Directory permissions for /var/www/nextcloud constantly change

Hi all,

I have Nextcloud v17 installed, following this guide

  • nginx
  • mariaDB
  • php7.3
  • redis

First I was wondering why I got “Access Denied” when I browsed the URL, so I checked the permissions.
When I recognized that the directory permissions were wrong, I changed them:
#chmod 750 /var/www/nextcloud

Back in the browser, I was able to log in, but after login I got “Access Denied” again.
So I checked the permissions again and realized that something had changed the permissions to 640 for /var/www/nextcloud

Now I observe that the permissions change a few seconds after I modify them.

Does anybody have an idea what process might do that and how I can stop it?

Most probably a cron job of some kind. What Linux distro are you running on? Is it Debian 9 as in the howto? What other software do you have on it?

No, it's Debian 10.
What exactly do you mean by?

“What other software do you have on it ?”

There is a lot of other stuff running on that system:

  • homebridge
  • kodi
  • checkMK

but only the nextcloud directory is affected.

With auditctl I tried to watch who/what changes directory permissions:

root@upi:~# auditctl -w /var/www/nextcloud -p wax -k nextcloud
root@upi:~# ls -ld /var/www/nextcloud
drw-r----- 15 www-data www-data 4096 Oct  2 22:21 /var/www/nextcloud
root@upi:~# ausearch -f nextcloud
<no matches>
root@upi:~# chmod 750 /var/www/nextcloud
root@upi:~# ausearch -f nextcloud
----
time->Thu Oct  3 16:17:44 2019
type=PROCTITLE msg=audit(1570112264.464:14366): proctitle=63686D6F6400373530002F7661722F7777772F6E657874636C6F7564
type=PATH msg=audit(1570112264.464:14366): item=0 name="/var/www/nextcloud" inode=933891 dev=b3:03 mode=040640 ouid=33 ogid=33 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1570112264.464:14366):  cwd="/root"
type=SYSCALL msg=audit(1570112264.464:14366): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55f79fca44c0 a2=1e8 a3=7f312893cc80 items=1 ppid=23364 pid=25355 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3117 comm="chmod" exe="/bin/chmod" key="nextcloud"

My auditd registered my chmod above: exe="/bin/chmod"

Only a few seconds later:

root@upi:~# stat /var/www/nextcloud
  File: /var/www/nextcloud
  Size: 4096      	Blocks: 8          IO Block: 4096   directory
Device: b303h/45827d	Inode: 933891      Links: 15
Access: (0640/drw-r-----)  Uid: (   33/www-data)   Gid: (   33/www-data)
Access: 2019-10-03 00:33:21.750177718 +0200
Modify: 2019-10-02 22:21:45.590652276 +0200
Change: 2019-10-03 16:18:05.403308234 +0200
 Birth: -
root@upi:~# ausearch -f nextcloud
----
time->Thu Oct  3 16:17:44 2019
type=PROCTITLE msg=audit(1570112264.464:14366): proctitle=63686D6F6400373530002F7661722F7777772F6E657874636C6F7564
type=PATH msg=audit(1570112264.464:14366): item=0 name="/var/www/nextcloud" inode=933891 dev=b3:03 mode=040640 ouid=33 ogid=33 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1570112264.464:14366):  cwd="/root"
type=SYSCALL msg=audit(1570112264.464:14366): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55f79fca44c0 a2=1e8 a3=7f312893cc80 items=1 ppid=23364 pid=25355 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3117 comm="chmod" exe="/bin/chmod" key="nextcloud"
root@upi:~#

I can see the timestamp of the permission change in the stat output, but I can’t see (audit didn’t register) by who/what it was changed.
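
Added example (not part of the original thread and not code from any poster): a Python script that decodes the audit event posted above and checks whether it accounts for the "Change:" time in the stat output. The function names are hypothetical, and the syscall table covers only the x86_64 mode-setting calls.

```python
import re
from datetime import datetime

# Records copied from the ausearch output posted above (CWD record omitted).
EVENT = """\
type=PROCTITLE msg=audit(1570112264.464:14366): proctitle=63686D6F6400373530002F7661722F7777772F6E657874636C6F7564
type=PATH msg=audit(1570112264.464:14366): item=0 name="/var/www/nextcloud" inode=933891 dev=b3:03 mode=040640 ouid=33 ogid=33 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1570112264.464:14366): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55f79fca44c0 a2=1e8 a3=7f312893cc80 items=1 ppid=23364 pid=25355 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3117 comm="chmod" exe="/bin/chmod" key="nextcloud"
"""
# "Change:" time from the stat output above, truncated to microseconds.
CTIME = datetime.fromisoformat("2019-10-03 16:18:05.403308+02:00").timestamp()

# x86_64 (arch=c000003e) syscalls that set a file mode, and which argument holds it.
MODE_ARG = {90: ("chmod", "a1"), 91: ("fchmod", "a1"), 268: ("fchmodat", "a2")}

def parse_event(text):
    """Merge the records of one audit event into a flat dict of fields."""
    fields = {}
    for line in text.splitlines():
        m = re.search(r"msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)", line)
        if not m:
            continue
        fields["epoch"], fields["serial"] = float(m.group(1)), int(m.group(2))
        for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3)):
            fields.setdefault(key, val.strip('"'))
    return fields

def describe(fields):
    """Decode argv from proctitle and the requested mode from the syscall args."""
    try:  # proctitle is hex-encoded when argv contains NUL separators
        title = bytes.fromhex(fields["proctitle"]).decode(errors="replace")
    except ValueError:  # otherwise auditd logs it as a plain string
        title = fields["proctitle"]
    name, arg = MODE_ARG[int(fields["syscall"])]
    return {"argv": title.split("\x00"), "syscall": name,
            "requested_mode": oct(int(fields[arg], 16)),
            "mode_in_path_record": fields["mode"],
            "exe": fields["exe"], "auid": fields["auid"]}

def unexplained_change(ctime, events, tolerance=1.0):
    """True if no audited event lies within `tolerance` seconds of the inode ctime."""
    return all(abs(e["epoch"] - ctime) > tolerance for e in events)

if __name__ == "__main__":
    ev = parse_event(EVENT)
    print(describe(ev))
    print("gap to ctime: %.1f s" % (CTIME - ev["epoch"]))
    print("ctime unexplained by audit log:", unexplained_change(CTIME, [ev]))
```

For this event the decoded argv is chmod 750 /var/www/nextcloud, and the ctime from stat lies about 21 seconds after it, so the later change has no matching record in the posted ausearch output.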