Bug 239249

Summary: www/nextcloud pkg installs with wrong permissions
Product: Ports & Packages Reporter: tech-lists
Component: Individual Port(s)Assignee: Bernard Spil <brnrd>
Status: Closed Works As Intended    
Severity: Affects Only Me CC: ports
Priority: --- Flags: bugzilla: maintainer-feedback? (brnrd)
Version: Latest   
Hardware: Any   
OS: Any   

Description tech-lists 2019-07-16 12:56:30 UTC 
Hello,

If nextcloud is installed from the pkg repo, it installs into /usr/local/www/nextcloud. The ownership of files in this directory as installed is wrong. Some files are root:www. In order for nextcloud to function correctly, owner needs to be set to www.

here is ownership when pkg installs it:

 # ls -lah nextcloud/
total 168
drwxr-xr-x  16 www   www     1.5K Jul 16 13:38 .
drwxr-xr-x   6 root  wheel   512B Jul 16 13:35 ..
-rw-r--r--   1 root  www     2.3K Jul  4 08:17 .htaccess
-rw-rw-r--   1 www   www     101B Jul  4 08:17 .user.ini
drwxr-xr-x  32 www   www     1.0K Jul 16 13:38 3rdparty
-rw-r--r--   1 root  wheel    12K Jul  4 08:17 AUTHORS
-rw-r--r--   1 root  wheel    34K Jul  4 08:17 COPYING
drwxr-xr-x   2 www   www     512B Jul 14 02:28 apps
drwxr-xr-x  42 root  wheel   1.0K Jul  4 08:18 apps-pkg
drwxr-xr-x   2 www   www     512B Jul 16 13:38 config
-rw-r--r--   1 root  wheel   3.7K Jul  4 08:17 console.php
drwxr-xr-x  23 www   www     1.0K Jul 16 13:38 core
-rw-r--r--   1 root  wheel   4.9K Jul  4 08:17 cron.php
drwxr-xr-x   2 www   www     512B Jul 14 02:28 data
-rw-r--r--   1 root  wheel   156B Jul  4 08:17 index.html
-rw-r--r--   1 root  wheel   3.1K Jul  4 08:17 index.php
drwxr-xr-x   6 www   www     512B Jul 16 13:38 lib
-rw-r--r--   1 root  wheel   283B Jul  4 08:17 occ
drwxr-xr-x   2 www   www     512B Jul 16 13:38 ocm-provider
drwxr-xr-x   2 www   www     512B Jul 16 13:38 ocs
drwxr-xr-x   2 www   www     512B Jul 16 13:38 ocs-provider
-rw-r--r--   1 root  wheel   2.9K Jul  4 08:17 public.php
-rw-r--r--   1 root  wheel   5.0K Jul  4 08:17 remote.php
drwxr-xr-x   4 www   www     512B Jul 16 13:38 resources
-rw-r--r--   1 root  wheel    26B Jul  4 08:17 robots.txt
drwxr-xr-x  12 www   www     512B Jul 16 13:38 settings
-rw-r--r--   1 root  wheel   2.2K Jul  4 08:17 status.php
drwxr-xr-x   3 www   www     512B Jul 16 13:38 themes
drwxr-xr-x   2 www   www     512B Jul 16 13:38 updater
-rw-r--r--   1 root  wheel   362B Jul  4 08:21 version.php

One has to chown -R www:www /usr/local/www/nextcloud in order to get it working properly. Nextcloud has the requirement of the occ command having to be run as user www or it will error.
Comment 1 Sascha Biberhofer 2019-12-01 13:29:51 UTC 
I'm kinda curious about the choice of permissions here. Owncloud seems to work fine with these permissions for me, except for the .htaccess file, which needs to be modified for the htaccess.RewriteBase option in the nextcloud configuration to work properly (as sudo -u www php occ maintenance:update:htacces can't modify the htaccess file otherwise).
Comment 2 Bernard Spil freebsd_committer freebsd_triage 2019-12-01 13:59:15 UTC 
(In reply to tech-lists from comment #0)

Hi zyxst,

What errors are you getting?

The port is purposefully set up in this way. Updating via Nextcloud's self-update mechanism is not supported by the port. To allow packaged apps next to apps installed from within Nextcloud, the packaged apps install into a separate apps folder.
Comment 3 Bernard Spil freebsd_committer freebsd_triage 2019-12-01 14:06:16 UTC 
(In reply to Sascha Biberhofer from comment #1)

Hi Sascha,

See comments above. Does that satisfy your query?

