Keepass2Android: WebDAV has no permissions writing files

Nextcloud version:
Helm Chart version 2.14.2 with Docker Image tag 23.0.3-fpm running Nextcloud 23.0.3.2
Operating system and version:
Kubernetes Distro k3s in Version v1.23.5+k3s1
Apache or nginx version:
The Nextcloud Docker image includes version nginx/1.21.6
PHP version:

php --version
PHP 8.0.17 (cli) (built: Mar 29 2022 02:31:00) ( NTS )
Copyright (c) The PHP Group
Zend Engine v4.0.17, Copyright (c) Zend Technologies
    with Zend OPcache v8.0.17, Copyright (c), by Zend Technologies

The issue you are facing:

I recently upgraded from NC 21 to 22 and then 23. I don’t really know since when, but recently the Nextcloud logs complain about insufficient file permissions.

This error only occurs when updating the file over WebDAV (with the Keepass2Android app). Within the Nextcloud WebGUI I can edit the file as usual.

The file permissions (including the whole path) look fine:

$ ls -lah /var/www/html/data/thomass/files/works/keepass/databases/crucial.kdbx
-rwxrwx--- 1 www-data www-data 2.3M Apr 27 09:34 /var/www/html/data/thomass/files/works/keepass/databases/crucial.kdbx

The php-fpm config seems to be correct:

grep -E '^(user|group)' /usr/local/etc/php-fpm.d/www.conf
user = www-data
group = www-data

All php-fpm processes (except the initial one) are running as the www-data user:

ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.2 266968 37564 ?        Ss   04:18   0:01 php-fpm: master process (/usr/local/etc/php-fpm.conf)
www-data      42  0.2  0.5 325976 90108 ?        S    04:18   0:57 php-fpm: pool www
www-data      43  0.2  0.5 323260 88352 ?        S    04:18   0:55 php-fpm: pool www
www-data      44  0.2  0.5 399280 89604 ?        S    04:18   0:56 php-fpm: pool www
...

Is this the first time you’ve seen this error?: Y

Steps to replicate it:

  1. In Keepass2Android I configured access to the database file directly on Nextcloud over WebDAV.
  2. When making local changes and pushing updates to Nextcloud, Keepass2Android receives an HTTP 500 response.

The output of your Nextcloud log in Admin > Logging:

PHP	Error: file_put_contents(/var/www/html/data/thomass/files/works/keepass/databases/crucial.kdbx): Failed to open stream: Permission denied at /var/www/html/lib/private/Files/Storage/Local.php#282

The output of your config.php file

<?php
$CONFIG = array (
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => 'nc.xxxxx.de',
  ),
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'mysql',
  'version' => '23.0.3.2',
  'dbname' => 'nextcloud',
  'dbhost' => 'nextcloud-mariadb',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'xxxxx',
  'dbpassword' => 'xxxxx',
  'installed' => true,
  'maintenance' => false,
  'data-fingerprint' => 'xxxxx',
  'loglevel' => 0,
  'theme' => '',
  'allow_user_to_change_display_name' => false,
  'lost_password_link' => 'disabled',
  'htaccess.RewriteBase' => '/',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/var/www/html/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/var/www/html/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,
    ),
  ),
  'passwordsalt' => 'xxxxx',
  'secret' => 'xxxxx',
  'instanceid' => 'xxxxx',
  'default_phone_region' => 'DE',
  'filesystem_check_changes' => 1,
  'overwriteprotocol' => 'https',
  'trusted_proxies' =>
  array (
    0 => 'traefik.svc.cluster.local',
  ),
  'overwrite.cli.url' => 'http://nc.xxxxx.de',
  'overwritehost' => 'nc.xxxxx.de',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => 'nextcloud-redis-master',
    'port' => '6379',
    'password' => 'xxxxx',
  ),
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'preview_max_x' => '3840',
  'preview_max_y' => '2160',
  'jpeg_quality' => '60',
  'enabledPreviewProviders' =>
  array (
    0 => 'OC\\Preview\\PNG',
    1 => 'OC\\Preview\\JPEG',
    2 => 'OC\\Preview\\GIF',
    3 => 'OC\\Preview\\HEIC',
    4 => 'OC\\Preview\\BMP',
    5 => 'OC\\Preview\\XBitmap',
    6 => 'OC\\Preview\\MP3',
    7 => 'OC\\Preview\\TXT',
    8 => 'OC\\Preview\\MarkDown',
  ),
  'oidc_login_provider_url' => 'https://sso.xxxxx.de/auth/realms/default',
  'oidc_login_client_id' => 'xxxxx',
  'oidc_login_client_secret' => 'xxxxx',
  'oidc_login_auto_redirect' => true,
  'oidc_login_logout_url' => 'https://sso.xxxxx.de/auth/realms/default/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2Fnc.xxxxx.de%2F',
  'oidc_login_button_text' => 'Log in with Keycloak',
  'oidc_login_hide_password_form' => true,
  'oidc_login_attributes' =>
  array (
    'id' => 'preferred_username',
    'name' => 'name',
    'mail' => 'email',
    'groups' => 'nextcloudGroups',
    'is_admin' => 'nextcloudAdmin',
  ),
  'oidc_login_scope' => 'openid profile',
  'oidc_login_disable_registration' => false,
  'oidc_login_redir_fallback' => true,
  'oidc_login_tls_verify' => true,
  'oidc_create_groups' => false,
);

The output of your Apache/nginx/system log

10.42.x.x - - [27/Apr/2022:22:06:01 +0200] "PUT /remote.php/webdav/works/keepass/databases/crucial.kdbx HTTP/1.1" 401 426 "-" "okhttp/4.10.0-RC1" "10.42.0.1"
10.42.x.x - userx [27/Apr/2022:22:06:02 +0200] "PUT /remote.php/webdav/works/keepass/databases/crucial.kdbx HTTP/1.1" 500 306 "-" "okhttp/4.10.0-RC1" "10.42.0.1"

Output errors in nextcloud.log in /var/www/

{
    "reqId": "7f8Q6y7ON9mpA2Ww3epR",
    "level": 3,
    "time": "2022-04-27T06:02:46+00:00",
    "remoteAddr": "10.42.0.119",
    "user": "thomass",
    "app": "PHP",
    "method": "PUT",
    "url": "/remote.php/webdav/works/keepass/databases/crucial.kdbx",
    "message": "file_put_contents(/var/www/html/data/thomass/files/works/keepass/databases/crucial.kdbx): Failed to open stream: Permission denied at /var/www/html/lib/private/Files/Storage/Local.php#282",
    "userAgent": "okhttp/4.10.0-RC1",
    "version": "23.0.3.2",
    "exception": {
        "Exception": "Error",
        "Message": "file_put_contents(/var/www/html/data/thomass/files/works/keepass/databases/crucial.kdbx): Failed to open stream: Permission denied at /var/www/html/lib/private/Files/Storage/Local.php#282",
        "Code": 0,
        "Trace": [
            {
                "function": "onError",
                "class": "OC\\Log\\ErrorHandler",
                "type": "::",
                "args": [
                    2,
                    "file_put_contents(/var/www/html/data/thomass/files/works/keepass/databases/crucial.kdbx): Failed to open stream: Permission denied",
                    "/var/www/html/lib/private/Files/Storage/Local.php",
                    282
                ]
            },
            {
                "file": "/var/www/html/lib/private/Files/Storage/Local.php",
                "line": 282,
                "function": "file_put_contents",
                "args": [
                    "/var/www/html/data/thomass/files/works/keepass/databases/crucial.kdbx",
                    null
                ]
            },
            {
                "file": "/var/www/html/lib/private/Files/Storage/Local.php",
                "line": 573,
                "function": "file_put_contents",
                "class": "OC\\Files\\Storage\\Local",
                "type": "->",
                "args": [
                    "files/works/keepass/databases/crucial.kdbx",
                    null
                ]
            },
            {
                "file": "/var/www/html/lib/private/Files/Storage/Wrapper/Wrapper.php",
                "line": 647,
                "function": "writeStream",
                "class": "OC\\Files\\Storage\\Local",
                "type": "->",
                "args": [
                    "files/works/keepass/databases/crucial.kdbx",
                    null,
                    "*** sensitive parameter replaced ***"
                ]
            },
            {
                "file": "/var/www/html/apps/dav/lib/Connector/Sabre/File.php",
                "line": 218,
                "function": "writeStream",
                "class": "OC\\Files\\Storage\\Wrapper\\Wrapper",
                "type": "->",
                "args": [
                    "files/works/keepass/databases/crucial.kdbx",
                    null
                ]
            },
            {
                "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
                "line": 1137,
                "function": "put",
                "class": "OCA\\DAV\\Connector\\Sabre\\File",
                "type": "->",
                "args": [
                    null
                ]
            },
            {
                "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/CorePlugin.php",
                "line": 492,
                "function": "updateFile",
                "class": "Sabre\\DAV\\Server",
                "type": "->",
                "args": [
                    "*** sensitive parameters replaced ***"
                ]
            },
            {
                "file": "/var/www/html/3rdparty/sabre/event/lib/WildcardEmitterTrait.php",
                "line": 89,
                "function": "httpPut",
                "class": "Sabre\\DAV\\CorePlugin",
                "type": "->",
                "args": [
                    {
                        "__class__": "Sabre\\HTTP\\Request"
                    },
                    {
                        "__class__": "Sabre\\HTTP\\Response"
                    }
                ]
            },
            {
                "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
                "line": 472,
                "function": "emit",
                "class": "Sabre\\DAV\\Server",
                "type": "->",
                "args": [
                    "method:PUT",
                    [
                        {
                            "__class__": "Sabre\\HTTP\\Request"
                        },
                        {
                            "__class__": "Sabre\\HTTP\\Response"
                        }
                    ]
                ]
            },
            {
                "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
                "line": 253,
                "function": "invokeMethod",
                "class": "Sabre\\DAV\\Server",
                "type": "->",
                "args": [
                    {
                        "__class__": "Sabre\\HTTP\\Request"
                    },
                    {
                        "__class__": "Sabre\\HTTP\\Response"
                    }
                ]
            },
            {
                "file": "/var/www/html/3rdparty/sabre/dav/lib/DAV/Server.php",
                "line": 321,
                "function": "start",
                "class": "Sabre\\DAV\\Server",
                "type": "->",
                "args": []
            },
            {
                "file": "/var/www/html/apps/dav/appinfo/v1/webdav.php",
                "line": 83,
                "function": "exec",
                "class": "Sabre\\DAV\\Server",
                "type": "->",
                "args": []
            },
            {
                "file": "/var/www/html/remote.php",
                "line": 166,
                "args": [
                    "/var/www/html/apps/dav/appinfo/v1/webdav.php"
                ],
                "function": "require_once"
            }
        ],
        "File": "/var/www/html/lib/private/Log/ErrorHandler.php",
        "Line": 92,
        "CustomMessage": "--"
    }
}

Thanks in advance for any help or advice.

Hi @thomax,
You are missing the required support template. Please fill this form out and edit into your post so we can better understand your setup.

I found this related permission error post, which might prove helpful while searching the forum for Permission denied at /var/www/html/lib/private/Files/Storage/Local.php.
Check your Nextcloud ownership and permissions as well for other files and folders.
Here are some duckduckgo results for this permission error.

Giving us more technical info and logs will make it easier to help you! Thanks.

Hi @just ,

thank you for your interest in my issue. I updated the description according to your request.

I have also read the issue you mentioned. Like @misacek007 I have also mounted an external storage via SMB to the /var/www/html/data mount point (with a Kubernetes SMB CSI driver). However, my Nextcloud instance is running fine and I have no further permission issues, except for the WebDAV request. I have double-checked all the permissions. I mount the SMB share with the following options:

  - dir_mode=0770
  - file_mode=0770
  - uid=33
  - gid=33

That means that the whole directory structure sticks to that dir/file mode and uid/gid. The uid/gid matches the www-data user/group used inside the container. There is one change I made to the default Helm chart: within the Deployment for nextcloud, the volumes are mounted with the securityContext.fsGroup=82. I changed that to fsGroup=33, matching the uid/gid used in the container.

I am able to modify the relevant file within the Nextcloud GUI. Everything works fine but the WebDAV upload.

After further investigation I figured out that the problem only occurs for this single file and the Keepass2Android scenario. When opening/changing other Keepass databases with the same procedure, everything works as expected.

Thus I started syncing this single file to my local phone with Syncthing, which I am already using for 2-way sync of my photos.

As such no further help or assistance is required. However, if I can provide more information to figure out what the problem really was, please let me know.
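
One way to confirm from nextcloud.log that the denied writes are limited to a single file and client, as described in the post above. This is an added example, not code from the thread or from Nextcloud. The function names, other.kdbx and every sample line except the crucial.kdbx error text are constructed for illustration, and the log is assumed to hold one JSON object per line.

```python
import json
import re
from collections import Counter

# PHP warning text Nextcloud logs when local storage cannot open a file for writing.
DENIED = re.compile(r"^\w+\((/.+?)\): Failed to open stream: Permission denied")

CRUCIAL = "/var/www/html/data/thomass/files/works/keepass/databases/crucial.kdbx"
UA = "okhttp/4.10.0-RC1"
MSG = (f"file_put_contents({CRUCIAL}): Failed to open stream: Permission denied"
       " at /var/www/html/lib/private/Files/Storage/Local.php#282")

def entry(level, url, message, method="PUT", agent=UA):
    """Build one constructed nextcloud.log line (one JSON object per line)."""
    return json.dumps({"level": level, "user": "thomass", "method": method,
                       "url": url, "message": message, "userAgent": agent})

# Constructed sample: only the crucial.kdbx error text is taken from the thread;
# other.kdbx and the remaining lines are made up for the example.
SAMPLE_LOG = "\n".join([
    entry(3, "/remote.php/webdav/works/keepass/databases/crucial.kdbx", MSG),
    entry(1, "/remote.php/webdav/works/keepass/databases/other.kdbx", "PUT ok"),
    "{truncated line",
    entry(3, "/remote.php/webdav/works/keepass/databases/crucial.kdbx", MSG),
    entry(3, "/index.php/apps/files/", "Some unrelated error", "GET", "Mozilla/5.0"),
])

def denied_writes(log_text):
    """Map each denied file path to a Counter of (method, userAgent) pairs."""
    hits = {}
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(rec, dict) or rec.get("level", 0) < 3:
            continue  # only error-level entries
        match = DENIED.match(str(rec.get("message", "")))
        if match:
            client = (rec.get("method"), rec.get("userAgent"))
            hits.setdefault(match.group(1), Counter())[client] += 1
    return hits

if __name__ == "__main__":
    for path, clients in denied_writes(SAMPLE_LOG).items():
        for (method, agent), count in clients.items():
            print(f"{count}x {method} by {agent}: {path}")
```

To run it against a real instance, pass the contents of nextcloud.log to `denied_writes` instead of `SAMPLE_LOG`.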

Sounds like you should search for this issue with the Keepass2Android devs and see what they think. If you find an open issue already exists, or file a new one, please link it here.
