18.0.1 to 18.0.3 update - write permission check

tidus · April 8, 2020, 10:30am

I am trying to update from 18.0.1 to 18.0.3.

The updater fails at the second step: write permission check.
Never had any issue with permissions, I have been updating since version 16. The files are all under nginx user “http” group “http”. I even tried setting permissions to 777 temporarily to see if it would have fixed the issue but it didn’t work.

The files are these:
The following places can not be written to:

/usr/share/webapps/nextcloud/updater/../occ
/usr/share/webapps/nextcloud/updater/../COPYING
/usr/share/webapps/nextcloud/updater/../.user.ini
/usr/share/webapps/nextcloud/updater/../index.html
/usr/share/webapps/nextcloud/updater/../version.php
/usr/share/webapps/nextcloud/updater/../cron.php
/usr/share/webapps/nextcloud/updater/../remote.php
/usr/share/webapps/nextcloud/updater/../robots.txt
/usr/share/webapps/nextcloud/updater/../console.php
/usr/share/webapps/nextcloud/updater/../.htaccess
/usr/share/webapps/nextcloud/updater/../public.php
/usr/share/webapps/nextcloud/updater/../status.php
/usr/share/webapps/nextcloud/updater/../index.php
/usr/share/webapps/nextcloud/updater/../AUTHORS

I am on Manjaro, nginx on the server.

devnull · April 8, 2020, 10:40am

Check the permissions. Post
ls -al /usr/share/webapps/nextcloud

tidus · April 8, 2020, 10:58am

drwxrwxr-x 12 http http 4096 26 feb 18.40 .
drwxrwxrwx 6 root root 4096 22 ago 2019 …
drwxrwxr-x 33 http http 4096 26 feb 18.40 3rdparty
drwxrwxr-x 55 http http 4096 8 apr 12.03 apps
-rwxrwxr-x 1 http http 15752 26 feb 18.40 AUTHORS
lrwxrwxrwx 1 http http 29 9 lug 2019 config -> /etc/webapps/nextcloud/config * -rwxrwxr-x 1 http http 3910 26 feb 18.40 console.php
-rwxrwxr-x 1 http http 34520 26 feb 18.40 COPYING
drwxrwxr-x 23 http http 4096 26 feb 18.40 core
-rwxrwxr-x 1 http http 5048 26 feb 18.40 cron.php
-rwxrwxr-x 1 http http 2647 26 feb 18.52 .htaccess
-rwxrwxr-x 1 http http 156 26 feb 18.40 index.html
-rwxrwxr-x 1 http http 2976 26 feb 18.40 index.php
drwxrwxr-x 6 http http 4096 26 feb 18.40 lib
-rwxrwxr-x 1 http http 283 26 feb 18.40 occ
drwxrwxr-x 2 http http 4096 26 feb 18.40 ocm-provider
drwxrwxr-x 2 http http 4096 26 feb 18.40 ocs
drwxrwxr-x 2 http http 4096 26 feb 18.40 ocs-provider
-rwxrwxr-x 1 http http 3056 26 feb 18.40 public.php
-rwxrwxr-x 1 http http 5235 26 feb 18.40 remote.php
drwxrwxr-x 4 http http 4096 26 feb 18.40 resources
-rwxrwxr-x 1 http http 26 26 feb 18.40 robots.txt
-rwxrwxr-x 1 http http 2381 26 feb 18.40 status.php
drwxrwxr-x 3 http http 4096 26 feb 18.40 themes
drwxrwxr-x 2 http http 4096 2 ago 2019 updater
-rwxrwxr-x 1 http http 101 26 feb 18.40 .user.ini
-rwxrwxr-x 1 http http 362 26 feb 18.40 version.php

devnull · April 8, 2020, 11:00am

And the user “http” is your nextcloud user?

devnull · April 8, 2020, 11:03am

And “http” can write /etc/webapps/nextcloud/config/config.php ?

lrwxrwxrwx 1 http http 29 9 lug 2019 config -> /etc/webapps/nextcloud/config

I do not know nextcloud config can use with symbolic link.
But it must be edited from nextcloud user “http”.

tidus · April 8, 2020, 11:05am

Yes, http is my nginx-php everything user.
Yes it can. permission is -rwxrwxr-x 1 http http 874 8 apr 12.56 config.php

tidus · April 8, 2020, 11:05am

I have been using this set up for almost a year now. Never had this issue with any updates before

devnull · April 8, 2020, 11:07am

Perhaps the write permission test was changed.
Perhaps you can move the configuration in the correct directory with the correct rights and test ist again.

tidus · April 8, 2020, 11:47am

I will try later. I just tried and this broke nextcloud, probably because of other permissions (php writing to config folder)

codiflow · April 27, 2020, 1:01pm

If you are using PHP 7.4 you need to enter the paths PHP is allowed to write to. Seems to be a new security feature:

systemctl edit php-fpm.service

Then enter something like this

[Service]
ReadWritePaths = /usr/share/webapps/nextcloud/apps
ReadWritePaths = /usr/share/webapps/nextcloud/apps2
ReadWritePaths = /etc/webapps/nextcloud/config/

And afterwards restart php.fpm: systemctl restart php-fpm.service

Source: [NC18] Problem to access data folder after upgrade to php 7.4

codiflow · April 27, 2020, 1:14pm

Because I got the following error message while upgrading to Nextcloud 18.0.4 I found a more convenient solution to this:

[error] POST request failed with UpdateException                                │
[error] Exception: UpdateException                                              │
│Message:                                                                                                            │
│Code:0                                                                                                              │
│Trace:                                                                                                              │
│#0 /usr/share/webapps/nextcloud/updater/index.php(1333): Updater->checkWritePermissions()                           │
│#1 {main}                                                                                                           │
│File:/usr/share/webapps/nextcloud/updater/index.php                                                                 │
│Line:417                                                                                                            │
│Data:                                                                                                               │
│Array                                                                                                               │
│(                                                                                                                   │
│    [0] => /usr/share/webapps/nextcloud/updater/../index.php                                                        │
│    [1] => /usr/share/webapps/nextcloud/updater/../console.php                                                      │
│    [2] => /usr/share/webapps/nextcloud/updater/../index.html                                                       │
│    [3] => /usr/share/webapps/nextcloud/updater/../COPYING                                                          │
│    [4] => /usr/share/webapps/nextcloud/updater/../cron.php                                                         │
│    [5] => /usr/share/webapps/nextcloud/updater/../AUTHORS                                                          │
│    [6] => /usr/share/webapps/nextcloud/updater/../version.php                                                      │
│    [7] => /usr/share/webapps/nextcloud/updater/../occ                                                              │
│    [8] => /usr/share/webapps/nextcloud/updater/../.htaccess                                                        │
│    [9] => /usr/share/webapps/nextcloud/updater/../.user.ini                                                        │
│    [10] => /usr/share/webapps/nextcloud/updater/../status.php                                                      │
│    [11] => /usr/share/webapps/nextcloud/updater/../public.php                                                      │
│    [12] => /usr/share/webapps/nextcloud/updater/../robots.txt                                                      │
│    [13] => /usr/share/webapps/nextcloud/updater/../remote.php                                                      │
│)

I’m working with PHP 7.4.5 and php-fpm using nginx under Arch linux.

Simple solution was adding this via systemctl edit php-fpm.service:

[Service]
ReadWritePaths = /usr/share/webapps/nextcloud/
ReadWritePaths = /etc/webapps/nextcloud/

And restarting the service with systemctl restart php-fpm.service

Probably this is not how this new security feature of PHP 7.4 works but its better than a non working Nextcloud Updater.