As for .htaccess, the port tries to be very specific about what non-root can modify. If you need to only update htaccess with occ, this will hurt but is only a chmod away. Updates to the pkg probably clobber your changes.
I've not had to update .htaccess ever, in what scenarios is this required?
Comment 4 tech-lists 2019-12-01 14:19:02 UTC 
(In reply to Bernard Spil from comment #2)

If ownership is not www:www for everything under nextcloud, some things won't 
run, most notably occ which runs internal maintenance. Some things occ won't 
be able to modify because it's a php script running as www:www user:group. 
I have since solved the issue by doing the following:

1. install nextcloud from the port
2. rename the nextcloud directory to nextcloud-1
3. ran pkg delete nextcloud (to remove nextcloud info from the pkg database)
4. mv nextcloud-1 nextcloud
5. chmod -R www:www nextcloud/

from there on, use nextclouds' own mechanisms for updating itself and its add-ons.
Comment 5 Sascha Biberhofer 2019-12-01 14:30:06 UTC 
(In reply to Bernard Spil from comment #3)
Thank you for your reply. :D I'm generally fine with this split and the permissions set by the package. Upgrading works fine for me too. :)

The .htaccess access is required if you set 'htaccess.RewriteBase' in your config.php to remove the otherwise omnipresent "index.php" from nextcloud urls, see rewriteBase in [1]. And I am generally fine w/ chown-ing the file prior to running the updater, but it did cause some initial confusion and it needs to be kept in mind on upgrades. I'm not sure if there's a nice(r) way to do this. 

[1] https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html
Comment 6 Sascha Biberhofer 2019-12-01 14:31:41 UTC 
(In reply to tech-lists from comment #4)
I don't really see the point here - if you want to update nextcloud w/o relying on the packagemanager, why do you want to install nextcloud via the package anyway? I haven't encountered any internal commands that were required for nextcloud that didn't work w/ these permissions, aside from the one I mentioned above.
Comment 7 tech-lists 2019-12-01 14:59:05 UTC 
(In reply to Sascha Biberhofer from comment #6)

Hi,

The initial install was via pkg is for convenience, and the presumption that as it's a pkg, it'd be expected to work [1]

Nextcloud itself has a lot of moving parts, development within it is relatively rapid, it has an entire ecosystem, there are a lot of eyes on it. So I'd rather use the tools within it that were developed for it, instead of having them report that they can't function because ownership of either the tool or of what it's trying to modify is wrong, i.e not uid:gid of the web server, and then having to manually intervene each time an update becomes available. 

Not having its maintenance tool being able to make the changes it wants is broken behaviour IMO unless there's some overriding reason. I can't see the reason and that's why I raised this ticket.

[1] right place installed, and with correct permissions
Comment 8 tech-lists 2019-12-01 15:08:31 UTC 
I should mention also that I don't understand why:

"Updating via Nextcloud's self-update mechanism is not supported by the port."

If this was in pkg-message or similar I'd not have raised the ticket.
Comment 9 Bernard Spil freebsd_committer freebsd_triage 2019-12-01 15:26:57 UTC 
(In reply to tech-lists from comment #8)

Hi zyxst,

Sorry if this caught you out! I don't think any port uses the shipped auto-upgrade features, that kind of defeats the point of using packages. Running `pkg check` on the package would result in numerous checksum-errors.
If you want a self-updating version, just untar Nextcloud's tarball and use that.

(In reply to Sascha Biberhofer from comment #6)

Thanks for that heads-up! Makes sense to add this to the port in some way, I'll give it a try. I'm sure I've looked for this feature somewhere in the past, but hadn't found it then.
Comment 10 tech-lists 2019-12-01 16:16:29 UTC 
(In reply to Bernard Spil from comment #9)

Hi Bernard,

My issue was not just about updating. It's maintenance. Because internal maintencance can't do its job if perms are greater than the www id. [1]

I get where you're coming from wrt updating, and I agree, and the reason I like to use packages at least initially is because stuff gets installed the FreeBSD way, hopefully avoiding Linuxisms.

Would (at least my issue) be fixed if nextcloud as a pkg updated, setting file perms in the dir it modifies (/usr/local/www/nextcloud) as www:www ? [2]

[1] I'm not qualified enough to determine *all* of what occ modifies, only to say that it modifies a lot of things in operations that to the end user would appear routine, or invisible. 

