Run local instance with less strict / modified permissions

u900x600 · July 20, 2023, 7:08am

Hello Everybody,

I am developing some Javascript that uses Nextcloud as Backend. So in order to develop that, I am running a local nextcloud instance via docker compose. In order to keep control over the stored files and configuration I need to mount certain volumes like that:

# docker-compose.yml
# shortened
version: "3.9"

networks:
  nextcloud: {}
  
services:
  nextcloud:
    image: nextcloud:25.0.3-apache
    ports:
      - 8443:443
      - 8080:80
    volumes: 
    - ./.nextcloud/config/:/var/www/html/config/
    - ./.nextcloud/data/:/var/www/html/data/
    networks:
    - nextcloud
  
  # basically a node container
  cli: {}

To run it I have created that script:

# cli.sh

PWD=$(pwd)

permissions () {
  sudo chown -R 33:33 .nextcloud/*
  sudo chmod -R o+rwx  .nextcloud/*
}

permissions 
NC_ID=$(docker compose up -d)

sleep 2

docker compose exec -u www-data nextcloud /bin/sh -c "php occ app:install guests; php occ app:install webapppassword"

# enter an interactive shell
docker compose exec -u node cli /bin/bash

# clean up on exit
docker compose down
permissions

Basically that is doing well, but there is one thing that really bothers me: That is fixing the permissions. I requires me to enter my admin password and each time I want to commit changes I need to exit the container, such that git gains enough permissions to scan all the files.

Is there any way to run the container such that the permissions of all the mounted data is more »permissive«, such that I can get rid of fixing them each time?

christianlupus · July 20, 2023, 7:20am

I suspect, you are running as a normal user, right?

I would create a custom docker image (can be registered in the docker-compose file) that just changes the uid of www-data (the user inside the container that runs the instance!) to have the same numeric value as your main user outside. You will have to change the permissions eventually once to get everything running but from there on, all files should be owned by you and no sudo is needed anymore.

A few points to consider, though:

Be careful with CSRF and CORS. A am not sure what the final solution should look like. But you might shoot yourself in the foot. Just be sure you know what you are doing before you invest too much time that might be lost.
Accessing the NC data externally is not the best idea. NC has a cache in the DB that will not be updated. It assumes it has exclusive write permission to the files. You can trigger a rescan using occ files:scan -p <user>/files/<path> but this needs to be handled separately and explicitly.

u900x600 · July 20, 2023, 7:47am

Thanks for your reply!

just changes the uid of www-data

You mean tweaking /etc/passwd?

About your thing to consider:

I am using the Webpassword App to deal with CORS, so requests will only be allowed from origins I want to. Additionally guests to create truely readonly accounts. Additionally an app-password is used for the API - so no direct login to the Backend possible. You think this to be secure enough?

christianlupus · July 20, 2023, 7:55am

Yes, inside the container.

I have no idea about the various apps you mentioned. You mean this one? At least the first glance it is decalred as temporary but I am not sure what this is referring to.

I am not so much concerned about security in general but my comment just was aiming at the fact that without these apps CORS might be in your way. If you find a way around that, all right. If not you might have needed to take additional steps.

u900x600 · July 20, 2023, 8:01am

You mean this one?

Exactly! With it, CORS is out of the Way.

Btw. Could CORS Headers be addded from the configuration, or is this app necessary?

christianlupus · July 20, 2023, 8:47am

No, its not possible to disable CORS globally. In fact, it is enforced by your browser. The apps must mark an HTTP endpoint to be CORS-aware.

All you could do (and I do not know if this is what you have in mind) is to create a minimal app yourself and use the web frontend to deploy your application. Then, you would not access from a foreign domain hence no CORS involved.

u900x600 · July 20, 2023, 9:15am

Thanks!

I’m pretty familiar with CORS and I want to access the Nextcloud API from (at least) one other Origin. But as it seams, there is no way around the app, since nextcloud by itself cannot be configured to respond to OPTION Requests with proper headers.

christianlupus · July 20, 2023, 10:04am

BTW this is a feature not a bug . The default is to not have CORS enabled as there are some measurements to be taken into account. Sorry.

kesselb · July 20, 2023, 4:41pm

We are using a different image for developing: GitHub - juliushaertl/nextcloud-docker-dev: Nextcloud development environment using docker-compose

u900x600 · August 1, 2023, 6:38am

Thanks a lot for that one! I’ve been looking into the repo and I find it pretty impressive - not to say a little overwhelming … As far as I have been searching I couldn’t find any dedicated setting for the UID which runs the php process. Do you probably know how this is meant to work with that image?

christianlupus · August 1, 2023, 7:04am

Yes, I know. It is not intended to be used as you describe. Julius uses docker volumes to “hide” the files from the normal file system (the files are located somewhere in /var/lib/docker. The idea is to mount the app files (PHP codes) into the appropriate location in the server. The app files can be read-only as the server will not change these. So, you can use your own uid without changing the permissions while developing as regular user. All data belonging to a NC (dummy) user is stored in a volume and belongs to the web server’s user’s uid.

So, maybe you should be a bit more precise on what you want to achieve:

You want to develop your app without been affected by the UID differences and still have full access to the source code? Go with the out-of-the-box solution of Julius. Thus handles these sort of things if you stick with the default documentation.
You want to access the files stored on the test instance and interact with these in some way (bad practice unless you really know what you are doing)? You need to change the runtime UID of the server to simplify the access. It is sort of unrelated to the first point, so Julius solution will not help here.

Once this is fixed/clear, feel free to ask back. I can try to help you with questions but I refuse to “explain the world”, aka, write a zillion lines without any benefit for anyone.

u900x600 · August 1, 2023, 7:17am

I want to develop a web app (technically static html and js content) - not a nextcloud app - that uses nextcloud as a backend. In order to run this webapp, and especially the tests, I need:

webapppassword and guests installed and enabled on the nextcloud instance
a known guest user with a known App Password
some known files which are shared with that guest user
some tweaks/additions to config/config.php of the nextcloud configuration

I want to keep the number of files in my repo as small as possible, in best case only:

the sqllite database file
the data directory
the config directory

In a nutshell: I need to track files and configuration in order to create predictable tests. Right now, the setup is doing fine - except for the permissions.

u900x600 · August 1, 2023, 7:55am

Finally I have something working what seams to work and is pretty simple to setup. It save from changing the uid and or gid of www-data, which turned out to be a huzzle. Thus I have created a Dockerfile with this content:

# upgrade comes with the next steps
FROM nextcloud:25.0.3-apache

RUN useradd \
  --system \
  --uid 1000 \
  www

and then tweaked docker-compose.yml to look like that:

services:
  nextcloud:
    build:
      dockerfile: …
    environment:
      APACHE_RUN_USER: www
    …

This way one overrides the defaults of /etc/apache/envars.

THANKS for Help and Patience! Without the directions from here I would not have made it.