External storage (Local) NC (snap) -- user www-data or root?


Nextcloud version (eg, 22.2.3): 22.2.3snap1
Operating system and version (eg, Ubuntu 20.04): Ubuntu 20.04.3 LTS
Apache or nginx version (eg, Apache 2.4.25): Don't know how to find the version number of apache in this snap.
PHP version (eg, 7.4): Don't know how to find the version of php in this snap.

The issue you are facing:
Can’t access some folders in External storage, and discrepancy between documentation and reality.

Is this the first time you’ve seen this error? (Y/N): Y

Steps to replicate it:

  1. Prepare a tree of files in /media/LTSync to access from NC via External storage (Local) and run the sudo chown -R www-data /media/LTSync command in the documentation.
  2. Log in as the administrative account for NC and create the External storage (Local) link to the folder. The link fails completely.
  3. Repeat the command as sudo chown -R root /media/LTSync as stated by @szaimen : “The ownership needs to be root:root in case of the snap” in this conversation.
  4. This time the link is made properly.
  5. Open Files within NC. Some folders within /media/LTSync show full contents (up to 18.1 GB) but others show zero.

(I didn’t do root:root because the files need to be writable by the adm group, so other programs can update them, and then NC can share them.)

Can anyone tell me why the snap version of NC needs the files to belong to root, while the standard version needs them to belong to the user that runs the web server, www-data?

And why is this requirement not documented anywhere? Is the documentation broken, or did I read the wrong files?

And another thing – the documentation for the standard version suggests I can use External storage (Local) to access a folder tree anywhere in the system, but according to @szaimen , the snap version can only access folders in /mnt or /media. (And that matches my experience.) Can anyone tell us why this is the case?

Thanks for thinking about these things,
Jim

The output of your Nextcloud log in Admin > Logging:

Error	PHP	Error: opendir(/media/LTSync/Spanish_win): Failed to open directory: Permission denied at /snap/nextcloud/28654/htdocs/lib/private/Files/Storage/Local.php#135

    <<closure>>

    OC\Log\ErrorHandler::onError()

    /snap/nextcloud/28654/htdocs/lib/private/Files/Storage/Local.php - line 135:

    opendir()

    /snap/nextcloud/28654/htdocs/lib/private/Files/Storage/Common.php - line 879:

    OC\Files\Storage\Local->opendir()

    /snap/nextcloud/28654/htdocs/lib/private/Files/Storage/Wrapper/PermissionsMask.php - line 157:

    OC\Files\Storage\Common->getDirectoryContent()

    <<closure>>

    OC\Files\Storage\Wrapper\PermissionsMask->getDirectoryContent()

    /snap/nextcloud/28654/htdocs/lib/private/Files/Cache/Scanner.php - line 408:

    iterator_to_array()

    /snap/nextcloud/28654/htdocs/lib/private/Files/Cache/Scanner.php - line 388:

    OC\Files\Cache\Scanner->handleChildren()

    /snap/nextcloud/28654/htdocs/lib/private/Files/Cache/Scanner.php - line 340:

    OC\Files\Cache\Scanner->scanChildren()

    /snap/nextcloud/28654/htdocs/lib/private/Files/Cache/Scanner.php - line 510:

    OC\Files\Cache\Scanner->scan()

    /snap/nextcloud/28654/htdocs/lib/private/Files/Cache/Scanner.php - line 521:

    OC\Files\Cache\Scanner->OC\Files\Cache\{closure}("*** sensiti ... *")

    /snap/nextcloud/28654/htdocs/lib/private/Files/Cache/Scanner.php - line 509:

    OC\Files\Cache\Scanner->runBackgroundScanJob()

    /snap/nextcloud/28654/htdocs/lib/private/Files/Utils/Scanner.php - line 185:

    OC\Files\Cache\Scanner->backgroundScan()

    /snap/nextcloud/28654/htdocs/apps/files/lib/BackgroundJob/ScanFiles.php - line 89:

    OC\Files\Utils\Scanner->backgroundScan()

    /snap/nextcloud/28654/htdocs/apps/files/lib/BackgroundJob/ScanFiles.php - line 125:

    OCA\Files\BackgroundJob\ScanFiles->runScanner()

    /snap/nextcloud/28654/htdocs/lib/private/BackgroundJob/Job.php - line 51:

    OCA\Files\BackgroundJob\ScanFiles->run()

    /snap/nextcloud/28654/htdocs/lib/private/BackgroundJob/TimedJob.php - line 58:

    OC\BackgroundJob\Job->execute()

    /snap/nextcloud/28654/htdocs/cron.php - line 127:

    OC\BackgroundJob\TimedJob->execute()

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php

$snap_current = getenv('SNAP_CURRENT');
$snap_data_current = getenv('SNAP_DATA_CURRENT');

$CONFIG = array(
/**
 * Use the ``apps_paths`` parameter to set the location of the Apps directory,
 * which should be scanned for available apps, and where user-specific apps
 * should be installed from the Apps store. The ``path`` defines the absolute
 * file system path to the app folder. The key ``url`` defines the HTTP web path
 * to that folder, starting from the Nextcloud web root. The key ``writable``
 * indicates if a web server can write files to that folder.
 */
'apps_paths' => array(
        /**
         * These are the default apps shipped with Nextcloud. They are read-only.
         */
        array(
                'path'=> $snap_current.'/htdocs/apps',
                'url' => '/apps',
                'writable' => false,
        ),

        /**
         * This directory is writable, meant for apps installed by the user.
         */
        array(
                'path'=> $snap_data_current.'/nextcloud/extra-apps',
                'url' => '/extra-apps',
                'writable' => true,
        ),
),

/**
 * Database types that are supported for installation.
 *
 * Available:
 *      - sqlite (SQLite3 - Not in Enterprise Edition)
 *      - mysql (MySQL)
 *      - pgsql (PostgreSQL)
 *      - oci (Oracle - Enterprise Edition Only)
 */
'supportedDatabases' => array(
        'mysql',
),

'memcache.locking' => '\OC\Memcache\Redis',
'memcache.local' => '\OC\Memcache\Redis',
'redis' => array(
    'host' => getenv('REDIS_SOCKET'),
    'port' => 0,
),

'log_type' => 'file',
'logfile' => $snap_data_current.'/logs/nextcloud.log',
'logfilemode' => 0640,
);


cc @kyrofa

Because services in snaps run as (confined) root, not www-data.

It’s documented here. You were referring to docs written for a traditional install is all.

@szaimen is spot on. It’s because the snap is confined. Snaps do this by way of interfaces. One of the interfaces is called removable-media, which grants access to the host’s /media and /mnt directories. That’s how the snap can support access to other disks. Without that interface it can only read/write in a few very specific places.

For snap it is not root, but your user instead.

I’m afraid that everything in your comment is wrong :stuck_out_tongue: . Yes, snaps can access user-owned files in a particular area, but that area is ~/snap, not ~/.snap. Also, since snap daemons run as root, in this case that “user” is root. When we’re talking about file ownership for the Nextcloud snap, files should be owned by root, not some other user.

Thank you @kyrofa, your responses have been so helpful :slight_smile: Thanks too to @szaimen for your responses in the other post and for doing the cc to get us connected. All is now clear!

I could have saved a lot of time and frustration if the documentation of Local had mentioned that the details for a snap installation are different. Could I suggest an addition near the top of that page of something like
If your NextCloud was installed as a snap, the details are different. Please see this document as well.

Also, all the documents seem to suggest that the file ownership needs to have the group membership the same as the owner (ie. www-data:www-data or root:root), but that is not necessary and would not be appropriate for my application.

I plan to use NextCloud as a way for people I don’t know to be able to sync free software installers to their computers using a read-only share of External storage (Local) to a guest account. I don’t mind having the files served by this system be owned by root, but their group membership needs to be something else, currently adm, so other programs can update them. I don’t think it would be wise for those other programs to have to run as root.

From my experiments so far it seems I can do
sudo chown -R root:adm folder
and NC can still access the files in the tree rooted at folder.
Is there a reason that the examples set the group to the same user as the owner of the files to be accessed? It seems to me one of the purposes of using External storage (Local) is so that users accessing the system through NC and other users of the system can all have access to the files in the External storage.

Thanks again for thinking about these things and for your very helpful responses.

We’re all community members here. I wrote the snap docs, but I didn’t write the docs for external storage. I’m not involved in that project at all. If you’d like to propose an update, by all means go for it!

Because it’s the most locked-down option available and generally works. The attack surface is a bit wider when the group is something else. Beyond that, what group would you use when you’re writing documentation that includes examples? Of course, it’s perfectly acceptable to have the group be something else if your use-case calls for it and you realize the risks. Just remember that Nextcloud is running as root. As long as root has r/w permissions on the files, regardless of the ownership of the files, things should work fine.
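
An added example, not part of any post in this thread and not Nextcloud or snap project code: a shell audit for a tree meant for External storage (Local) under the snap, covering the /media-or-/mnt restriction, directories that uid 0 cannot open by mode bits, and group- or world-writable entries. It assumes the confined service is bound by ordinary mode bits, which is consistent with the Permission denied error logged earlier in the thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a tree meant for External storage (Local) under the snap.
# Assumption: the confined service runs as uid 0 but is still bound by ordinary
# mode bits, as the "Permission denied" from opendir() in the log suggests.

# Succeeds if the resolved path lies under /media or /mnt, the only host
# directories the removable-media interface exposes to the snap.
snap_can_reach() {
    p=$(readlink -f -- "$1" 2>/dev/null) || p=$1
    case "$p" in
        /media/*|/mnt/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print directories uid 0 cannot list and enter by mode bits alone. The bits
# that apply are the owner's if uid 0 owns the directory, else the group's if
# its gid is 0, else "other".
unreadable_dirs() {
    find "$1" -type d \( \
        \( -user 0 ! -perm -500 \) -o \
        \( ! -user 0 -group 0 ! -perm -050 \) -o \
        \( ! -user 0 ! -group 0 ! -perm -005 \) \
    \) -print -prune 2>/dev/null || true
}

# Print entries writable by group or other: the wider attack surface that
# comes with layouts such as root:adm with group write. Review each one.
loose_write() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print 2>/dev/null || true
}

# Run all three checks when a path is given, e.g.: sh audit.sh /media/LTSync
if [ "$#" -gt 0 ]; then
    snap_can_reach "$1" || echo "outside /media and /mnt: $1"
    echo "directories uid 0 cannot open:"; unreadable_dirs "$1"
    echo "group- or world-writable entries:"; loose_write "$1"
fi
```

A directory listed by `unreadable_dirs` is one where a background scan would hit the same opendir() failure shown in the log; entries from `loose_write` are expected in a root:adm layout and are listed so each can be reviewed.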

Hello Jim,
I got the same error when I try to mount a local path that I mounted using cifs.
Failed to open directory: Permission denied at /snap/nextcloud/28654/htdocs/lib/private/Files/Storage/Local.php
I mounted using [,dir_mode=0777,file_mode=0777,uid=1000,gid=33] and I still can’t mount on Nextcloud.
Which permissions did you set?

@Canhobix, you may have used the wrong user ID as the owner of the files you want to access using External storage (Local).

I have successfully mounted /media/data/LT/BTSync on my local system, pointing to it with a folder in NC that I called LTSync. I had to locate the External folder inside /media because I am using the snap version of NextCloud, and for that version the External folder has to be within /media or /mnt.
Even though the documentation says the External files must belong to root for the snap installation, I have found that is not necessary in my case – perhaps because the External storage (Local) link is read-only. Here are the permissions and ownership of my External storage:

drwxr-xr-x jim adm /media/data/
drwxrwxr-x ltadmin adm /media/data/LT/
drwsrwsr-x ltadmin adm /media/data/LT/BTSync/

Here is a screenshot of the link to my External storage (Local):

If your installation of NextCloud is the snap one, and if you want NC to be able to write to those files, I suggest you make them belong to root, and you will need to locate them within /media or /tmp. You also need to add the app for removable media to your NC.

If your NC installation is done the more difficult manual way, the documentation says the files should belong to the user who runs the web server on your system, www-data. For that installation I think you can locate the External storage anywhere in the file system. I have not tried this installation.