[2] why is anything under /usr/local/www not www:www ? Is there a technical reason?
Comment 11 Sascha Biberhofer 2019-12-01 17:31:37 UTC 
(In reply to tech-lists from comment #10)
Out of curiosity: *Which* occ commands fail for you? Because aside from the single htaccess hickup I've described above, the various occ subcommands I've used up to now have worked fine for me.

I really like Bernard's approach no this one and would like to see it kept that way. Depending on the specific occ subcommand there may be a way to incorporate this without giving nextcloud a carte blanche here.
Comment 12 tech-lists 2019-12-01 18:01:38 UTC 
Hi,

I don't remember exactly as I first reported then worked around the issue back in July. It was something to do with a mysql table IIRC. It might not have exclusively been that. But why isn't everything under /usr/local/www owned by www:www anyway? The issue goes away if that's the case. Why does the pkg system install some nextcloud stuff root:wheel ? Why doesn't it install it as www:www as everything installed is in /usr/local/www ?

anyway, here's a list of occ commands. Whatever command I ran, it tried to modify something with root:wheel perms, and failed.

www@cloud:/usr/local/www/nextcloud % php occ list
Nextcloud 17.0.1

Usage:
  command [options] [arguments]

Options:
  -h, --help            Display this help message
  -q, --quiet           Do not output any message
  -V, --version         Display this application version
      --ansi            Force ANSI output
      --no-ansi         Disable ANSI output
  -n, --no-interaction  Do not ask any interactive question
      --no-warnings     Skip global warnings, show command output only
  -v|vv|vvv, --verbose  Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug

