Resetting admin password without email or OCC access

Soeren · June 4, 2020, 10:05pm

Nextcloud version: 18.0.3
Operating system and version: Debian 8 (Jessie)
Apache version: 2.0
PHP version: 7.2.31

Hi there,

I was smart enough to lock myself out of my own Nextcloud installation by changing my password.
It runs on a managed hosting account and I do not have any root privileges.
I was the only admin, but there is a second, non-admin user, that I can still use to get in via the web UI.

Of course, I tried sending an email to myself, but did not provide one within my account.
I also tried resetting it by following these instructions but got the following message:

Sorry, user xxxxxxx is not allowed to execute '/usr/local/bin/php /var/www/nextcloud/occ user:resetpassword admin' as www-data on xxxxx.xxxxxxx.xxxxxxxx.de.

I contacted my hosting provider, but neither are they able to run this command for me, nor are they able to grant me higher permissions.

I then found this article (in German) which basically says, that you could copy the password of a different, existing user to the admin user via phpMyAdmin within the user table oc_users.
I tried that, but for some reason that table does not contain the two users I created months ago and have been using ever since. It only holds one user that I created initially, when installing Nextcloud in the first place.

Does anybody know…

why I am not allowed to run the command stated above (is it actually a matter of permissions),
where the users’ data is stored or why I am not able to see them in the table (I did install the App End-to-end Encryption, though; maybe that’s got something to do with it) or
anything else I could try to get back into my account?

Any help is greatly appreciated!

Thanks in advance!

Soeren

Heracles31 · June 4, 2020, 11:56pm

Oups… That does not look good…

And now it looks even worst…

You can see Nextcloud as an application. Within itself, it has its own structure for right management. There is also the operating system under it that Nextcloud, as an application, is dependent from. That layer being more fundamental than Nextcloud, it is also more powerful and can force Nextcloud in many different ways.

Now, you says that you are 0 in 2.

So the usual password recovery mechanism from within Nextcloud is disabled too. You really did it here…

Normal. To use SUDO requires root privilege which you says you don’t have.

Normal : should they do it, they would become admins in your system, would have interfere with your data and application and more. That would expose them to professional responsibility (what if that command goes wrong ?) and also to a lot of pain by having to support their user beyond what they planned for (after doing that for you, they will have to do it for others, do more, and more, and more and more…)

Also, they can not grant you higher privilege because it would compromise every other client they are supporting.

Are you still in full control of the database ? If you are, this is your only hope…

Here, I do complete backups of my Nextcloud every day (actually, many times per day but only once while turning Nextcloud to maintenance mode, so only that one I guarantee as perfect). Whenever I need, I just restore the complete database and data directory and voilà : a brand new Nextcloud server identical to whatever it was back then. That includes the passwords.

If you are in full control of your database, you can do the same. Because you were using End-to-End encryption, you were not using the server-side encryption. That means it will be easier to restore.

This is where you are happy to have your backups.

devnull · June 5, 2020, 5:23am

No real idea. Can you download the (encrypted) data and dump the database from your provider? Then you can install it locally on a linux system and reset the password with “sudo” and “occ”.

https://docs.nextcloud.com/server/18/admin_manual/maintenance/backup.html

https://docs.nextcloud.com/server/18/admin_manual/maintenance/restore.html

Bernie_O · June 5, 2020, 6:47am

Have you tried to run the comman without sudo?

Also, depending on the settings of your provider, there might be a slight chance that you can run the occ command from within a php-script:

<?php
/*
   move this file to webroot and open it in a browser.
   output will be stored in result.txt to where the script
   redirects after it is run.
*/
  exec("export OC_PASS='PASSWORD'  /usr/local/bin/php -d memory_limit=1024M /var/www/nextcloud/occ -n user:resetpassword --password-from-env USERNAME >> result.txt 2>&1");
  exec("echo \"done\" >> result.txt 2>&1");
  header('Location: result.txt');
?>

If it doesn’t work with exec, give shell_exec a shot.

devnull · June 5, 2020, 7:25am

Oh yes. You have access to the shell?

Then try without sudo:
php /var/www/nextcloud/occ user:resetpassword admin
(set the path to your nextcloud-path)

Soeren · June 5, 2020, 8:02am

@devnull, @Bernie_O, @Heracles31:

You guys are truly nothing but amazing! I did as you said and tried it without sudo and it really worked!
I navigated to my Nextcloud path with cd and then only ran

php occ user:resetpassword admin

and got the prompt to “enter a new password” as described here.

Thank you very much for investing your time into my issue!