Group Folders don't accept read conditions

Hi Community,

I’m facing a strange behavior with Group Folders, which I recently installed. Here’s the context:

  • I used to have an external storage accessible to the whole team (DATA), but now that our repository is filling up, I’d like to have protected areas for sensitive files.
  • Therefore, I created group folders such as C-R&D, C-HR, C-OPERATIONS, etc. (C is for Common), user groups for the same domains and would like to grant particular rights for each user group to the group folders. I.e. group “Engineering” has full rights on C-R&D, but only read rights on C-HR or C-OPERATIONS. Nothing disruptive here :smile:
  • One extra folder is dedicated to exchanging files with external users, such as customers or partners. This folder is named SHARED and is supposed in the future to host a dedicated folder for each entity: i.e. I’ll create an Acme folder for our customer ‘ACME’ who will be authorized to read/write/delete/share in (and only in) the SHARED/Acme sub-folder. I then suppose ACME users should at least be allowed to read the SHARED group folder…
  • I’ve then created a new user group: Guests, which is given full rights on SHARED through the Group Folders settings: Write/Share/Delete.
  • I will also create a new group for every entity who’s been granted access to SHARED: i.e. user “AcmeDirector” will be part of Guests and ACME groups. This way I could allow AcmeDirector to tweak access rights to other members of ACME organization.
  • My take is: AcmeDirector will be granted access to the top SHARED folder as a member of Guests group, won’t be able to open any sub-folder in SHARED but the SHARED/Acme sub-folder. My understanding is that I’ll then need to:
    ** grant full rights to Guests on SHARED --> AcmeDirector will then be able to open SHARED.
    ** deny all rights to AcmeDirector on all sub-folders (SHARED/*)
    ** grant full rights to AcmeDirector on SHARED/Acme sub-folder

Now the weird issues:

  1. When I log as AcmeDirector, I can’t delete my own files! Ex: I just cannot delete the default ‘nextCloud.png’ file which is added by default in the user folder.
  2. nextCloud prevents me from entering the SHARED folder, indicating “operation is forbidden”, although AcmeDirector user is part of the Guests group.

Does anyone please have a clue on what happens here? Is this a bug of Group Folders? Could be for point #2, but what about point #1?

In the meantime, I’m forced to grant all rights to Guests, which is a huge security breach!

Thanks in advance for any help!

Any help, please?

Quick query, how are you applying the permissions? Using occ or the web interface? For whatever reason, the gui version of advanced permissions doesn’t appear in my group folders, so I’ve used occ to set mine up. If you’re not already using occ directly let me know and I’ll happily post up a few commands that might help get to the bottom of your problem.

Hi @expert-geeks, thanks for the answer! I’ve tried so far to apply all permissions using the dedicated GUI, which should work as well as the occ command line. However, I could try occ and will let you know of the result. Please indicate which commands I should enter in this case.

Thanks again for your help!

No problem. First you need to find out where your occ file is (it’s in the root of your web folder). You’ll need to amend the commands below with the path to your occ if it’s different.

sudo -u www-data php /var/www/nextcloud/occ groupfolders:list

This will give your folder list. Note the folder number you need. If the folder is number 2, check the advanced permissions;

sudo -u www-data php /var/www/nextcloud/occ groupfolders:permissions 2

if they’re not already enabled;

sudo -u www-data php /var/www/nextcloud/occ groupfolders:permissions 2 --enable

You can set permissions on the folder for ‘username’ like so;

sudo -u www-data php /var/www/nextcloud/occ groupfolders:permissions 2 --user username / -- +read +create +write +delete +share

just change the permissions with + to allow and - to deny e.g. allow read, create, write, and deny delete & share;

sudo -u www-data php /var/www/nextcloud/occ groupfolders:permissions 2 --user username / -- +read +create +write -delete -share

substitute --user for --group to set group based permissions. Substitute / for the subfolder path to set subfolder permissions.

You can test the generated permissions with;

sudo -u www-data php /var/www/nextcloud/occ groupfolders:permissions 2 --user username Subfolder --test

this will output the permissions set e.g.

-read, -write, -create, -delete, -share

If I’ve read your use case correctly, I suspect that the problem may reside here;

** deny all rights to AcmeDirector on all sub-folders (SHARED/*)

Instead of denying access to subfolders, I suspect this is denying read access to SHARED which is essential to get a directory listing, hence operation forbidden. At least with occ you can have a poke about ‘under the hood’ and test that the permissions are being correctly applied.

In my setup, I have given a group full permission to access the equivalent of your SHARED folder (In Group Folders in the GUI) and then explicitly denied access to individual subfolders using the same group. You then set allow permissions on the subfolders on either a group or user basis. That way all users can get a directory listing in SHARED (and could create files/folders if you allow +create +write) but there’s fine grained permissions on the folders they can view/edit.

I hope that’s helpful. Please let me know how you get on.

FYI: Group Folders Advanced Permissions not working
& ACL not working with group folders
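As an added example (not code from this thread or from the Group Folders app), here is a small POSIX sh wrapper around the occ commands above. It applies the layered policy described in the previous post (full rights for Guests on SHARED, deny Guests on the Acme sub-folder, full rights for an ACME group there) and checks the output of `--test`. The folder id 2, the group names and the occ path are assumptions.

```shell
#!/bin/sh
# Added example: wraps the occ groupfolders:permissions calls from the thread
# so a layered policy can be applied and then verified.
# Assumptions: OCC is the occ invocation, folder id 2 is SHARED, and the
# group/user names (Guests, ACME, AcmeDirector) are constructed for illustration.
OCC="${OCC:-sudo -u www-data php /var/www/nextcloud/occ}"
FOLDER_ID="${FOLDER_ID:-2}"

# gf_perm KIND NAME PATH PERMS...  (KIND is "user" or "group";
# PERMS are +read/-read etc., exactly as occ expects them after "--")
gf_perm() {
    kind=$1; name=$2; path=$3; shift 3
    $OCC groupfolders:permissions "$FOLDER_ID" "--$kind" "$name" "$path" -- "$@"
}

# perm_allowed PERM "OUTPUT": exit 0 if the --test output lists +PERM.
# The output looks like "-read, -write, -create, -delete, -share".
perm_allowed() {
    case ",$(printf '%s' "$2" | tr -d ' ')," in
        *",+$1,"*) return 0 ;;
        *)         return 1 ;;
    esac
}

# The layered ACL from the thread:
#  1) Guests may list (and write in) SHARED itself,
#  2) Guests are denied on the Acme sub-folder,
#  3) only the ACME group gets full rights inside SHARED/Acme.
apply_shared_policy() {
    $OCC groupfolders:permissions "$FOLDER_ID" --enable
    gf_perm group Guests /    +read +create +write +delete +share
    gf_perm group Guests Acme -read -create -write -delete -share
    gf_perm group ACME   Acme +read +create +write +delete +share
}

# verify_user USER PATH PERM: exit 0 if the effective ACL grants PERM.
verify_user() {
    out=$($OCC groupfolders:permissions "$FOLDER_ID" --user "$1" "$2" --test)
    perm_allowed "$3" "$out"
}
```

Run `OCC=echo apply_shared_policy` first to see the exact commands without touching the server, then `verify_user AcmeDirector Acme read` after applying them for real.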

Hi @expert-geeks and thanks for the detailed information!

I’ve tinkered a bit with occ commands to find out that everything’s fine with the setup. I then think the truth lies in your last paragraph:

> Instead of denying access to subfolders, I suspect this is denying read access to SHARED which is essential to get a directory listing, hence operation forbidden. At least with occ you can have a poke about ‘under the hood’ and test that the permissions are being correctly applied.
>
> In my setup, I have given a group full permission to access the equivalent of your SHARED folder (In Group Folders in the GUI) and then explicitly denied access to individual subfolders using the same group. You then set allow permissions on the subfolders on either a group or user basis. That way all users can get a directory listing in SHARED (and could create files/folders if you allow +create +write) but there’s fine grained permissions on the folders they can view/edit.

I’ll check that SHARED/* thing but this could also hide a bug in GroupFolders… By the way, granting ALL rights to the Guests members then denying rights to guests one by one could rapidly become a mess when you have tens of subfolders! This is why I’ve tried the other way around: denying all rights (but READ) to guests, then granting all rights to a guest on his dedicated subfolder… Seems it’s not supported…

Thanks again for your help!

hi @jlgarnier, yes, I agree that the advanced group permissions should follow the way standard Linux file permissions work. That would be less confusing for all concerned.