Available commands:
  check                               check dependencies of the server environment
  help                                Displays help for a command
  list                                Lists commands
  status                              show some status information
  upgrade                             run upgrade routines after installation of a new release. The release has to be installed before.
 activity
  activity:send-mails                 Sends the activity notification mails
 app
  app:check-code                      check code to be compliant
  app:disable                         disable an app
  app:enable                          enable an app
  app:getpath                         Get an absolute path to the app directory
  app:install                         install an app
  app:list                            List all available apps
  app:remove                          remove an app
  app:update                          update an app or all apps
 audioplayer
  audioplayer:reset                   reset audio player library
  audioplayer:scan                    scan for new audio files; use -v for debugging
 background
  background:ajax                     Use ajax to run background jobs
  background:cron                     Use cron to run background jobs
  background:webcron                  Use webcron to run background jobs
 config
  config:app:delete                   Delete an app config value
  config:app:get                      Get an app config value
  config:app:set                      Set an app config value
  config:import                       Import a list of configs
  config:list                         List all configs
  config:system:delete                Delete a system config value
  config:system:get                   Get a system config value
  config:system:set                   Set a system config value
 dav
  dav:create-addressbook              Create a dav addressbook
  dav:create-calendar                 Create a dav calendar
  dav:list-calendars                  List all calendars of a user
  dav:move-calendar                   Move a calendar from an user to another
  dav:remove-invalid-shares           Remove invalid dav shares
  dav:send-event-reminders            Sends event reminders
  dav:sync-birthday-calendar          Synchronizes the birthday calendar
  dav:sync-system-addressbook         Synchronizes users to the system addressbook
 db
  db:add-missing-indices              Add missing indices to the database tables
  db:convert-filecache-bigint         Convert the ID columns of the filecache to BigInt
  db:convert-mysql-charset            Convert charset of MySQL/MariaDB to use utf8mb4
  db:convert-type                     Convert the Nextcloud database to the newly configured one
 encryption
  encryption:change-key-storage-root  Change key storage root
  encryption:decrypt-all              Disable server-side encryption and decrypt all files
  encryption:disable                  Disable encryption
  encryption:enable                   Enable encryption
  encryption:encrypt-all              Encrypt all files for all users
  encryption:list-modules             List all available encryption modules
  encryption:set-default-module       Set the encryption default module
  encryption:show-key-storage-root    Show current key storage root
  encryption:status                   Lists the current status of encryption
 federation
  federation:sync-addressbooks        Synchronizes addressbooks of all federated clouds
 files
  files:cleanup                       cleanup filecache
  files:recommendations:recommend     
  files:scan                          rescan filesystem
  files:scan-app-data                 rescan the AppData folder
  files:transfer-ownership            All files and folders are moved to another user - shares are moved as well.
 group
  group:add                           Add a group
  group:adduser                       add a user to a group
  group:delete                        Remove a group
  group:list                          list configured groups
  group:removeuser                    remove a user from a group
 groupfolders
  groupfolders:create                 Create a new group folder
  groupfolders:delete                 Delete group folder
  groupfolders:expire                 Trigger expiry of versions for files stored in group folders
  groupfolders:group                  Edit the groups that have access to a group folder
  groupfolders:list                   List the configured group folders
  groupfolders:permissions            Configure advanced permissions for a configured group folder
  groupfolders:quota                  Edit the quota of a configured group folder
  groupfolders:rename                 Rename group folder
  groupfolders:scan                   Scan a group folder for outside changes
 integrity
  integrity:check-app                 Check integrity of an app using a signature.
  integrity:check-core                Check integrity of core code using a signature.
  integrity:sign-app                  Signs an app using a private key.
  integrity:sign-core                 Sign core using a private key.
 l10n
  l10n:createjs                       Create javascript translation files for a given app
 ldap
  ldap:check-user                     checks whether a user exists on LDAP.
  ldap:create-empty-config            creates an empty LDAP configuration
  ldap:delete-config                  deletes an existing LDAP configuration
  ldap:search                         executes a user or group search
  ldap:set-config                     modifies an LDAP configuration
  ldap:show-config                    shows the LDAP configuration
  ldap:show-remnants                  shows which users are not available on LDAP anymore, but have remnants in Nextcloud.
  ldap:test-config                    tests an LDAP configuration
 log
  log:file                            manipulate logging backend
  log:manage                          manage logging configuration
  log:tail                            Tail the nextcloud logfile
  log:watch                           Watch the nextcloud logfile
 mail
  mail:account:create                 creates IMAP account
  mail:account:export                 Exports a user's IMAP account(s)
 maintenance
  maintenance:data-fingerprint        update the systems data-fingerprint after a backup is restored
  maintenance:mimetype:update-db      Update database mimetypes and update filecache
  maintenance:mimetype:update-js      Update mimetypelist.js
  maintenance:mode                    set maintenance mode
  maintenance:repair                  repair this installation
  maintenance:theme:update            Apply custom theme changes
  maintenance:update:htaccess         Updates the .htaccess file
 maps
  maps:scan-photos                    Rescan photos GPS exif data
  maps:scan-tracks                    Rescan track files
 migrations
  migrations:execute                  Execute a single migration version manually.
  migrations:generate                 
  migrations:generate-from-schema     
  migrations:migrate                  Execute a migration to a specified version or the latest available version.
  migrations:status                   View the status of a set of migrations.
 music
  music:cleanup                       clean up orphaned DB entries (this happens also periodically on the background)
  music:reset-cache                   drop data cached by the music app for performance reasons
  music:reset-database                drop metadata indexed by the music app (artists, albums, tracks, playlists)
  music:scan                          scan and index any unindexed audio files
 notification
  notification:generate               Generate a notification for the given user
 security
  security:certificates               list trusted certificates
  security:certificates:import        import trusted certificate
  security:certificates:remove        remove trusted certificate
 sharing
  sharing:cleanup-remote-storages     Cleanup shared storage entries that have no matching entry in the shares_external table
 trashbin
  trashbin:cleanup                    Remove deleted files
  trashbin:expire                     Expires the users trashbin
 twofactorauth
  twofactorauth:cleanup               Clean up the two-factor user-provider association of an uninstalled/removed provider
  twofactorauth:disable               Disable two-factor authentication for a user
  twofactorauth:enable                Enable two-factor authentication for a user
  twofactorauth:enforce               Enabled/disable enforced two-factor authentication
  twofactorauth:state                 Get the two-factor authentication (2FA) state of a user
 update
  update:check                        Check for server and app updates
 usage-report
  usage-report:generate               Prints a CVS entry with some usage information of the user:
userId,date,assignedQuota,usedQuota,numFiles,numShares,numUploads,numDownloads
"admin","2017-09-18T09:00:01+00:00",5368709120,786432000,1024,23,1400,5678
 user
  user:add                            adds a user
  user:delete                         deletes the specified user
  user:disable                        disables the specified user
  user:enable                         enables the specified user
  user:info                           show user info
  user:lastseen                       shows when the user was logged in last time
  user:list                           list configured users
  user:report                         shows how many users have access
  user:resetpassword                  Resets the password of the named user
  user:setting                        Read and modify user settings
 versions
  versions:cleanup                    Delete versions
  versions:expire                     Expires the users file versions