If nextcloud is installed from the pkg repo, it installs into /usr/local/www/nextcloud. The ownership of files in this directory as installed is wrong. Some files are root:www. In order for nextcloud to function correctly, owner needs to be set to www.
Here is the ownership when pkg installs it:
# ls -lah nextcloud/
drwxr-xr-x 16 www www 1.5K Jul 16 13:38 .
drwxr-xr-x 6 root wheel 512B Jul 16 13:35 ..
-rw-r--r-- 1 root www 2.3K Jul 4 08:17 .htaccess
-rw-rw-r-- 1 www www 101B Jul 4 08:17 .user.ini
drwxr-xr-x 32 www www 1.0K Jul 16 13:38 3rdparty
-rw-r--r-- 1 root wheel 12K Jul 4 08:17 AUTHORS
-rw-r--r-- 1 root wheel 34K Jul 4 08:17 COPYING
drwxr-xr-x 2 www www 512B Jul 14 02:28 apps
drwxr-xr-x 42 root wheel 1.0K Jul 4 08:18 apps-pkg
drwxr-xr-x 2 www www 512B Jul 16 13:38 config
-rw-r--r-- 1 root wheel 3.7K Jul 4 08:17 console.php
drwxr-xr-x 23 www www 1.0K Jul 16 13:38 core
-rw-r--r-- 1 root wheel 4.9K Jul 4 08:17 cron.php
drwxr-xr-x 2 www www 512B Jul 14 02:28 data
-rw-r--r-- 1 root wheel 156B Jul 4 08:17 index.html
-rw-r--r-- 1 root wheel 3.1K Jul 4 08:17 index.php
drwxr-xr-x 6 www www 512B Jul 16 13:38 lib
-rw-r--r-- 1 root wheel 283B Jul 4 08:17 occ
drwxr-xr-x 2 www www 512B Jul 16 13:38 ocm-provider
drwxr-xr-x 2 www www 512B Jul 16 13:38 ocs
drwxr-xr-x 2 www www 512B Jul 16 13:38 ocs-provider
-rw-r--r-- 1 root wheel 2.9K Jul 4 08:17 public.php
-rw-r--r-- 1 root wheel 5.0K Jul 4 08:17 remote.php
drwxr-xr-x 4 www www 512B Jul 16 13:38 resources
-rw-r--r-- 1 root wheel 26B Jul 4 08:17 robots.txt
drwxr-xr-x 12 www www 512B Jul 16 13:38 settings
-rw-r--r-- 1 root wheel 2.2K Jul 4 08:17 status.php
drwxr-xr-x 3 www www 512B Jul 16 13:38 themes
drwxr-xr-x 2 www www 512B Jul 16 13:38 updater
-rw-r--r-- 1 root wheel 362B Jul 4 08:21 version.php
One has to chown -R www:www /usr/local/www/nextcloud in order to get it working properly. Nextcloud has the requirement of the occ command having to be run as user www or it will error.
I'm kinda curious about the choice of permissions here. Owncloud seems to work fine with these permissions for me, except for the .htaccess file, which needs to be modified for the htaccess.RewriteBase option in the nextcloud configuration to work properly (as sudo -u www php occ maintenance:update:htaccess can't modify the htaccess file otherwise).
(In reply to tech-lists from comment #0)
What errors are you getting?
The port is purposefully set up in this way. Updating via Nextcloud's self-update mechanism is not supported by the port. To allow packaged apps next to apps installed from within Nextcloud, the packaged apps install into a separate apps folder.
(In reply to Sascha Biberhofer from comment #1)
See comments above. Does that satisfy your query?
As for .htaccess, the port tries to be very specific about what non-root can modify. If you need to only update htaccess with occ, this will hurt but is only a chmod away. Updates to the pkg probably clobber your changes.
I've not had to update .htaccess ever, in what scenarios is this required?
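As an added example (not part of the original thread or of the port), one way to see exactly what the web server account can modify under the ownership split discussed above: the sh functions below list every path under a directory that a given user owns or that is group- or world-writable, then narrow that to PHP code and server config files. The function names are hypothetical; the path and the www user and group in the usage comment are the ones from this thread.

```shell
#!/bin/sh
# Added example: audit which paths under a web root the web server
# account can modify. Function names are hypothetical.
#
# Usage on the install discussed in this thread:
#   web_writable_code /usr/local/www/nextcloud www www

# web_writable DIR USER GROUP
# Prints "<reason><TAB><path>" for every non-symlink path that USER can
# change: USER owns it (an owner can always chmod it writable), GROUP has
# the write bit on it, or it is world-writable. First matching reason wins.
web_writable() {
    dir=$1; user=$2; group=$3
    find "$dir" ! -type l \( \
        -user "$user" -exec printf 'owner\t%s\n' {} + \
        -o -group "$group" -perm -020 -exec printf 'group-write\t%s\n' {} + \
        -o -perm -002 -exec printf 'world-write\t%s\n' {} + \
    \) | sort
}

# web_writable_code DIR USER GROUP
# Same listing, restricted to files the web server executes or obeys:
# PHP scripts, the occ entry point, .htaccess and .user.ini.
web_writable_code() {
    web_writable "$@" |
        grep -E '(\.php|/occ|/\.htaccess|/\.user\.ini)$' || true
}
```

Run before and after a recursive chown, the second function shows how many executable files moved from root-owned to writable by the web server account.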
(In reply to Bernard Spil from comment #2)
If ownership is not www:www for everything under nextcloud, some things won't
run, most notably occ which runs internal maintenance. Some things occ won't
be able to modify because it's a php script running as www:www user:group.
I have since solved the issue by doing the following:
1. install nextcloud from the port
2. rename the nextcloud directory to nextcloud-1
3. ran pkg delete nextcloud (to remove nextcloud info from the pkg database)
4. mv nextcloud-1 nextcloud
5. chown -R www:www nextcloud/
From there on, use Nextcloud's own mechanisms for updating itself and its add-ons.
(In reply to Bernard Spil from comment #3)
Thank you for your reply. :D I'm generally fine with this split and the permissions set by the package. Upgrading works fine for me too. :)
The .htaccess access is required if you set 'htaccess.RewriteBase' in your config.php to remove the otherwise omnipresent "index.php" from nextcloud urls, see rewriteBase in . And I am generally fine w/ chown-ing the file prior to running the updater, but it did cause some initial confusion and it needs to be kept in mind on upgrades. I'm not sure if there's a nice(r) way to do this.
(In reply to tech-lists from comment #4)
I don't really see the point here - if you want to update nextcloud w/o relying on the packagemanager, why do you want to install nextcloud via the package anyway? I haven't encountered any internal commands that were required for nextcloud that didn't work w/ these permissions, aside from the one I mentioned above.
(In reply to Sascha Biberhofer from comment #6)
The initial install via pkg was for convenience, and the presumption that as it's a pkg, it'd be expected to work 
Nextcloud itself has a lot of moving parts, development within it is relatively rapid, it has an entire ecosystem, there are a lot of eyes on it. So I'd rather use the tools within it that were developed for it, instead of having them report that they can't function because ownership of either the tool or of what it's trying to modify is wrong, i.e. not uid:gid of the web server, and then having to manually intervene each time an update becomes available.
Not having its maintenance tool being able to make the changes it wants is broken behaviour IMO unless there's some overriding reason. I can't see the reason and that's why I raised this ticket.
 right place installed, and with correct permissions
I should mention also that I don't understand why:
"Updating via Nextcloud's self-update mechanism is not supported by the port."
If this was in pkg-message or similar I'd not have raised the ticket.
(In reply to tech-lists from comment #8)
Sorry if this caught you out! I don't think any port uses the shipped auto-upgrade features, that kind of defeats the point of using packages. Running `pkg check` on the package would result in numerous checksum-errors.
If you want a self-updating version, just untar Nextcloud's tarball and use that.
(In reply to Sascha Biberhofer from comment #6)
Thanks for that heads-up! Makes sense to add this to the port in some way, I'll give it a try. I'm sure I've looked for this feature somewhere in the past, but hadn't found it then.
(In reply to Bernard Spil from comment #9)
My issue was not just about updating. It's maintenance. Because internal maintenance can't do its job if perms are greater than the www id.
I get where you're coming from wrt updating, and I agree, and the reason I like to use packages at least initially is because stuff gets installed the FreeBSD way, hopefully avoiding Linuxisms.
Would (at least my issue) be fixed if nextcloud as a pkg updated, setting file perms in the dir it modifies (/usr/local/www/nextcloud) as www:www ? 
 I'm not qualified enough to determine *all* of what occ modifies, only to say that it modifies a lot of things in operations that to the end user would appear routine, or invisible.
 why is anything under /usr/local/www not www:www ? Is there a technical reason?
(In reply to tech-lists from comment #10)
Out of curiosity: *Which* occ commands fail for you? Because aside from the single htaccess hiccup I've described above, the various occ subcommands I've used up to now have worked fine for me.
I really like Bernard's approach on this one and would like to see it kept that way. Depending on the specific occ subcommand there may be a way to incorporate this without giving nextcloud a carte blanche here.
I don't remember exactly as I first reported then worked around the issue back in July. It was something to do with a mysql table IIRC. It might not have exclusively been that. But why isn't everything under /usr/local/www owned by www:www anyway? The issue goes away if that's the case. Why does the pkg system install some nextcloud stuff root:wheel ? Why doesn't it install it as www:www as everything installed is in /usr/local/www ?
Anyway, here's a list of occ commands. Whatever command I ran, it tried to modify something with root:wheel perms, and failed.
www@cloud:/usr/local/www/nextcloud % php occ list
command [options] [arguments]
-h, --help Display this help message
-q, --quiet Do not output any message
-V, --version Display this application version
--ansi Force ANSI output
--no-ansi Disable ANSI output
-n, --no-interaction Do not ask any interactive question
--no-warnings Skip global warnings, show command output only
-v|vv|vvv, --verbose Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug
check check dependencies of the server environment
help Displays help for a command
list Lists commands
status show some status information
upgrade run upgrade routines after installation of a new release. The release has to be installed before.
activity:send-mails Sends the activity notification mails
app:check-code check code to be compliant
app:disable disable an app
app:enable enable an app
app:getpath Get an absolute path to the app directory
app:install install an app
app:list List all available apps
app:remove remove an app
app:update update an app or all apps
audioplayer:reset reset audio player library
audioplayer:scan scan for new audio files; use -v for debugging
background:ajax Use ajax to run background jobs
background:cron Use cron to run background jobs
background:webcron Use webcron to run background jobs
config:app:delete Delete an app config value
config:app:get Get an app config value
config:app:set Set an app config value
config:import Import a list of configs
config:list List all configs
config:system:delete Delete a system config value
config:system:get Get a system config value
config:system:set Set a system config value
dav:create-addressbook Create a dav addressbook
dav:create-calendar Create a dav calendar
dav:list-calendars List all calendars of a user
dav:move-calendar Move a calendar from an user to another
dav:remove-invalid-shares Remove invalid dav shares
dav:send-event-reminders Sends event reminders
dav:sync-birthday-calendar Synchronizes the birthday calendar
dav:sync-system-addressbook Synchronizes users to the system addressbook
db:add-missing-indices Add missing indices to the database tables
db:convert-filecache-bigint Convert the ID columns of the filecache to BigInt
db:convert-mysql-charset Convert charset of MySQL/MariaDB to use utf8mb4
db:convert-type Convert the Nextcloud database to the newly configured one
encryption:change-key-storage-root Change key storage root
encryption:decrypt-all Disable server-side encryption and decrypt all files
encryption:disable Disable encryption
encryption:enable Enable encryption
encryption:encrypt-all Encrypt all files for all users
encryption:list-modules List all available encryption modules
encryption:set-default-module Set the encryption default module
encryption:show-key-storage-root Show current key storage root
encryption:status Lists the current status of encryption
federation:sync-addressbooks Synchronizes addressbooks of all federated clouds
files:cleanup cleanup filecache
files:scan rescan filesystem
files:scan-app-data rescan the AppData folder
files:transfer-ownership All files and folders are moved to another user - shares are moved as well.
group:add Add a group
group:adduser add a user to a group
group:delete Remove a group
group:list list configured groups
group:removeuser remove a user from a group
groupfolders:create Create a new group folder
groupfolders:delete Delete group folder
groupfolders:expire Trigger expiry of versions for files stored in group folders
groupfolders:group Edit the groups that have access to a group folder
groupfolders:list List the configured group folders
groupfolders:permissions Configure advanced permissions for a configured group folder
groupfolders:quota Edit the quota of a configured group folder
groupfolders:rename Rename group folder
groupfolders:scan Scan a group folder for outside changes
integrity:check-app Check integrity of an app using a signature.
integrity:check-core Check integrity of core code using a signature.
integrity:sign-app Signs an app using a private key.
integrity:sign-core Sign core using a private key.
ldap:check-user checks whether a user exists on LDAP.
ldap:create-empty-config creates an empty LDAP configuration
ldap:delete-config deletes an existing LDAP configuration
ldap:search executes a user or group search
ldap:set-config modifies an LDAP configuration
ldap:show-config shows the LDAP configuration
ldap:show-remnants shows which users are not available on LDAP anymore, but have remnants in Nextcloud.
ldap:test-config tests an LDAP configuration
log:file manipulate logging backend
log:manage manage logging configuration
log:tail Tail the nextcloud logfile
log:watch Watch the nextcloud logfile
mail:account:create creates IMAP account
mail:account:export Exports a user's IMAP account(s)
maintenance:data-fingerprint update the systems data-fingerprint after a backup is restored
maintenance:mimetype:update-db Update database mimetypes and update filecache
maintenance:mimetype:update-js Update mimetypelist.js
maintenance:mode set maintenance mode
maintenance:repair repair this installation
maintenance:theme:update Apply custom theme changes
maintenance:update:htaccess Updates the .htaccess file
maps:scan-photos Rescan photos GPS exif data
maps:scan-tracks Rescan track files
migrations:execute Execute a single migration version manually.
migrations:migrate Execute a migration to a specified version or the latest available version.
migrations:status View the status of a set of migrations.
music:cleanup clean up orphaned DB entries (this happens also periodically on the background)
music:reset-cache drop data cached by the music app for performance reasons
music:reset-database drop metadata indexed by the music app (artists, albums, tracks, playlists)
music:scan scan and index any unindexed audio files
notification:generate Generate a notification for the given user
security:certificates list trusted certificates
security:certificates:import import trusted certificate
security:certificates:remove remove trusted certificate
sharing:cleanup-remote-storages Cleanup shared storage entries that have no matching entry in the shares_external table
trashbin:cleanup Remove deleted files
trashbin:expire Expires the users trashbin
twofactorauth:cleanup Clean up the two-factor user-provider association of an uninstalled/removed provider
twofactorauth:disable Disable two-factor authentication for a user
twofactorauth:enable Enable two-factor authentication for a user
twofactorauth:enforce Enabled/disable enforced two-factor authentication
twofactorauth:state Get the two-factor authentication (2FA) state of a user
update:check Check for server and app updates
usage-report:generate Prints a CVS entry with some usage information of the user:
user:add adds a user
user:delete deletes the specified user
user:disable disables the specified user
user:enable enables the specified user
user:info show user info
user:lastseen shows when the user was logged in last time
user:list list configured users
user:report shows how many users have access
user:resetpassword Resets the password of the named user
user:setting Read and modify user settings
versions:cleanup Delete versions
versions:expire Expires the users file versions