Some app directories are owned by a different user than the web server one

I recently installed Nextcloud 18.0.0 onto a Raspberry Pi 4. Everything went well, except I am being told by Nextcloud that "Some app directories are owned by a different user than the web server one". Here is the entire posting from Security and Setup Warnings:

Some app directories are owned by a different user than the web server one. This may be the case if apps have been installed manually. Check the permissions of the following app directories:

/var/www/html/nextcloud/apps/accessibility
/var/www/html/nextcloud/apps/activity
/var/www/html/nextcloud/apps/admin_audit
/var/www/html/nextcloud/apps/cloud_federation_api
/var/www/html/nextcloud/apps/comments
/var/www/html/nextcloud/apps/dav
/var/www/html/nextcloud/apps/encryption
/var/www/html/nextcloud/apps/federatedfilesharing
/var/www/html/nextcloud/apps/federation
/var/www/html/nextcloud/apps/files
/var/www/html/nextcloud/apps/files_external
/var/www/html/nextcloud/apps/files_pdfviewer
/var/www/html/nextcloud/apps/files_rightclick
/var/www/html/nextcloud/apps/files_sharing
/var/www/html/nextcloud/apps/files_trashbin
/var/www/html/nextcloud/apps/files_versions
/var/www/html/nextcloud/apps/files_videoplayer
/var/www/html/nextcloud/apps/firstrunwizard
/var/www/html/nextcloud/apps/logreader
/var/www/html/nextcloud/apps/lookup_server_connector
/var/www/html/nextcloud/apps/nextcloud_announcements
/var/www/html/nextcloud/apps/notifications
/var/www/html/nextcloud/apps/oauth2
/var/www/html/nextcloud/apps/password_policy
/var/www/html/nextcloud/apps/photos
/var/www/html/nextcloud/apps/privacy
/var/www/html/nextcloud/apps/provisioning_api
/var/www/html/nextcloud/apps/recommendations
/var/www/html/nextcloud/apps/serverinfo
/var/www/html/nextcloud/apps/settings
/var/www/html/nextcloud/apps/sharebymail
/var/www/html/nextcloud/apps/support
/var/www/html/nextcloud/apps/survey_client
/var/www/html/nextcloud/apps/systemtags
/var/www/html/nextcloud/apps/text
/var/www/html/nextcloud/apps/theming
/var/www/html/nextcloud/apps/twofactor_backupcodes
/var/www/html/nextcloud/apps/updatenotification
/var/www/html/nextcloud/apps/user_ldap
/var/www/html/nextcloud/apps/viewer
/var/www/html/nextcloud/apps/workflowengine

During the install I did execute:

sudo chown www-data:www-data config apps

Any information to help me solve this would be very appreciated.

You can look up the (wrong) user/group by executing:

  • cd /var/www/html/nextcloud/apps
  • ls -l

If you just want to fix it, execute:
chown -R www-data:www-data /var/www/html/nextcloud/apps

If necessary replace www-data by the webserver user on your system (“www-data”, “http”, “apache”, …), although www-data should be the right choice on Raspbian.


Thanks. The majority of the app directories were owned by root. Now the proper user owns them!
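The ownership check from the replies above, as an added example that is not part of the original posts: it lists only the app directories whose owner differs from the expected web server user, so the mismatch can be reviewed before running `chown -R`. The function name `audit_app_owners` is hypothetical, and GNU `stat` (as shipped on Raspbian/Debian) is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (-c format option).
#
# audit_app_owners APPS_DIR EXPECTED_USER
#   Prints "owner:group<TAB>path" for each directory directly under
#   APPS_DIR that is NOT owned by EXPECTED_USER.
#   Exit status: 0 = every directory matches, 1 = at least one mismatch,
#                2 = bad arguments.
# Example call with the path and user named in the thread:
#   audit_app_owners /var/www/html/nextcloud/apps www-data
audit_app_owners() (
    apps_dir=$1
    expected_user=$2
    mismatches=0

    if [ ! -d "$apps_dir" ] || [ -z "$expected_user" ]; then
        echo "usage: audit_app_owners APPS_DIR EXPECTED_USER" >&2
        return 2
    fi

    for dir in "$apps_dir"/*/; do
        # With no subdirectories the glob stays literal; skip it.
        [ -d "$dir" ] || continue
        dir=${dir%/}
        owner=$(stat -c '%U' "$dir")
        if [ "$owner" != "$expected_user" ]; then
            # Show the current owner and group so the cause is visible
            # (for example root:root after a manual install with sudo).
            printf '%s\t%s\n' "$(stat -c '%U:%G' "$dir")" "$dir"
            mismatches=$((mismatches + 1))
        fi
    done

    [ "$mismatches" -eq 0 ]
)
```

The non-zero exit status on a mismatch lets the check run from a script or cron job after manual app installs.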

I’m using Docker to run NC. How do I change the permission through the CLI?
My error:

Some app directories are owned by a different user than the web server one. This may be the case if apps have been installed manually. Check the permissions of the following app directories:
/var/www/html/custom_apps/bruteforcesettings
/var/www/html/custom_apps/occweb
So I tried to change them using: chown 400 bruteforcesettings, but it didn’t remove the error.

Hello, I come to you in particular on this post because I have a similar concern. I am a beginner in the Unix world. I installed Nextcloud under Docker, and Nextcloud tells me this:

  • Some app directories are owned by a different user than the web server one. This may be the case if apps have been installed manually. Check the permissions of the following app directories:
    • /config/www/nextcloud/apps/activity
    • /config/www/nextcloud/apps/admin_audit
    • /config/www/nextcloud/apps/backup

You were talking about the web user, but I don’t know if you are talking about the server admin user or another user, if it is another user or find it. Could you please help me?

This is a bit of an unfortunate warning from Nextcloud.

Those files/directories really don’t need to be owned by the process running the code, it’s enough if they are readable.

AND I’d argue they should not be owned by the process running Nextcloud, since that way, if the Nextcloud or server code is exploited, the exploit can gain permanence.

I see it a little differently. Normally, the installation takes place with the web server/Nextcloud user, mostly user www-data and group www-data. There may be problems at the latest when updating. Other features are actually used for hardening.

Hardening and security guidance