Stat() "/var/www/html/index.php" failed (13: Permission denied)

I’m getting a permission error after running this docker-compose file:

services:
  db:
    #image: mariadb:latest
    image: tobi312/rpi-mariadb:10.6-alpine
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW #--innodb-file-per-table=1 --skip-innodb-read-only-compressed
    restart: always
    volumes:
      - db-nextcl:/var/lib/mysql
    env_file:
      - db.env

  redis:
    image: redis:alpine
    restart: always

  app:
    #image: nextcloud:fpm-alpine
    build: ./app
    restart: always
    #ports:
    #  - 9000:9000
    volumes:
      - nextcloud:/var/www/html
      - ./app/config:/var/www/html/config:rw
      - ./app/custom_apps:/var/www/html/custom_apps
      - ./app/data:/var/www/html/data
      - ./app/themes:/var/www/html/themes
      - /etc/localtime:/etc/localtime:ro
    environment:
      - MYSQL_HOST=db
      - REDIS_HOST=redis
    env_file:
      - db.env
    depends_on:
      - db
      - redis

  web:
    build: ./web
    restart: always
    volumes:
      - nextcloud:/var/www/html:rw
    environment:
      - VIRTUAL_HOST=<mydomain>
      - LETSENCRYPT_HOST=<mydomain>
      - LETSENCRYPT_EMAIL=<myail>
    depends_on:
      - app
    networks:
      - proxy-tier
      - default

  cron:
    build: ./app
    restart: always
    volumes:
      - nextcloud:/var/www/html
    entrypoint: /cron.sh
    depends_on:
      - db
      - redis

  proxy:
    image: jwilder/nginx-proxy:alpine
    labels:
      - "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy=true"
    container_name: nextcloud-proxy
    networks:
      - proxy-tier
    dns:
    - 192.168.178.15
    ports:
      - 443:443
      - 80:80
    volumes:
      - ./proxy/conf.d:/etc/nginx/conf.d:rw
      - ./proxy/vhost.d:/etc/nginx/vhost.d:rw
      - ./proxy/html:/usr/share/nginx/html:rw
      - ./proxy/certs:/etc/nginx/certs:rw
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: unless-stopped

  letsencrypt-companion:
    image: jrcs/letsencrypt-nginx-proxy-companion
    restart: always
    dns:
      - 192.168.178.15
    volumes:
      - ./proxy/conf.d:/etc/nginx/conf.d:rw
      - ./proxy/vhost.d:/etc/nginx/vhost.d:rw
      - ./proxy/html:/usr/share/nginx/html:rw
      - ./proxy/certs:/etc/nginx/certs:rw
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - proxy-tier
    depends_on:
      - proxy


volumes:
  db-nextcl:
  nextcloud:
  newlive_certs:
  newlive_vhost.d:
  html:

networks:
  proxy-tier:
    driver: bridge

The logs for the running containers seem all to be fine, except the ‘web’ container which throws permission denied. This should be easily fixable, but everything I’ve tried did fail so far.

So first question: Is this error originating in web or app container?

I tried setting permission for www-data user in both container and for the path
/var/www/html

First creating www-data user:
 docker-compose exec --user root web adduser -D -H -u 1000 -s /bin/bash www-data -G www-data
 docker-compose exec --user root app adduser -D -H -u 1000 -s /bin/bash www-data -G www-data

Make owner
 docker-compose exec --user root  web chown -R www-data:www-data /var/www/html
 docker-compose exec --user root  app  chown -R www-data:www-data /var/www/html

Set 0775 permissions:
 docker-compose exec --user root web chmod -R 0775 /var/www
 docker-compose exec --user root app chmod -R 0775 /var/www

And this is the current state:

App-Container:

nuc:/Nextcloud 2.0/new_live # docker-compose exec --user www-data app ls -al /var/www/html
total 112
drwxrwxr-x 1      775 www-data   412 Dec 17 17:07 .
drwxr-xr-x 1 www-data www-data    16 Dec 22  2021 ..
-rwxrwxr-x 1      775 www-data  3296 Dec 26  2021 .htaccess
-rwxrwxr-x 1      775 www-data   101 Dec 26  2021 .user.ini
drwxrwxr-x 1      775 www-data   840 Dec 26  2021 3rdparty
-rwxrwxr-x 1      775 www-data 19327 Dec 26  2021 AUTHORS
-rwxrwxr-x 1      775 www-data 34520 Dec 26  2021 COPYING
drwxrwxr-x 1      775 www-data  1112 Dec 26  2021 apps
drwxrwxr-x 1 www-data www-data   300 Dec 26  2021 config
-rwxrwxr-x 1      775 www-data  3924 Dec 26  2021 console.php
drwxrwxr-x 1      775 www-data   428 Dec 26  2021 core
-rwxrwxr-x 1      775 www-data  5226 Dec 26  2021 cron.php
drwxrwxr-x 1 www-data www-data     0 Dec 26  2021 custom_apps
drwxrwxr-x 1 www-data www-data   136 Dec 26  2021 data
-rwxrwxr-x 1      775 www-data   156 Dec 26  2021 index.html
-rwxrwxr-x 1      775 www-data  3455 Dec 26  2021 index.php
drwxrwxr-x 1      775 www-data   126 Dec 26  2021 lib
-rwxrwxr-x 1      775 www-data   283 Dec 26  2021 occ
drwxrwxr-x 1      775 www-data    18 Dec 26  2021 ocm-provider
drwxrwxr-x 1      775 www-data    50 Dec 26  2021 ocs
drwxrwxr-x 1      775 www-data    18 Dec 26  2021 ocs-provider
-rwxrwxr-x 1      775 www-data  3139 Dec 26  2021 public.php
-rwxrwxr-x 1      775 www-data  5340 Dec 26  2021 remote.php
drwxrwxr-x 1      775 www-data   158 Dec 26  2021 resources
-rwxrwxr-x 1      775 www-data    26 Dec 26  2021 robots.txt
-rwxrwxr-x 1      775 www-data  2452 Dec 26  2021 status.php
drwxrwxr-x 1 www-data www-data    26 Dec 26  2021 themes
-rwxrwxr-x 1      775 www-data   383 Dec 26  2021 version.php

Web-Container:

nuc:/Nextcloud 2.0/new_live # docker-compose exec --user www-data web ls -al /var/www/html
total 112
drwxrwxr-x    1 775      xfs            412 Dec 17 16:07 .
drwxr-xr-x    1 www-data www-data         8 Dec 17 18:48 ..
-rwxrwxr-x    1 775      xfs           3296 Dec 26  2021 .htaccess
-rwxrwxr-x    1 775      xfs            101 Dec 26  2021 .user.ini
drwxrwxr-x    1 775      xfs            840 Dec 26  2021 3rdparty
-rwxrwxr-x    1 775      xfs          19327 Dec 26  2021 AUTHORS
-rwxrwxr-x    1 775      xfs          34520 Dec 26  2021 COPYING
drwxrwxr-x    1 775      xfs           1112 Dec 26  2021 apps
drwxrwxr-x    1 775      www-data         0 Dec 26  2021 config
-rwxrwxr-x    1 775      xfs           3924 Dec 26  2021 console.php
drwxrwxr-x    1 775      xfs            428 Dec 26  2021 core
-rwxrwxr-x    1 775      xfs           5226 Dec 26  2021 cron.php
drwxrwxr-x    1 775      www-data         0 Dec 26  2021 custom_apps
drwxrwxr-x    1 775      www-data         0 Dec 26  2021 data
-rwxrwxr-x    1 775      xfs            156 Dec 26  2021 index.html
-rwxrwxr-x    1 775      xfs           3455 Dec 26  2021 index.php
drwxrwxr-x    1 775      xfs            126 Dec 26  2021 lib
-rwxrwxr-x    1 775      xfs            283 Dec 26  2021 occ
drwxrwxr-x    1 775      xfs             18 Dec 26  2021 ocm-provider
drwxrwxr-x    1 775      xfs             50 Dec 26  2021 ocs
drwxrwxr-x    1 775      xfs             18 Dec 26  2021 ocs-provider
-rwxrwxr-x    1 775      xfs           3139 Dec 26  2021 public.php
-rwxrwxr-x    1 775      xfs           5340 Dec 26  2021 remote.php
drwxrwxr-x    1 775      xfs            158 Dec 26  2021 resources
-rwxrwxr-x    1 775      xfs             26 Dec 26  2021 robots.txt
-rwxrwxr-x    1 775      xfs           2452 Dec 26  2021 status.php
drwxrwxr-x    1 775      www-data         0 Dec 26  2021 themes
-rwxrwxr-x    1 775      xfs            383 Dec 26  2021 version.php

But if I set the permissions from the ‘web’ container side, the result is this:

docker-compose exec --user root  web chown -R www-data:www-data /var/www/html
nuc:/Nextcloud 2.0/new_live # docker-compose exec --user www-data web ls -al /var/www/html
total 112
drwxrwxr-x    1 www-data www-data       412 Dec 17 16:07 .
drwxr-xr-x    1 www-data www-data         8 Dec 17 18:48 ..
-rwxrwxr-x    1 www-data www-data      3296 Dec 26  2021 .htaccess
-rwxrwxr-x    1 www-data www-data       101 Dec 26  2021 .user.ini
drwxrwxr-x    1 www-data www-data       840 Dec 26  2021 3rdparty
-rwxrwxr-x    1 www-data www-data     19327 Dec 26  2021 AUTHORS
-rwxrwxr-x    1 www-data www-data     34520 Dec 26  2021 COPYING
drwxrwxr-x    1 www-data www-data      1112 Dec 26  2021 apps
drwxrwxr-x    1 www-data www-data         0 Dec 26  2021 config
-rwxrwxr-x    1 www-data www-data      3924 Dec 26  2021 console.php
drwxrwxr-x    1 www-data www-data       428 Dec 26  2021 core
-rwxrwxr-x    1 www-data www-data      5226 Dec 26  2021 cron.php
drwxrwxr-x    1 www-data www-data         0 Dec 26  2021 custom_apps
drwxrwxr-x    1 www-data www-data         0 Dec 26  2021 data
-rwxrwxr-x    1 www-data www-data       156 Dec 26  2021 index.html
-rwxrwxr-x    1 www-data www-data      3455 Dec 26  2021 index.php
drwxrwxr-x    1 www-data www-data       126 Dec 26  2021 lib
-rwxrwxr-x    1 www-data www-data       283 Dec 26  2021 occ
drwxrwxr-x    1 www-data www-data        18 Dec 26  2021 ocm-provider
drwxrwxr-x    1 www-data www-data        50 Dec 26  2021 ocs
drwxrwxr-x    1 www-data www-data        18 Dec 26  2021 ocs-provider
-rwxrwxr-x    1 www-data www-data      3139 Dec 26  2021 public.php
-rwxrwxr-x    1 www-data www-data      5340 Dec 26  2021 remote.php
drwxrwxr-x    1 www-data www-data       158 Dec 26  2021 resources
-rwxrwxr-x    1 www-data www-data        26 Dec 26  2021 robots.txt
-rwxrwxr-x    1 www-data www-data      2452 Dec 26  2021 status.php
drwxrwxr-x    1 www-data www-data         0 Dec 26  2021 themes
-rwxrwxr-x    1 www-data www-data       383 Dec 26  2021 version.php
nuc:/Nextcloud 2.0/new_live # docker-compose exec --user www-data app ls -al /var/www/html
total 112
drwxrwxr-x 1     1000       82   412 Dec 17 17:07 .
drwxr-xr-x 1 www-data www-data    16 Dec 22  2021 ..
-rwxrwxr-x 1     1000       82  3296 Dec 26  2021 .htaccess
-rwxrwxr-x 1     1000       82   101 Dec 26  2021 .user.ini
drwxrwxr-x 1     1000       82   840 Dec 26  2021 3rdparty
-rwxrwxr-x 1     1000       82 19327 Dec 26  2021 AUTHORS
-rwxrwxr-x 1     1000       82 34520 Dec 26  2021 COPYING
drwxrwxr-x 1     1000       82  1112 Dec 26  2021 apps
drwxrwxr-x 1 www-data www-data   300 Dec 26  2021 config
-rwxrwxr-x 1     1000       82  3924 Dec 26  2021 console.php
drwxrwxr-x 1     1000       82   428 Dec 26  2021 core
-rwxrwxr-x 1     1000       82  5226 Dec 26  2021 cron.php
drwxrwxr-x 1 www-data www-data     0 Dec 26  2021 custom_apps
drwxrwxr-x 1 www-data www-data   136 Dec 26  2021 data
-rwxrwxr-x 1     1000       82   156 Dec 26  2021 index.html
-rwxrwxr-x 1     1000       82  3455 Dec 26  2021 index.php
drwxrwxr-x 1     1000       82   126 Dec 26  2021 lib
-rwxrwxr-x 1     1000       82   283 Dec 26  2021 occ
drwxrwxr-x 1     1000       82    18 Dec 26  2021 ocm-provider
drwxrwxr-x 1     1000       82    50 Dec 26  2021 ocs
drwxrwxr-x 1     1000       82    18 Dec 26  2021 ocs-provider
-rwxrwxr-x 1     1000       82  3139 Dec 26  2021 public.php
-rwxrwxr-x 1     1000       82  5340 Dec 26  2021 remote.php
drwxrwxr-x 1     1000       82   158 Dec 26  2021 resources
-rwxrwxr-x 1     1000       82    26 Dec 26  2021 robots.txt
-rwxrwxr-x 1     1000       82  2452 Dec 26  2021 status.php
drwxrwxr-x 1 www-data www-data    26 Dec 26  2021 themes
-rwxrwxr-x 1     1000       82   383 Dec 26  2021 version.php

Both approaches still do not work.

All images in use are up to date.

Is there anything i am doing wrong here?

Cheers!

So, this stat() error originates from the proxy, but it is not thrown in the proxy log… so I try to fix it in the web container. Is this correct? Or could the error actually be within the nginx config?


# <mydomain>
upstream <mydomain> {
        # Cannot connect to network 'new_live_default' of this container
        ## Can be connected with "new_live_proxy-tier" network
        # new_live_web_1
        server 172.26.0.4:80;
}
server {
        server_name <mydomain>;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        # Do not HTTPS redirect Let'sEncrypt ACME challenge
        location ^~ /.well-known/acme-challenge/ {
                auth_basic off;
                auth_request off;
                allow all;
                root /usr/share/nginx/html;
                try_files $uri =404;
                break;
        }
        location / {
                return 301 https://$host$request_uri;
        }
}
server {
        server_name <mydomain>;
        listen 443 ssl http2 ;
        access_log /var/log/nginx/access.log vhost;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/<mydomain>.crt;
        ssl_certificate_key /etc/nginx/certs/<mydomain>.key;
        ssl_dhparam /etc/nginx/certs/<mydomain>.dhparam.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/certs/<mydomain>.chain.pem;
        add_header Strict-Transport-Security "max-age=31536000" always;
        include /etc/nginx/vhost.d/default;
        location / {
                proxy_pass http://<mydomain>;
        }
}

Another thought of mine was about the trusted hosts within the Nextcloud configuration. I tried to set the IP of the web container (see nginx config) in the ‘trusted proxies’ configuration:

docker-compose exec --user www-data app php occ config:system:set trusted_proxies --value='172.26.0.5'

Restarting the app container also did not work.

Can someone help me with this cmd?

docker-compose exec --user www-data web find /var/www/html -type d -print0 | xargs -0 chmod 0755

As a result, I get a full list of all files in this directory, saying it does not exist.

It is a huge list, so I just post a few lines; the same error is in each line:
chmod: cannot access '/var/www/html/core/doc/admin/_sources/configuration_files': No such file or directory
chmod: cannot access '/var/www/html/core/doc/admin/_sources/configuration_files/external_storage': No such file or directory
chmod: cannot access '/var/www/html/core/doc/admin/_sources/configuration_mimetypes': No such file or directory
chmod: cannot access '/var/www/html/core/doc/admin/_sources/configuration_server': No such file or directory
chmod: cannot access '/var/www/html/core/doc/admin/_sources/configuration_user': No such file or directory
chmod: cannot access '/var/www/html/core/doc/admin/_sources/file_workflows': No such file or directory
chmod: cannot access '/var/www/html/core/doc/admin/_sources/gdpr': No such file or directory
chmod: cannot access '/var/www/html/core/doc/admin/_sources/groupware': No such file or directory
chmod: cannot access '/var/www/html/core/doc/admin/_sources/installation': No such file or directory
chmod: cannot access '/var/www/html/core/doc/admin/_sources/issues': No such file or directory
chmod: cannot access '/var/www/html/core/doc/admin/_sources/maintenance': No such file or directory

So could one consider the command as proof that it is not working yet? So even though the www-data user is owner of the directory, it cannot see the files, right?
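The "No such file or directory" errors above come from where the two halves of the pipeline run: `docker-compose exec … find` runs inside the container, but the `|` is interpreted by the host shell, so `xargs -0 chmod` runs on the host, where those container paths do not exist. The script below is an added example, not code from this thread: it applies the 750-on-directories / 640-on-files layout recommended later in the thread with both halves of each pipeline in the same shell, on a tree it constructs in a temporary directory so it runs offline; the container command in the trailing comment assumes the compose service name `web` from the file at the top of the thread.

```shell
#!/bin/sh
# Added example (not from this thread): apply 0750 to directories and 0640 to
# files below a web root with a pipeline that runs entirely in one shell.

# set_webroot_perms ROOT: NUL-separated so paths with spaces survive. Both halves
# of each pipeline run in the same place, which is the whole point.
set_webroot_perms() {
  root=$1
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
  find "$root" -type d -print0 | xargs -0 chmod 0750
  find "$root" -type f -print0 | xargs -0 chmod 0640
}

# mode_of PATH: the symbolic mode string ("drwxr-x---") as ls prints it.
mode_of() { ls -ld "$1" | cut -c1-10; }

# demo_webroot_perms: build a constructed tree in a temp dir, fix it, print the
# resulting modes; returns 0 when a directory and a file ended up as intended.
demo_webroot_perms() {
  t=$(mktemp -d) || return 1
  mkdir -p "$t/apps/files with space"
  : > "$t/index.php"; : > "$t/apps/files with space/app.php"
  chmod 0777 "$t/apps" "$t/index.php"            # start from over-permissive modes
  set_webroot_perms "$t" || return 1
  d=$(mode_of "$t/apps/files with space")
  f=$(mode_of "$t/apps/files with space/app.php")
  echo "dir: $d  file: $f"                        # dir: drwxr-x---  file: -rw-r-----
  rm -rf "$t"
  [ "$d" = "drwxr-x---" ] && [ "$f" = "-rw-r-----" ]
}

demo_webroot_perms

# Inside a container the whole pipeline must be handed to the container's own
# shell; otherwise only "find" runs there and "xargs chmod" runs on the host.
# chmod works as the owning user; only a chown would need --user root.
#   docker-compose exec --user www-data web sh -c \
#     'find /var/www/html -type d -print0 | xargs -0 chmod 0750;
#      find /var/www/html -type f -print0 | xargs -0 chmod 0640'
```

Wrapping the pipeline in `sh -c '…'` is also what keeps a slip in such a command from touching the host: with the original form, any host path that happened to match a container path would have been chmod'ed on the host.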

The web root, data directory, and everything in them should be owned by www-data:www-data and permission 750 on folders and 640 on files.

Thanks KarlF12.

I have corrected the permission to 0750 and 0640.

docker-compose exec --user www-data web ls -al /var


total 4
drwxr-x---    1 www-data www-data        92 Dec 18 19:10 .
drwxr-xr-x    1 www-data www-data       212 Dec 18 19:10 ..
drwxr-x---    1 www-data www-data        24 May 25  2021 cache
drwxr-x---    1 www-data www-data         0 Apr 14  2021 empty
drwxr-x---    1 www-data www-data        26 Apr 14  2021 lib
drwxr-x---    1 www-data www-data         0 Apr 14  2021 local
drwxr-x---    1 www-data www-data        12 Apr 14  2021 lock
drwxr-x---    1 www-data www-data        10 May 25  2021 log
drwxr-x---    1 www-data www-data         0 Apr 14  2021 mail
drwxr-x---    1 www-data www-data         0 Apr 14  2021 opt
lrwxrwxrwx    1 www-data www-data         4 Apr 14  2021 run -> /run
drwxr-x---    1 www-data www-data        16 Apr 14  2021 spool
drwxr-x---    1 www-data www-data         0 Apr 14  2021 tmp
drwxr-x---    1 www-data www-data         8 Dec 18 19:10 www

So everything except sys is mapped to the www-data user.

docker-compose exec --user www-data web ls -al /

total 4
drwxr-xr-x    1 www-data www-data       212 Dec 18 19:10 .
drwxr-xr-x    1 www-data www-data       212 Dec 18 19:10 ..
-rwxr-xr-x    1 www-data www-data         0 Dec 18 19:10 .dockerenv
drwxr-xr-x    1 www-data www-data       838 Apr 14  2021 bin
drwxr-xr-x    5 www-data www-data       340 Dec 18 19:10 dev
drwxr-xr-x    1 www-data www-data       170 May 25  2021 docker-entrypoint.d
-rwxrwxr-x    1 www-data www-data      1202 May 25  2021 docker-entrypoint.sh
drwxr-xr-x    1 www-data www-data       644 Dec 18 19:10 etc
drwxr-xr-x    1 www-data www-data         0 Apr 14  2021 home
drwxr-xr-x    1 www-data www-data       290 Apr 14  2021 lib
drwxr-xr-x    1 www-data www-data        28 Apr 14  2021 media
drwxr-xr-x    1 www-data www-data         0 Apr 14  2021 mnt
drwxr-xr-x    1 www-data www-data         0 Apr 14  2021 opt
dr-xr-xr-x  325 www-data www-data         0 Dec 18 19:10 proc
drwx------    1 www-data www-data         0 Apr 14  2021 root
drwxr-xr-x    1 www-data www-data        18 Dec 18 19:10 run
drwxr-xr-x    1 www-data www-data       800 Apr 14  2021 sbin
drwxr-xr-x    1 www-data www-data         0 Apr 14  2021 srv
dr-xr-xr-x   13 root     root             0 Dec 18 19:10 sys
drwxrwxrwt    1 www-data www-data         0 May 25  2021 tmp
drwxr-xr-x    1 www-data www-data        40 Apr 14  2021 usr
drwxr-x---    1 www-data www-data        92 Dec 18 19:10 var

But the error remains the same within the log:

2022/12/19 11:03:47 [crit] 37#37: *137 stat() "/var/www/html/index.php" failed (13: Permission denied), client: <myip> server: , request: "GET / HTTP/1.1", host: "<mydomain>"

Here are the permissions on index.php:

docker-compose exec --user www-data web ls -al /var/www/html/index.php
-rwxr-x---    1 www-data www-data      3455 Dec 18 19:10 /var/www/html/index.php

Is there something else I could check?
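The listing above shows index.php as `-rwxr-x--- www-data www-data` and `/var` as `drwxr-x---`, yet nginx still reports `stat() … failed (13: Permission denied)`. The kernel checks only numeric UIDs/GIDs and mode bits: `stat()` on a file needs search (`x`) permission on every ancestor directory and nothing on the file itself, and the process doing the `stat()` is the nginx worker, which in the stock nginx:alpine configuration runs as the `nginx` user (uid 101), not as www-data, unless the copied nginx.conf says `user www-data;`. The script below is an added example, not code from this thread; it models that check with a constructed directory table and constructed `/etc/passwd` and `/etc/group` contents (uid 1000 and gid 82 are assumed values for a www-data user created with `adduser -u 1000 … -G www-data` on Alpine, where the www-data group is gid 82), so it runs offline and reports where each user is stopped.

```shell
#!/bin/sh
# Added example (not from this thread): emulate the kernel's permission check for
# stat()/read() on a path using numeric ids only, the way the kernel does.

# Constructed directory table modelled on the listings above: path mode uid gid.
FS_TABLE='
/ drwxr-xr-x 0 0
/var drwxr-x--- 1000 82
/var/www drwxr-x--- 1000 82
/var/www/html drwxr-x--- 1000 82
/var/www/html/index.php -rwxr-x--- 1000 82
'

# Constructed /etc/passwd and /etc/group of the web container (nginx:alpine style).
# The stock nginx.conf of that image starts workers as user "nginx" (uid/gid 101).
WEB_PASSWD='root:x:0:0:root:/root:/bin/sh
nginx:x:101:101:nginx:/var/cache/nginx:/sbin/nologin
www-data:x:1000:82:Linux User,,,:/home/www-data:/bin/bash'
WEB_GROUP='root:x:0:
xfs:x:33:
www-data:x:82:
nginx:x:101:'

# Name resolution is per container: the same numeric id shows as a different
# name (or as a bare number, like "775" and "82" above) in another container.
uid_of()     { printf '%s\n' "$WEB_PASSWD" | awk -F: -v n="$1" '$1==n{print $3}'; }
gid_of()     { printf '%s\n' "$WEB_PASSWD" | awk -F: -v n="$1" '$1==n{print $4}'; }
group_name() { printf '%s\n' "$WEB_GROUP"  | awk -F: -v g="$1" '$3==g{print $1}'; }

# entry_field PATH N: field N of the table row for PATH (2=mode, 3=uid, 4=gid).
entry_field() { printf '%s\n' "$FS_TABLE" | awk -v p="$1" -v f="$2" '$1==p{print $f}'; }

# mode_allows MODE FILE_UID FILE_GID PROC_UID PROC_GID WANT(r|w|x): exit 0 if allowed.
# Exactly one triad applies: owner if uids match, else group if gids match, else other.
mode_allows() {
  [ "$4" -eq 0 ] && return 0                       # root: DAC override (simplified)
  if   [ "$4" -eq "$2" ]; then triad=$(printf '%s' "$1" | cut -c2-4)
  elif [ "$5" -eq "$3" ]; then triad=$(printf '%s' "$1" | cut -c5-7)
  else                         triad=$(printf '%s' "$1" | cut -c8-10)
  fi
  case "$triad" in *"$6"*) return 0 ;; *) return 1 ;; esac
}

# can_stat PATH PROC_UID PROC_GID: stat() needs search (x) on every ancestor
# directory and nothing on the file itself. Prints the first directory that blocks.
can_stat() {
  dir=$(dirname "$1")
  while :; do
    mode_allows "$(entry_field "$dir" 2)" "$(entry_field "$dir" 3)" \
                "$(entry_field "$dir" 4)" "$2" "$3" x ||
      { echo "denied: uid=$2 gid=$3 has no search (x) permission on $dir"; return 1; }
    [ "$dir" = "/" ] && break
    dir=$(dirname "$dir")
  done
  echo "ok: uid=$2 gid=$3 can stat() $1"
}

# can_read PATH PROC_UID PROC_GID: what php-fpm needs on top of stat(): read on the file.
can_read() {
  can_stat "$1" "$2" "$3" >/dev/null || return 1
  mode_allows "$(entry_field "$1" 2)" "$(entry_field "$1" 3)" \
              "$(entry_field "$1" 4)" "$2" "$3" r
}

# diagnose USERNAME PATH: resolve the name in the web container and report.
diagnose() {
  u=$(uid_of "$1"); g=$(gid_of "$1")
  echo "$1 -> uid=$u gid=$g (group $(group_name "$g"))"
  if can_stat "$2" "$u" "$g"; then
    if can_read "$2" "$u" "$g"; then echo "  and may read it"; else echo "  but may not read it"; fi
  fi
}

diagnose nginx    /var/www/html/index.php   # stopped at /var: drwxr-x---, "other" has no x
diagnose www-data /var/www/html/index.php   # owner: stat() and read both succeed
```

To run the same check against a real container, take `id -u` and `id -g` of the worker user from the web container (`ps` shows which user the workers run as) and `stat -c '%A %u %g'` of each ancestor of the web root. If the worker is stopped at `/var` or `/var/www`, what is missing is search permission on those ancestors for the worker's user (or a worker running as the owning user), and a further `chmod -R` on the tree below will not change that.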

Yeah… chown and chmod recursively on your whole system was probably not a good move… I think after doing that, you’ll probably have to start over.

Nextcloud’s web root needs these permissions, not the system root.

Did you make this change on your host system or in the container?

I always changed the permissions within the container.

Initially I used a volume nextcloud (see docker-compose at the start). But then I got some read-only file system errors, so I thought taking the data into a local folder within the docker-compose stack was a good idea to double-check permissions:

./nextcloud:/var/www/html

Within that newly created folder I also tried setting the access rights recursively, but I never touched any other files except that ./nextcloud folder or the nextcloud volume.

Here is my Dockerfile to build the web container…

I tried those configs:
1

FROM nginx:alpine

COPY nginx.conf /etc/nginx/nginx.conf

2

FROM nginx:alpine

RUN adduser -D -H -u 1000 -s /bin/bash www-data -G www-data

COPY nginx.conf /etc/nginx/nginx.conf

3

FROM nginx:alpine

RUN adduser -D -H -u 1000 -s /bin/bash www-data -G www-data

RUN chown -R www-data:www-data /var

RUN chmod -R 0750 /var

COPY nginx.conf /etc/nginx/nginx.conf

If I run something like this, I get an error stating that the /var/www/html folder does not yet exist.
4

FROM nginx:alpine

RUN adduser -D -H -u 1000 -s /bin/bash www-data -G www-data

RUN chown -R www-data:www-data /var/www/html

RUN chmod -R 0750 /var/www/html

COPY nginx.conf /etc/nginx/nginx.conf

And of course, after each new docker-compose up -d --build web I set the permissions again.

So in case I may have targeted the wrong files by accident, a rebuild should always reset the changes. And I tried it really often.

Ok, I started over and moved the docker-compose file into /home/www-data directory, which seems to work to pass the permission denied error.

Thank you for helping KarlF12!

But now I got another issue accessing the Nextcloud webpage:

connect() failed (111: Connection refused) while connecting to upstream,

which led me to check the trusted-proxies settings…

docker-compose exec --user root app php occ config:system:get trusted_proxies

but on the above line I get the exception below.

An exception occurred in the driver: SQLSTATE[HY000] [1045] Access denied for user 'nextcloud'@'172.26.0.4' (using password: YES) in /var/www/html/lib/private/DB/Connection.php:87

Which is again very strange. Yesterday, I was able to adjust the trusted_proxies config with the same db.env configuration file and the exact same command, and it worked.

So I guess I reset the password, but I am not sure how… the only thing I could have done is deleting and recreating the folder var/www/html while moving into the home/www-data folder…

Not sure. That was a SQL login error.

So you have the docker-compose.yml inside the container now? Nothing should need write access to that file.

It was just a password error. I was able to correct it via the mysql CLI.