Nextcloud version: 11.0.3.2
Operating system and version: Ubuntu 16.04.2
Apache or nginx version: Apache 2.4.18
PHP version: 7.0.15
Is this the first time you’ve seen this error?: Yes
Can you reliably replicate it? (If so, please outline steps): Yes
-
install nextcloud
-
change mysql passwd for oc_ncadmin
$mysql -u root mysql -p$NCPASS -e "update mysql.user set password=PASSWORD('$NCPASS') where User='oc_ncadmin';"
$mysql -u root -p$NCPASS -e "flush privileges;"
-
try to run maintenance:repair
$sudo -u www-data php "/var/www/nextcloud/occ" maintenance:repair
-
get the following error:
An unhandled exception has been thrown:
Doctrine\DBAL\DBALException: Failed to connect to the database: An exception occured in driver: SQLSTATE[HY000] [1045] Access denied for user 'oc_ncadmin'@'localhost' (using password: YES)
-
Check /var/www/nextcloud/config/config.php to see if ‘dbpassword’ is correct for ‘dbuser’ => ‘oc_ncadmin’ (it will not be)
-
replace old salted ‘dbpassword’ with plain text new passwd and run:
$sudo -u www-data php "/var/www/nextcloud/occ" maintenance:repair
-
there will be no error this time
The issue I am facing:
I changed the passwd for the oc_ncadmin user in mysql using the following commands:
$mysql -u root mysql -p$NCPASS -e "update mysql.user set password=PASSWORD('$NCPASS') where User='oc_ncadmin';"
$mysql -u root -p$NCPASS -e "flush privileges;"
Which worked as expected, however now I can not run
$sudo -u www-data php "/var/www/nextcloud/occ" maintenance:repair
Because the passwd for oc_ncadmin is now wrong in /var/www/nextcloud/config/config.php
I can edit the file and replace old salted ‘dbpassword’ with the plain text new passwd but that does not seem very secure.
Is there anyway to have the system generate a new /var/www/nextcloud/config/config.php file like it does when nextcloud is first installed, This way the new passwd for oc_ncadmin is salted and I have more peace of mind?
The output of your Nextcloud log in Admin > Logging: (N/A)
The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):
https://pastebin.com/nVPHSvku
Perhaps I can salt the password myself however I do not now which method should be used or would be compatible. I have tested this a few times already but with no luck.
Are you sure ‘dbpassword’ is salted, when Nextcloud is installed? It wasn’t when I installed Nextcloud…
Intersting, but yes the ‘dbpassword’ is definitely salted after install…perhaps my method of install made the ‘dbpassword’ salted during the auto gen of /var/www/nextcloud/config/config.php… I was using a tweaked version of the install script from this site: https://raw.githubusercontent.com/nextcloud/vm/master/nextcloud_install_production.sh
Or perhaps it is just the version of Nextcloud that was installed. My Nextcloud version is 11.0.3.2, was this also yours?
PS: do you think it is safe to leave the ‘dbpassword’ unsalted and in plain text?
I can’t see that that script is salting the mysql password and I really doubt that Nextcloud is able to use a salted dbpassword in config.php.
I use Nextcloud 11.0.3 - it has been upgraded a couple of times from previous versions though.[quote=“hungrykanamit, post:4, topic:12036”]
PS: do you think it is safe to leave the ‘dbpassword’ unsalted and in plain text?
[/quote]
Yes I do think this is safe.
Are you insinuating that I am lying?
Here is a brand new /var/www/nextcloud/config/config.php which was generated after a fresh install of ubuntu and running the script above.
Also, from what I understand, nextcloud doesn’t use this file but it is actually for the owncloud CLI “occ” when something like this is ran:
$sudo -u www-data php "/var/www/nextcloud/occ" maintenance:repair
Why do you think this is safe to save passwords in plain text on a server connected to the internet?
No.
I did not say that. Generally that is not a good idea and should be avoided.
You were asking whether it is safe to leave the ‘dbpassword’ unsalted and in plain text in config.php and I do think it is OK to store the password to the database as plain text in config.php, as long as it is not the mysql root password and *.php files are not delivered by the server as plain-text-files. Look at all the other php-programs out there (e.g. textpattern, wordpress, piwik, piwigo, etc…) - they all store the password to their database in plain text.
1 Like
Did you ever solve this? I would like to switch to a new database server but don’t know what the password for the database is/was.
How can I have a new password be salted?
OK apparently the dbpassword in config.php has never been salted! Just try it!