Permissions issue attempting to update Nextcloud to 19.0.3 (and updating apps)

Software Version
Nextcloud version (eg, 18.0.2): 19.0.1
Operating system and version (eg, Ubuntu 20.04): CentOS 8
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.37
PHP version (eg, 7.1): 7.4.9

The issue you are facing:
I get an error when I’m trying to update Nextcloud from 19.0.1 to 19.0.2. The updater says:

Check for write permissions
The following places can not be written to:

    /var/www/html/nextcloud/updater/../console.php
    /var/www/html/nextcloud/updater/../version.php
    /var/www/html/nextcloud/updater/../COPYING
    /var/www/html/nextcloud/updater/../AUTHORS
    /var/www/html/nextcloud/updater/../index.php
    /var/www/html/nextcloud/updater/../status.php
    /var/www/html/nextcloud/updater/../robots.txt
    /var/www/html/nextcloud/updater/../occ
    /var/www/html/nextcloud/updater/../remote.php
    /var/www/html/nextcloud/updater/../cron.php
    /var/www/html/nextcloud/updater/../index.html
    /var/www/html/nextcloud/updater/../public.php

This is especially strange because apache, my web server user, has full rwx to all directories, and rw- to all files, recursively, in the /var/www/ directory. Nextcloud lives in /var/www/html/nextcloud/. It would be nice if we could get some official permissions guidance in the Nextcloud documentation - and a nice script would be helpful. Point me in the right direction and I’ll happily write it, if it makes adoption and troubleshooting easier.

Is this the first time you’ve seen this error? (Y/N): Yes

Steps to replicate it:

  1. Left-click my user circle in the top right corner
  2. Left-click “Settings”
  3. Left-click “Overview” in the Apps Information field
  4. Wait for Nextcloud’s security checks to complete (the only one it flags me on is that I have not yet set up HSTS)
  5. Left-click the “Open updater” button
  6. Left-click the “Start update” button

The output of your Nextcloud log in Admin > Logging:

Error	PHP	Module 'pdo_mysql' already loaded at Unknown#0	2020-09-14T12:50:10-0600
Error	PHP	Module 'pdo_mysql' already loaded at Unknown#0	2020-09-14T12:45:10-0600
Error	PHP	Module 'pdo_mysql' already loaded at Unknown#0	2020-09-14T12:40:10-0600
Error	PHP	Module 'pdo_mysql' already loaded at Unknown#0	2020-09-14T12:35:10-0600
Error	PHP	Module 'pdo_mysql' already loaded at Unknown#0	2020-09-14T12:30:11-0600
Error	PHP	Module 'pdo_mysql' already loaded at Unknown#0	2020-09-14T12:25:10-0600

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => '$instanceid',
  'overwrite.cli.url' => 'https://nextcloud.example.com/',
  'htaccess.RewriteBase' => '/',
  'passwordsalt' => '$passwordsalt',
  'secret' => '$secret',
  'trusted_domains' => 
  array (
    0 => 'nextcloud.example.com',
  ),
  'datadirectory' => '/var/www/html/nextcloud/data',
  'dbtype' => 'mysql',
  'version' => '19.0.1.1',
  'dbname' => '$dbname',
  'dbhost' => '$dbhost',
  'dbport' => '',
  'dbtableprefix' => '$dbtableprefix',
  'mysql.utf8mb4' => true,
  'dbuser' => '$dbuser',
  'dbpassword' => '$dbpassword',
  'installed' => true,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'ldapIgnoreNamingRules' => false,
  'ldapProviderFactory' => 'OCA\\User_LDAP\\LDAPProviderFactory',
  'mail_from_address' => 'cloud',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => 'mail.com',
  'mail_smtphost' => 'smtp.mail.com',
  'mail_smtpport' => '587',
  'mail_smtpdebug' => true,
  'maintenance' => false,
  'updater.secret' => '$updater.secret',
);

The output of your Apache/nginx/system log in /var/log/____:

/var/log/httpd/access_log

/var/log/httpd/error_log:
[Mon Sep 14 12:27:01.334796 2020] [access_compat:error] [pid 1073:tid 140543510165248] [client a.b.c.d:efghi] AH01797: client denied by server configuration: /var/www/html/nextcloud/data/.ocdata

Other Notes:

I specifically get this error:

However, when I look at my /var/www/html/nextcloud/updater directory, I only see the following:

$ ls -laFh /var/www/html/nextcloud/updater/
total 656K
drwxr-xr-x.  2 apache apache   43 Jul 15 14:24 ./
drwxr-xr-x. 14 apache apache 4.0K Aug 28 16:36 ../
-rw-r--r--.  1 apache apache  62K Jul 15 14:24 index.php
-rw-r--r--.  1 apache apache 586K Jul 15 14:24 updater.phar

This is turning out sufficiently difficult that I’m suspecting SELinux in some way, just because obnoxious problems like this almost always turn out to be SELinux’s fault somehow.

You could try to update with occ command

sudo -u www-data php occ upgrade

I could, but I’d like it to work via the administrative GUI, but even doing so, I get the following (bear in mind, the www-data user in Ubuntu corresponds to the apache user on CentOS):

$ sudo -u apache php occ upgrade
PHP Warning:  Module 'pdo_mysql' already loaded in Unknown on line 0
Nextcloud is already latest version

Please can you try:
ls -al /var/www/html/nextcloud

Yes I can:

$ ls -al /var/www/html/nextcloud
total 136
drwxr-xr-x. 14 apache apache  4096 Aug 28 16:36 .
drwxr-xr-x.  3 apache apache    40 Aug 28 11:50 ..
drwxr-xr-x. 41 apache apache  4096 Jul 15 14:29 3rdparty
drwxr-xr-x. 60 apache apache  4096 Sep 14 12:48 apps
-rw-r--r--.  1 apache apache 16522 Jul 15 14:22 AUTHORS
drwxr-xr-x.  2 apache apache    82 Aug 11 17:55 config
-rw-r--r--.  1 apache apache  3967 Jul 15 14:22 console.php
-rw-r--r--.  1 apache apache 34520 Jul 15 14:22 COPYING
drwxr-xr-x. 23 apache apache  4096 Jul 15 14:29 core
-rw-r--r--.  1 apache apache  5140 Jul 15 14:22 cron.php
drwxrwx---. 18 apache apache  4096 Aug 28 16:35 data
-rw-r--r--.  1 apache apache  4402 Aug  7 19:52 .htaccess
-rw-r--r--.  1 apache apache   156 Jul 15 14:22 index.html
-rw-r--r--.  1 apache apache  2960 Jul 15 14:22 index.php
drwxr-xr-x.  6 apache apache   125 Jul 15 14:22 lib
-rw-r--r--.  1 apache apache   283 Jul 15 14:22 occ
drwxr-xr-x.  2 apache apache    23 Jul 15 14:22 ocm-provider
drwxr-xr-x.  2 apache apache    55 Jul 15 14:22 ocs
drwxr-xr-x.  2 apache apache    23 Jul 15 14:22 ocs-provider
-rw-r--r--.  1 apache apache  3102 Jul 15 14:22 public.php
-rw-r--r--.  1 apache apache  5332 Jul 15 14:22 remote.php
drwxr-xr-x.  4 apache apache   133 Jul 15 14:22 resources
-rw-r--r--.  1 apache apache    26 Jul 15 14:22 robots.txt
-rw-r--r--.  1 apache apache  2379 Jul 15 14:22 status.php
drwxr-xr-x.  3 apache apache    35 Jul 15 14:22 themes
drwxr-xr-x.  2 apache apache    43 Jul 15 14:24 updater
-rw-r--r--.  1 apache apache   101 Jul 15 14:22 .user.ini
-rw-r--r--.  1 apache apache   362 Jul 15 14:29 version.php

Thank you.
My 2 cents: try to remove .htaccess only for the update duration?
Sorry if it doesn’t work, I’m just trying to help but I must confess I’m not an expert.
Good luck!
Bruno

This was 100% an SELinux issue. I simply tried the following command (as root, if you are not logged in as root prepend a sudo to this and be ready to type your password):

$ setenforce 0

This sets SELinux to “permissive” mode, where it (I think) logs everything it WOULD HAVE blocked had it been in “enforcing” mode, thus helping you tailor your SELinux policies in the event someone breaches your system.

I am lazy and do not know SELinux as well as I would like to, so in lieu of a rule, I am simply going to set SELinux to “permissive” to do Nextcloud updates, and then put it back in “enforcing” mode until I can write an appropriate rule.

I just wanted to inform you that you would need to manually enable updates over the GUI:
SELinux configuration — Nextcloud latest Administration Manual latest documentation
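
An added example, not part of the original thread: a way to confirm the SELinux diagnosis above from the audit log rather than by switching to permissive mode. It summarises AVC denials for one source domain; the sample lines are constructed in audit.log format, and the function names are hypothetical. On a live host the input would come from `ausearch -m avc -ts recent`.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials for the web server domain.
# The sample lines are constructed; they are not taken from the thread.

sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1600109221.334:512): avc:  denied  { write } for  pid=1073 comm="httpd" name="version.php" dev="dm-0" ino=201 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1600109221.335:513): avc:  denied  { write } for  pid=1073 comm="httpd" name="occ" dev="dm-0" ino=202 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
type=AVC msg=audit(1600109221.336:514): avc:  denied  { write } for  pid=1073 comm="httpd" name="nextcloud" dev="dm-0" ino=200 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1600109300.010:520): avc:  denied  { read } for  pid=2210 comm="sshd" name="key" dev="dm-0" ino=900 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
EOF
}

# Print "count permission class target_type" for denials whose source domain is $1.
summarize_avc() {
  awk -v dom="$1" '
    /avc:  *denied/ {
      perm = ""; stype = ""; ttype = ""; tclass = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") perm = $(i + 1)
        # Contexts are user:role:type:level, so the type is the third field.
        if ($i ~ /^scontext=/) { split($i, s, ":"); stype = s[3] }
        if ($i ~ /^tcontext=/) { split($i, t, ":"); ttype = t[3] }
        if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
      }
      if (stype == dom) n[perm " " tclass " " ttype]++
    }
    END { for (k in n) print n[k], k }
  ' | sort
}

# Exit 0 if domain $1 was denied write on httpd_sys_content_t, i.e. the
# ownership and mode bits are fine but the SELinux label is read-only content.
label_blocks_writes() {
  summarize_avc "$1" | grep -q ' write .* httpd_sys_content_t$'
}

sample_avc | summarize_avc httpd_t
```

A result like this points at the file label rather than the `apache` ownership shown in the `ls -al` output; `ls -Z /var/www/html/nextcloud` shows the labels currently applied.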