Proper permissions after upgrade/migration?

I have Nextcloud running via apache/postgres in Docker, and recently upgraded from 12 to 21. I’m now migrating from apache to php-fpm/nginx. The volumes are mapped from the host, so once I understood how it was supposed to work, it went pretty well and performance is great.

The problem I ran into was that some of the files apparently didn’t have the correct permissions.

web_1 | 2021/03/11 19:44:31 [crit] 28#28: *40 stat() "/var/www/html/custom_apps/mail/img/mail.svg" failed (13: Permission denied), client: 10.0.30.4, server: , request: "GET /custom_apps/mail/img/mail.svg HTTP/1.0", host: "10.0.30.4"

web_1 | 2021/03/11 20:00:57 [error] 26#26: *187 "/var/www/html/ocs-provider/index.php" is forbidden (13: Permission denied), client: 10.0.30.4, server: , request: "GET /ocs-provider/ HTTP/1.0", host: "10.0.30.4"

This was without declaring a user in my docker-compose file, which I’m now accomplishing by using nginx-unprivileged. Before I bring this into production, I’d really like to know:

What should be the permissions, owner, and group of files in /var/www/html/?

Is there an occ command I can run? A bash script? Or just a recursive chmod/chown like my current kludge?

Thanks.

You can use this script:

It uses occ to find the PATH to NC’s data directory, and chmod to set ownership and r+w permissions.

Sorry for the delay, I’ve finally had a chance to get back to this upgrade task.

I tried the script, and it doesn’t seem to help. I noticed two problems right away:

  1. /var/www/nextcloud doesn’t exist, probably because this is a docker install.
  2. sudo doesn’t exist, also because this is docker

Also, this changes owner and group of the data files, which are all already www-data:www-data. The files that are giving me permission issues are in apps/, core/, etc.

It looks like all of my install’s “app” directories currently have group root. Changing their group to www-data doesn’t resolve the problem. The directories also need to be world-executable, and the files inside them need to be world-readable. This suggests that the problem is probably related to the user being used for each container, so I tried changing the group to 101 for every directory in apps/. (101 is the gid of nginx in my nginx container serving the static files.) This appears to have resolved the permission errors for apps/, and the same change resolves the permission errors for core/.

nginx is the default user for the standard non-root nginx container, and www-data doesn’t already exist. Is it okay to assign the group for all directories (besides the data directory) to 101? Could this break NextCloud? Could it introduce security problems?

I can’t be the only person trying to run NextCloud using nginx and php-fpm docker containers without running the containers as root. Is there an official way I’ve not yet discovered? How is everyone else doing this?

Thanks.

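A way to reproduce the diagnosis in the post (directories the nginx worker cannot traverse, files it cannot read) and to apply a tighter fix than world-readable, as an added example that is not from the thread or from Nextcloud: it grants the nginx gid group read/traverse only, leaving files owned by the PHP-FPM user. The gid 101, the owner www-data and the docroot /var/www/html are assumptions taken from the post; adjust them to your containers.

```shell
#!/usr/bin/env bash
# Added example (not the thread's script). Audit a Nextcloud docroot for paths
# that an unprivileged nginx worker cannot use, then optionally fix them with
# group-only access instead of world-readable bits.
# Assumptions: PHP-FPM runs as the file owner (www-data); the nginx worker's
# primary group is $WEB_GID (101 in the post); it is not the file owner.
set -u

WEB_GID="${WEB_GID:-101}"          # gid of the nginx worker (assumed)
DOCROOT="${DOCROOT:-/var/www/html}" # Nextcloud docroot (assumed)

# List every path under $1 unusable by a non-owner process whose group is $2:
# a directory needs 'x' for that group or for others (the stat() failure in
# the log); a file needs 'r' for that group or for others (the "forbidden"
# error). Files still grouped as root therefore fail unless world bits are set.
audit_docroot() {
  root="$1"; gid="$2"
  find "$root" -type d ! \( -group "$gid" -perm -010 \) ! -perm -001
  find "$root" -type f ! \( -group "$gid" -perm -040 \) ! -perm -004
}

# Number of offending paths, for a quick pass/fail check.
audit_count() { audit_docroot "$1" "$2" | wc -l | tr -d ' '; }

# Least-privilege fix: keep the owner, hand the group to the nginx gid, and
# grant that group read/traverse only (0750 dirs, 0640 files), no world access.
fix_docroot() {
  root="$1"; gid="$2"
  chgrp -R "$gid" "$root"
  find "$root" -type d -exec chmod 0750 {} +
  find "$root" -type f -exec chmod 0640 {} +
}

# Usage: ./nc-perms.sh audit   or   ./nc-perms.sh fix
case "${1:-}" in
  audit) audit_docroot "$DOCROOT" "$WEB_GID" ;;
  fix)   fix_docroot "$DOCROOT" "$WEB_GID" && audit_count "$DOCROOT" "$WEB_GID" ;;
esac
```

Run `audit` inside the php-fpm container (where the files are mounted) before and after `fix`; a count of 0 means every path is reachable by the nginx gid without any world bits.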