hi all,
i have Nextcloud v17 installed, following this guide
- nginx
- mariaDB
- php7.3
- redis
First i was wondering why i got “Access Denied” when browsed the url, so i checked for permissions.
When i recognized that directory permission were wrong i changed them:
#chmod 750 /var/www/nextcloud
Back in browser, i was able to log in, but after login again “Access Denied”.
So i checked again for permissions and realized, something changed the permission to 640 for /var/www/nextcloud
Now i observe that the permissions change a few seconds after I modify them.
Has anybody an idea what process might do that and how i can stop that.
Most probably a cron job of some kind. What Linux distro are you running on? Is it debian 9 as in the howto? What other software do you have on it ?
no, its debian 10
what exactly do you mean by?
“What other software do you have on it ?”
There is a lot of other stuff running on that system:
but only nextcloud directory is affected.
With auditctl I tried to watch who/what changes directory permissions:
root@upi:~# auditctl -w /var/www/nextcloud -p wax -k nextcloud
root@upi:~# ls -ld /var/www/nextcloud
drw-r----- 15 www-data www-data 4096 Oct 2 22:21 /var/www/nextcloud
root@upi:~# ausearch -f nextcloud
\<no matches>
root@upi:~# chmod 750 /var/www/nextcloud
root@upi:~# ausearch -f nextcloud
----
time->Thu Oct 3 16:17:44 2019
type=PROCTITLE msg=audit(1570112264.464:14366): proctitle=63686D6F6400373530002F7661722F7777772F6E657874636C6F7564
type=PATH msg=audit(1570112264.464:14366): item=0 name="/var/www/nextcloud" inode=933891 dev=b3:03 mode=040640 ouid=33 ogid=33 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1570112264.464:14366): cwd="/root"
type=SYSCALL msg=audit(1570112264.464:14366): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55f79fca44c0 a2=1e8 a3=7f312893cc80 items=1 ppid=23364 pid=25355 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3117 comm="chmod" exe="/bin/chmod" key="nextcloud"
my auditd registered my chmod above exe=“/bin/chmod”
Only a few seconds later:
root@upi:~# stat /var/www/nextcloud
File: /var/www/nextcloud
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: b303h/45827d Inode: 933891 Links: 15
Access: (0640/drw-r-----) Uid: ( 33/www-data) Gid: ( 33/www-data)
Access: 2019-10-03 00:33:21.750177718 +0200
Modify: 2019-10-02 22:21:45.590652276 +0200
Change: 2019-10-03 16:18:05.403308234 +0200
Birth: -
root@upi:~# ausearch -f nextcloud
----
time->Thu Oct 3 16:17:44 2019
type=PROCTITLE msg=audit(1570112264.464:14366): proctitle=63686D6F6400373530002F7661722F7777772F6E657874636C6F7564
type=PATH msg=audit(1570112264.464:14366): item=0 name="/var/www/nextcloud" inode=933891 dev=b3:03 mode=040640 ouid=33 ogid=33 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1570112264.464:14366): cwd="/root"
type=SYSCALL msg=audit(1570112264.464:14366): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55f79fca44c0 a2=1e8 a3=7f312893cc80 items=1 ppid=23364 pid=25355 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3117 comm="chmod" exe="/bin/chmod" key="nextcloud"
root@upi:~#
I can see in stat-output the timestamp of permission change, but I can’t see(audit didn’t register) by who/what it was changed