Running cron with read_only config

helmo · December 21, 2023, 3:38pm

Hi,

I’d like to keep the config and application code read-only for the webserver as an extra security measure.
We have the config_is_read_only config boolean for that, but still occ and cron complain about not being the config file owner.

Even if they do have write access, which I think atleast cron should be able to do without.

It looks like the code has been copied from occ to cron.php since both print Console has to be ....

$ php cron.php
Console has to be executed with the user that owns the file config/config.php
Current user id: 33
Owner id of config.php: 1003

Is there a cron task that needs to update the config file?

One solution might be to add a condition around the ownership check, e.g.:
if (!$config->getSystemValue('config_is_read_only', false)) {

tflidd · December 22, 2023, 11:53am

In theory no. I think it is more to check for users for some basic problems in their setup later (especially with updates). I suppose if the owner is read-only, the owner itself can easily change that back, so to avoid that the only way is to have a different owner?

Yes, this could be one way. I’m not sure where it is checked, if there is a basic check for all CLI commands, the occ command can change much more and might have problems with some files read-only.

helmo · December 22, 2023, 12:24pm

Thanks, I’ve created a pull request with the suggested change … Respect config_is_read_only config in in cron and console commands by helmo · Pull Request #42449 · nextcloud/server · GitHub