      integrity:sign-core  Sign core using a private key.
     l10n
      l10n:createjs  Create javascript translation files for a given app
     ldap
      ldap:check-user  checks whether a user exists on LDAP.
      ldap:create-empty-config  creates an empty LDAP configuration
      ldap:delete-config  deletes an existing LDAP configuration
      ldap:search  executes a user or group search
      ldap:set-config  modifies an LDAP configuration
      ldap:show-config  shows the LDAP configuration
      ldap:show-remnants  shows which users are not available on LDAP anymore, but have remnants in Nextcloud.
      ldap:test-config  tests an LDAP configuration
     log
      log:file  manipulate logging backend
      log:manage  manage logging configuration
      log:tail  Tail the nextcloud logfile
      log:watch  Watch the nextcloud logfile
     mail
      mail:account:create  creates IMAP account
      mail:account:export  Exports a user's IMAP account(s)
     maintenance
      maintenance:data-fingerprint  update the systems data-fingerprint after a backup is restored
      maintenance:mimetype:update-db  Update database mimetypes and update filecache
      maintenance:mimetype:update-js  Update mimetypelist.js
      maintenance:mode  set maintenance mode
      maintenance:repair  repair this installation
      maintenance:theme:update  Apply custom theme changes
      maintenance:update:htaccess  Updates the .htaccess file
     maps
      maps:scan-photos  Rescan photos GPS exif data
      maps:scan-tracks  Rescan track files
     migrations
      migrations:execute  Execute a single migration version manually.
      migrations:generate
      migrations:generate-from-schema
      migrations:migrate  Execute a migration to a specified version or the latest available version.
      migrations:status  View the status of a set of migrations.
     music
      music:cleanup  clean up orphaned DB entries (this happens also periodically on the background)
      music:reset-cache  drop data cached by the music app for performance reasons
      music:reset-database  drop metadata indexed by the music app (artists, albums, tracks, playlists)
      music:scan  scan and index any unindexed audio files
     notification
      notification:generate  Generate a notification for the given user
     security
      security:certificates  list trusted certificates
      security:certificates:import  import trusted certificate
      security:certificates:remove  remove trusted certificate
     sharing
      sharing:cleanup-remote-storages  Cleanup shared storage entries that have no matching entry in the shares_external table
     trashbin
      trashbin:cleanup  Remove deleted files
      trashbin:expire  Expires the users trashbin
     twofactorauth
      twofactorauth:cleanup  Clean up the two-factor user-provider association of an uninstalled/removed provider
      twofactorauth:disable  Disable two-factor authentication for a user
      twofactorauth:enable  Enable two-factor authentication for a user
      twofactorauth:enforce  Enabled/disable enforced two-factor authentication
      twofactorauth:state  Get the two-factor authentication (2FA) state of a user
     update
      update:check  Check for server and app updates
     usage-report
      usage-report:generate  Prints a CVS entry with some usage information of the user:
                             userId,date,assignedQuota,usedQuota,numFiles,numShares,numUploads,numDownloads
                             "admin","2017-09-18T09:00:01+00:00",5368709120,786432000,1024,23,1400,5678
     user
      user:add  adds a user
      user:delete  deletes the specified user
      user:disable  disables the specified user
      user:enable  enables the specified user
      user:info  show user info
      user:lastseen  shows when the user was logged in last time
      user:list  list configured users
      user:report  shows how many users have access
      user:resetpassword  Resets the password of the named user
      user:setting  Read and modify user settings
     versions
      versions:cleanup  Delete versions
      versions:expire  Expires the users file versions
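
An added example, not part of the bug report and not code from the port: a small audit that lists which paths under an install tree a given uid and group set can write, which is one way to check what "non-root can modify" after a package upgrade or a manual ownership change. The sample tree, its modes, the allowlist and all function names are constructed for illustration and are not the port's actual file list.

```python
import os
import stat
import tempfile

def can_write(st, uid, gids):
    """POSIX class rule: owner bits if uid owns the entry, else group, else other."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def writable_paths(root, uid, gids):
    """Sorted paths (relative to root) that uid/gids may write; symlinks skipped."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISLNK(st.st_mode) and can_write(st, uid, gids):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)

def unexpected(root, uid, gids, allowed):
    """Writable paths that are neither an allowed entry nor below one."""
    def covered(path):
        return any(path == a or path.startswith(a + os.sep) for a in allowed)
    return [p for p in writable_paths(root, uid, gids) if not covered(p)]

def build_sample_tree():
    """Constructed stand-in for an install tree; modes chosen for the demo."""
    root = tempfile.mkdtemp(prefix="nc-audit-")
    layout = [("config", None, 0o770), ("data", None, 0o770), ("lib", None, 0o755),
              ("config/config.php", "", 0o660), ("lib/base.php", "", 0o644),
              (".htaccess", "", 0o644), ("index.php", "", 0o644)]
    for rel, content, mode in layout:
        full = os.path.join(root, rel)
        if content is None:
            os.mkdir(full)
        else:
            with open(full, "w") as fh:
                fh.write(content)
        os.chmod(full, mode)  # explicit chmod so the umask does not matter
    return root

if __name__ == "__main__":
    tree = build_sample_tree()
    st = os.lstat(os.path.join(tree, "config"))
    # Hypothetical web-server identity: not the owner, but in the files' group.
    print(unexpected(tree, st.st_uid + 1, {st.st_gid}, ["config", "data"]))
```

A writable directory is reported even when the files inside it are read-only, because write access to a directory allows its entries to be replaced.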