How to run occ without sudo in shared hosting

Hi,
I am running nextcloud in a shared hosting environment, and reorganized some files from the bash when i connect to my folder with putty. Now I want to reindex them with the command occ files:scan. But I don’t have access to sudo. Is there another way to do it? For example is there an app that allows me to run occ commands?
Br,
jk.

Which user owns the file occ? And which user are you, when logged in on the shared hosting environment?
Could you post the output of the following commands?
ls -l /path/to/nextcloud/occ
and
id

Difficult, the occ command only runs with the same users that runs the webserver. Usually that user is a system user that you can’t login with. Thus sudo is, AFAIK, the only way to run a command as webserver user. And of course on a shared hosting you won’t be allowed to run sudo or login as shared webserver user, as this would allow your to access the whole system or all users web data respectively.

So the shared hosting does not allow to login as webserver user or use it via sudo, and Nextcloud does not allow you to run occ without the first, even that your user has full permissions on the occ file.

I don’t see any other way than either asking your hosting provider do run the command or do all Nextcloud internal file/folder work via Nextcloud web ui, clients or webdav.

It was already asked for an app or feature to run occ commands via web interface admin panel, but so far this is not available, AFAIK :thinking:.

This is actually not true for all shared hosting environments out there. At least at uberspace.de running just (without sudo) php /path/to/nextcloud/occ --version (Or any other occ command) from the regular user account works without any issues.

1 Like

Perhaps in those cases the users unix user is as well used as separate webserver user, running an own webserver instance?

But yeah, actually I am not sure, how Nextcloud (occ) evaluates, if the user is allowed to run the command or not. Perhaps there is a trick to allow other users via PHP configuration. Would be nice to know actually, as I so far never saw/found a solution without sudo.

Edit:
A bid research: https://github.com/nextcloud/server/blob/master/console.php#L64-L72
So actually, if I followed the exec tail correctly, then the executing user is matched against the owner of /path/to/nextcloud/config/config.php? Hmm I guess someone who uses a shared hosting will know better, how actually permissions and ownership is handled there usually if end user can login SSH via one unix user and needs ones webroot owned by webserver user. Do all web accessible files need to be uploaded via some web interface? Perhaps it is possible to (re)create config.php with the own unix user and grant (chmod) full permissions to webserver user. But this would be needed for all via occ (php) command created files then, as those will be created with own unix user ownership as well :thinking:.

Now I am caught by this and will play a bid around later on my VMs :laughing:.

1 Like

I have no idea how this is done internally at uberspace. All I know is that all files belong the the users unix user - also the files which need to be accessed by the webserver. I doubt that they have a running webserver instance for every single user of the 150-300 users sharing a KVM host. More likely would be that the webserver has read/write access to the files owned by all users. Would that make sense? Maybe security risk?
Well… all I know is that I know nothing…

BUT: it is definitely worth trying to run occ like described above: php /path/to/nextcloud/occ files:scan, if the the file occ belongs to the unix user.

Have fun :smiley:

Jep, that would be a solution, actually the most reasonable one. But this is just a good solution if the shared hosting is really just intended for HTTP(S) access. If you e.g. want to save files/data via SFTP or other protocols, then you most likely don’t want the webserver to have full permissions on them as well. Of course there are ways to limit web access to certain directories etc., but at least if opens another attack vector.

But yeah, in the end it’s features/comfort vs security here and when using Nextcloud as your personal data solution, you anyway have the webserver user with full permissions on all those data. Highly important/private data then are better not saved on any cloud anyway, but just locally, backed up on local drives :wink:.

1 Like

Hello,

please see

Do you have access to the ‘su’ command? If so, this will work:

su -s /bin/bash www-data

(type exit to leave the session). If you don’t have su or sudo then MAYBE you can run a command via the web server, but that’s a security issue at least: Create a script that contains your occ command and place it in webroot as something like script7397.php and then access it via https as https:mynextcloud.com/script7397.php.

GOOD LUCK

W.

These scripts already run with the webserver user, so you don’t need the sudo or su command. There probably is a higher risk, that other code could be executed with webserver-permissions … and the script-runtime limit is still an issue (make larger database changes etc).

1 Like

Great, used this OCC Web app also to fix the indexes on the database after upgrading to 15 with the command db:add-missing-indices and to update the indexes with files:scan --path=/username/files/Photos/2014/
Not sure if i can use it to upgrade the database to mysql. Maybe somebody else have tried that?