Proper permissions after upgrade/migration?

I have Nextcloud running via apache/postgres in Docker, and recently upgraded from 12 to 21. I’m now migrating from apache to php-fpm/nginx. The volumes are mapped from the host, so once I understood how it was supposed to work, it went pretty well and performance is great.

The problem I ran into was that some of the files apparently didn’t have the correct permissions.

web_1 | 2021/03/11 19:44:31 [crit] 28#28: *40 stat() "/var/www/html/custom_apps/mail/img/mail.svg" failed (13: Permission denied), client:, server: , request: "GET /custom_apps/mail/img/mail.svg HTTP/1.0", host: ""

web_1 | 2021/03/11 20:00:57 [error] 26#26: *187 "/var/www/html/ocs-provider/index.php" is forbidden (13: Permission denied), client:, server: , request: "GET /ocs-provider/ HTTP/1.0", host: ""

This was without declaring a user in my docker-compose file, which I’m now accomplishing by using nginx-unprivileged. Before I bring this into production, I’d really like to know:

What should be the permissions, owner, and group of files in /var/www/html/?

Is there an occ command I can run? A bash script? Or just a recursive chmod/chown like my current kludge?


You can use this script:

It uses occ to find the the PATH to NC’s data directory, and chmod to set ownership and r+w permissions.

Sorry for the delay, I’ve finally had a chance to get back to this upgrade task.

I tried the script, and it doesn’t seem to help. I noticed two problems right away:

  1. /var/www/nextcloud doesn’t exist, probably because this is a docker install.
  2. sudo doesn’t exist, also because this is docker

Also, this changes owner and group of the data files, which are all already www-data:www-data. The files that are giving me permission issues are in apps/, core/, etc.

It looks like all of my install’s “app” directories currently have group root. Changing their group to www-data doesn’t resolve the problem. The directories also need to be world-executable, and the files inside them need to be world-readable. This suggests that the problem is probably related to the user being used for each container, so I tried changing the group to 101 for every directory in apps/. (101 is the gid of nginx in my nginx container serving the static files.) This appears to have resolved the permission errors for apps/, and the same change resolves the permission errors for core/.

nginx is the default user for the standard non-root nginx container, and www-data doesn’t already exist. Is it okay to assign the group for all directories (besides the data directory) to 101? Could this break NextCloud? Could it introduce security problems?

I can’t be the only person trying to run NextCloud using nginx and php-fpm docker containers without running the containers as root. Is there an official way I’ve not yet discovered? How is everyone else doing this?


1 Like