Permissions issues on local external folders

Found a couple of ServerFault questions, in the hopes it helps.


This one’s got a ton of things the OP tried, which might actually be helpful. Make sure you do the full service apache2 stop then start, rather than just a reload when you try these out.

The first answer from this really similar question includes a way to test to make sure you’ve applied it correctly to the Apache server process. That could be handy in finding out if Nextcloud continues to ignore your umask even after it’s applied properly to Apache.

Yeah that’s the thread I was looking at but I don’t have an envars folder in apache etc. Also I’m running nginx anyway.

But I did find /etc/profile/nginx once I actually went to the command line. I couldn’t see profile even with hidden folders set to visible for some reason in nautilus, but once I tried in CLI I found it. I added umask there, and I’ve stopped and started the server and I’m fixing to check and see if it worked.

As for the script for checking if stuff works… uh… I actually don’t know how to run that script? EDIT: Figured out how to do the php script. Save it as a file and then run it using php -f script.php

Anyway I’m having to shift some stuff around because my folders got kind of messy in the process of trying to back stuff up. I don’t think I have the group shared permissions yet the way I want, but I’m going to wait till after this copy and sync process finishes.

I also found out how to remove the file types limitations that I was having trouble with. I edit the file sync-excluded.lst which was under the applications folder for the NextCloud Client, and on Windows was in the Program Files for NextCloud.

I removed a bunch of limitations for temp files and stuff like *_.* type stuff.

Hey @mactrent So I fiddled around with the umask thing, and I may have got it working, or may have not, but I think I’m running into a problem on the opposite end of the equation.

When I create a file on my Windows laptop, it can’t sync it up to the cloud, saying that it doesn’t have permission to create subfolders. I don’t know what that means though. But from what I can tell looking up that specific wording it seems to be an issue with the client, not an issue with the permissions set on the local external folders of my desktop server. If it were just that then the client should be able to at least push the folders up to the web GUI etc.

Hmm, and are you able to create files from the web GUI then? If there is (or was) an actual permissions issue on the server side, the web GUI will usually show a warning “you can’t create files and folders here” or similar. If you fixed the permissions recently, you might need to do an occ files:scan before Nextcloud realizes it’s fixed.

So I recreated all the folders from scratch and I think I figured out that issue though not sure how to fix it.

I can create a folder in Work on my desktop and it will be visible in the web interface and will sync down onto the laptop. But I can’t add any folders to that folder from the web interface, and if I put a folder in it on my laptop, the sync client will refuse to let it through saying I don’t have permission.

If I create a folder on web GUI, it will appear on my desktop folder, but it will have a little lock symbol on it. It’s owner will be www-data.

If I create a folder on my laptop it will sync up to the web GUI via the client, and then appear on my desktop but also be impossible for me to edit and the owner will be www-data.

My Resources folders etc are able to be accessed etc by webdav because I had previously chmod 775 them. But I imagine I would have the same problems that I’m having with the Work folder if I added folders to them through the Web GUI etc.

I can’t chmod things every single time I create a folder, obviously, so this really just brings us back to the original problem of umask etc. All these different variations of behavior are based on the default way that www-data grants permissions on new files it creates. So I need to fix that. I will try again with the instructions you linked and see if now that I have a better understanding of the process, if I can’t perhaps fix this. I just need to be more systematic.

Hey I think I got everything fixed. I’m fixing to do a reboot to double check but I wanted to log some quick notes here for anyone else who might have this or a similar problem in the future.

In order to do this I first added david to the www-data usergroup and added www-data to the david usergroup.
This might be a little bit of a security issue but I really don’t think it’s that major.

Secondly I needed to change the umask for www-data, so that when it created a new file in the folder it would do so with a 775 permission (meaning that user and groups would have full write, read, execute access).

This can be done on my nginx server by doing the thing described here: ubuntu - Nginx/php-fpm umask setting - Stack Overflow

if you use systemd [i.e. Ubuntu 16.04], then edit /lib/systemd/system/php5-fpm.service
And edit chapter “Service”:

[Service]
UMask=0002

In my case I edited php-fpm 7.2 because that’s the version I’m using.

Okay so now www-data will create new folders on the system that can be opened by the groups etc.

But the next thing to do is to make it so that files made by the user are editable to the www-data. The way to do that is to change the umask for david. It’s enough to just add the line umask 002 somewhere in your .bashrc or .profile file. If you want to you can also add it to your root user account in a similar way.

This still isn’t enough though because as mactrent said, nautilus etc are going to have their own default umasks to use when you create folders etc with them. According to this post it is possible like this: gnome3 - How to set `umask` for the entire gnome session? - Unix & Linux Stack Exchange


The problem is that mentioned by Sebasth. I tried many things, but then I found a workaround which consists in overwriting the (per-user) UMask of dbus:

$ systemctl --user edit dbus

In the file that gets opened, just write:

[Service]
UMask=002 # This is the umask i want to use

The file gets saved in .config/systemd/user/dbus.service.d/override.conf and overrides the dbus default umask, which I presume is inherited from systemd --user, since dbus is launched by it. Just logout and login again and gnome applications should use the specified umask. It works for me.

I’m going to restart my machine and see if it works but I think it should.
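As an added example (not part of this thread, and not anyone's posted commands), here is a small POSIX shell script that packages the checks discussed above: it reads the effective umask of a running process from /proc/<pid>/status (the same /proc check used later in the thread), computes the mode a new file or directory gets under a given umask, and creates a temporary directory under a chosen umask to confirm the result. It assumes Linux with /proc mounted and a stat that accepts -c (GNU coreutils or busybox); the setgid check at the end is an extra that goes slightly beyond the thread: a shared directory with the setgid bit makes new files and subdirectories take the directory's group instead of the creating user's primary group, which is the usual complement to a 002 umask when two accounts share a folder.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux (/proc mounted) and a
# stat that accepts -c. Nothing here touches system configuration; every
# directory it creates lives under mktemp and is removed again.

# Effective umask of a running process, as reported by the kernel.
# Usage: proc_umask <pid>   -> e.g. 0022
proc_umask() {
    awk '/^Umask:/ { print $2 }' "/proc/$1/status"
}

# Mode a new directory gets under a given umask: start from 0777 and clear
# the umask bits. The leading 0 makes the shell read the argument as octal.
dir_mode_for_umask() {
    printf '%04o\n' $(( 0777 & ~0$1 ))
}

# Same for a regular file, which starts from 0666 (never executable by default).
file_mode_for_umask() {
    printf '%04o\n' $(( 0666 & ~0$1 ))
}

# Actually create a directory under a given umask (in a subshell, so the
# caller's umask is untouched) and report the resulting mode in octal.
new_dir_mode() {
    tmp=$(mktemp -d) || return 1
    ( umask "$1" && mkdir "$tmp/sub" ) || { rm -rf "$tmp"; return 1; }
    stat -c '%a' "$tmp/sub"
    rm -rf "$tmp"
}

# Group inheritance check: with the setgid bit (2xxx) on a directory, new
# entries inside it take the directory's group rather than the creator's
# primary group, and new subdirectories also inherit the setgid bit itself.
setgid_subdir_mode() {
    tmp=$(mktemp -d) || return 1
    chmod 2775 "$tmp" || { rm -rf "$tmp"; return 1; }
    ( umask 002 && mkdir "$tmp/sub" ) || { rm -rf "$tmp"; return 1; }
    stat -c '%a' "$tmp/sub"
    rm -rf "$tmp"
}

# Stand-alone demonstration.
echo "umask 002 -> dir $(dir_mode_for_umask 002), file $(file_mode_for_umask 002)"
echo "umask 022 -> dir $(dir_mode_for_umask 022), file $(file_mode_for_umask 022)"
echo "mkdir under umask 002 gives mode $(new_dir_mode 002)"
echo "mkdir inside a setgid 2775 directory gives mode $(setgid_subdir_mode)"
if grep -q '^Umask:' "/proc/$$/status" 2>/dev/null; then
    echo "this shell's umask according to /proc: $(proc_umask "$$")"
fi
```

To check a service rather than the current shell, pass its PID to proc_umask (for example the MainPID that systemctl show reports for php-fpm or dbus); if it still prints 0022 after an override has been written, the unit has not actually been restarted with the new setting, which is the situation described further down in this thread.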


Bad news, it does not seem that the changes meant to force nautilus to recognize the umask 0002 are working. I also tried going into /etc/login.defs which has some kind of setting for changing group umask defaults, though the wording of the instructions is a little hard to parse.

I’ve tried changing multiple different files and nothing seems to work.

Is there a way that I can make nextcloud write as the user david instead of www-data?

Okay so I might not be understanding the technology very well but it sounds like to use the bindfs technique I have to use the Fuse filesystem which means I can’t use my current NTFS (for my archive drive) or Ubuntu Logical Volume (for my SSD that the OS runs on) ?

To do that solution I’d basically need to reinstall linux etc right?

Not having the ability to copy in files to the directory with correct permissions would not be ideal, but I’m also so far along in this process I don’t know if I’m really up to restart everything and use a different filesystem that would be unreadable to my Windows partition. Maybe I’m misunderstanding the ideas though.

root@lovelace:~# systemctl --user cat dbus | grep UMask=002
Failed to connect to bus: No such file or directory

I can confirm that each time I’ve tried this stuff etc I’ve completely rebooted to make sure it restarted the stuff correctly.

Further results requested:

root@lovelace:~# eval “$(systemctl --user show -p MainPID dbus)”
Failed to connect to bus: No such file or directory
“”: command not found
root@lovelace:~# grep Umask /proc/$MainPID/status
grep: /proc//status: No such file or directory

and

root@lovelace:~# PID=pgrep -u “$USER” nautilus
-u: command not found
root@lovelace:~# grep Umask /proc/$PID/status
grep: /proc//status: No such file or directory

Okay so would I then basically just turn my Work directory into a bindfs filesystem? Sorry, I’m not clear on what the solution is with that then.

Maybe I’m doing something wrong here. I am only running my terminal as root user so that I don’t have to constantly be putting my very long password word in for sudo. Is that what you are referring to? Should I run those commands again as my normal login? Is that what you are saying?

Here are the new outputs from my normal log in with your corrected text.

david@lovelace:~$ PID=$(pgrep -u “$USER” nautilus)
pgrep: invalid user name: “david”
david@lovelace:~$ grep Umask /proc/$PID/status
grep: /proc//status: No such file or directory
david@lovelace:~$ eval “$(systemctl --user show -p MainPID dbus)”
“MainPID=1949”: command not found
david@lovelace:~$ grep Umask /proc/$MainPID/status
grep: /proc//status: No such file or directory


david@lovelace:~$ systemctl --user cat dbus | grep UMask=002
UMask=002 # This is the umask i want to use
david@lovelace:~$ 


you mean I should use the command:
PID=$(pgrep -u '$USER' nautilus) instead of PID=$(pgrep -u “$USER” nautilus)?

Oh yes! gotcha.

david@lovelace:~$ eval "$(systemctl --user show -p MainPID dbus)"
david@lovelace:~$ PID=$(pgrep -u "$USER" nautilus)
david@lovelace:~$ 

It doesn’t seem to do anything.

Oh wait I also need to run the second commands.

Here’s their output:

david@lovelace:~$ grep Umask /proc/$MainPID/status
Umask:	0022
david@lovelace:~$ eval “$(systemctl --user show -p MainPID dbus)”
“MainPID=1949”: command not found
david@lovelace:~$ 

david@lovelace:~$ grep Umask /proc/$MainPID/status
Umask: 0022
david@lovelace:~$ grep Umask /proc/$PID/status
Umask: 0022

That bindfs thing sounds like the best solution though. let me look at your link more and see how to do it and stuff.

Yeah I realized the curly quotes thing again so I checked back. Both are coming back 0022.

And here’s the output you requested:
david@lovelace:~$ systemctl --user cat dbus | grep UMask=002
UMask=002 # This is the umask i want to use

With bindfs the command I could use would be:

 bindfs --mirror-only=www-data l ~/Work

Correct? And then I put it in fstab so it does that every time it mounts the drives etc at start up.

I’m not quite clear what to do with those commands. But entered them in. When I tried killall strace it told me that there was no process.

Here’s a sampler of when I run the syscall.log. It was the only command that I ran that seemed to give me any meaningful output:

david@lovelace:~$ strace -p 1 -f >"syscall.log" 2>&1 &
[1] 1412
david@lovelace:~$ strace -p 1 -f >"syscall.log" 2>&1 &
[2] 1448
[1]   Exit 1                  strace -p 1 -f > "syscall.log" 2>&1
david@lovelace:~$ strace -p 1 -f >"syscall.log" 2>&1 &
[3] 1450
[2]   Exit 1                  strace -p 1 -f > "syscall.log" 2>&1

As stuff is acting wonky, do you think I should just instead try the bindfs solution etc? Is my bindfs command I linked earlier correct syntax? I read the page and that seems to be what I want to do, though when I ran it, I got an error.

BUT!!! It looks like now the umask is set correctly! When I ran systemd restart that must have restarted it correctly. I rebooted my computer a couple of times but hadn’t in the last couple of hours and maybe in the process I fixed my dbus setting to be more correct.

david@lovelace:~$ PID=$(pgrep -u “$USER” nautilus)
david@lovelace:~$ grep Umask /proc/$PID/status
Umask: 0002

Now, the question I guess I have is… do I need to do the bindfs stuff anyway because it would allow me to move files from other folders etc?

YES! I can confirm that Nautilus is now working! Its umask is 0002 and new folders are accessible to www-data.

david@lovelace:~$ bindfs --force-group=www-data --perms=g+wX ~/Work ~/Work
fusermount: option allow_other only allowed if 'user_allow_other' is set in /etc/fuse.conf

I’m guessing that means I should edit fuse.conf, though I’m not sure where that is.

And just to make sure do you think I should do the bindfs or no? I want to be able to move stuff but I also saw that link said that some people worry about it being slow or something?

Cool I’ll try it now.

Also is this process reversible? And to make it permanent I need to add it to fstab like in the original link, correct?

Also just wanted to add, I tried it and so far stuff seems to be working fine.

Thanks :slight_smile: Everything is synced up and is working great!