Why is "files_access_control" app after (nearly) every update part of integrity hints because of "extra files" warning?

Support intro

Sorry to hear you’re facing problems :slightly_frowning_face:

help.nextcloud.com is for home/non-enterprise users. If you’re running a business, paid support can be accessed via portal.nextcloud.com where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:


Or for longer, use three backticks above and below the code snippet:


Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Nextcloud version (eg, 20.0.5): now 27.1.6.x
Operating system and version (eg, Ubuntu 20.04): ubuntu 22.04.3
Apache or nginx version (eg, Apache 2.4.25): NGinx
PHP version (eg, 7.4): 8.2.14

The issue you are facing:
updater.phar and DB updates inkl. upgrade and apps update all went well
After integrity:check-core there are integrity hints mentioned for the “files_access_control” app as part of flow unit to let admins set special rights for file access depending on flow rules.

So it was (once more) nescessary to completely deaktivate and uninstall the app so that the apps folder is deleted as well. After re-check of the integrity:check-core the failures went away → all green

After that back to the Admin → Apps section and re-install of the files_access_control app (every time latest valid version for the actual running nextcloud (27.1.6.x in this case)

Once again control of the integrity and it stays “green” also with re-enabled files_access_control

It is less than uncomfortable to be forced every time using the updater.phar to rebuild the apps files like described.

Is this the first time you’ve seen this error? (Y/N): N

Steps to replicate it:

  1. see above descrition

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

    "instanceid": "***REMOVED SENSITIVE VALUE***",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
    "dns_pinning": true,
    "activity_expire_days": 14,
    "auth.bruteforce.protection.enabled": true,
    "blacklisted_files": [
    "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
    "overwritehost": "MY_DOMAIN",
    "overwriteconaddr": "^192\\.168\\.55\\.90$",
    "overwriteprotocol": "https",
    "forward_for_headers": [
    "datadirectory": "***REMOVED SENSITIVE VALUE***",
    "overwrite.cli.url": "https:\/\/MY_DOMAIN",
    "dbtype": "pgsql",
    "version": "",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "***REMOVED SENSITIVE VALUE***",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "htaccess.RewriteBase": "\/",
    "logtimezone": "Europe\/Berlin",
    "default_phone_region": "DE",
    "logfile": "\/media\/cloud\/data\/nextcloud.log",
    "log_rotate_size": 10485760,
    "cron_log": true,
    "installed": true,
    "filesystem_check_changes": 0,
    "quota_include_external_storage": false,
    "skeletondirectory": "",
    "share_folder": "\/Freigaben",
    "knowledgebaseenabled": false,
    "ldapIgnoreNamingRules": false,
    "ldapProviderFactory": "\\OCA\\User_LDAP\\LDAPProviderFactory",
    "ldapUserCleanupInterval": 20,
    "bulkupload.enabled": false,
    "memcache.local": "\\OC\\Memcache\\APCu",
    "memcache.distributed": "\\OC\\Memcache\\Redis",
    "filelocking.enabled": "true",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "***REMOVED SENSITIVE VALUE***",
        "port": 0
    "mail_smtpmode": "sendmail",
    "mail_smtpsecure": "ssl",
    "mail_from_address": "***REMOVED SENSITIVE VALUE***",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "465",
    "mail_smtptimeout": 10,
    "mail_smtpauth": 0,
    "mail_smtpauthtype": "LOGIN",
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "maintenance": false,
    "integrity.check.disabled": false,
    "updater.release.channel": "stable",
    "enable_previews": true,
    "preview_Movie_path": "\/usr\/bin\/ffmpeg",
    "preview_ffmpeg_path": "\/usr\/bin\/ffmpeg",
    "enabledPreviewProviders": [
    "preview_max_x": 2048,
    "preview_max_y": 2048,
    "preview_max_memory": 4096,
    "preview_max_filesize_image": 256,
    "preview_max_scale_factor": 1,
    "trashbin_retention_obligation": "auto, 2",
    "loglevel": 3,
    "mail_sendmailmode": "smtp",
    "data-fingerprint": "FINGERPRINT",
    "onlyoffice": {
        "verify_peer_off": true,
        "jwt_header": "Authorization",
        "jwt_secret": "***REMOVED SENSITIVE VALUE***"
    "encryption.legacy_format_support": false,
    "encryption.key_storage_migrated": false,
    "defaultapp": "dashboard",
    "theme": "",
    "allow_local_remote_servers": true,
    "files_external_allow_create_new_local": true,
    "simpleSignUpLink.shown": false,
    "memories.exiftool": "\/var\/www\/nextcloud\/apps\/memories\/bin-ext\/exiftool-amd64-glibc",
    "memories.vod.path": "\/var\/www\/nextcloud\/apps\/memories\/bin-ext\/go-vod-amd64",
    "memories.vod.ffmpeg": "\/usr\/bin\/ffmpeg",
    "memories.vod.ffprobe": "\/usr\/bin\/ffprobe",
    "memories.gis_type": 2,
    "session_keepalive": true,
    "memories.vod.disable": false,
    "memories.video_default_quality": "-2"

I’ve been running with separate apps_paths for so long I can’t remember the exact logic used for handling the situation when there’s a single apps folder for both shipped + custom (locally installed) apps.

The way I think most of the pre-built environments do things these days (e.g. the Docker images) is to have a config like this:

        "apps_paths": [
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true

In this way the apps you install on your own end up in the custom_apps folder.

You might try that.

Docs on the parameter here: Apps management — Nextcloud latest Administration Manual latest documentation

1 Like

I’ll give that config a try …

Thanks so far!

It is not clear why an officially maintained app causes such “extra file” output during integrity check. The fact that uninstalling and re-installing the (same) app and having different results in scanning the core folders is not comprehensible, isn’t it?

It’s a Nextcloud app, but it’s not a shipped or default app, which is what the Updater really cares about generally.

One more question concerning this manual page:

When changing / expanding my config with different apps paths for nextcloud (immanent) apps and seperated “additional user wanted apps” apps that are installed will resist in the “apps1” path, right?

So if i will switch apps from apps1 to apps2 (were apps2 = additional user wanted apps) i will have to disable / delete all these apps and re-install them one by one, correct?

Or is just a move from apps1 to apps2 via file manager needed?
Clear, that access rights for apps2 must be set to www-user as well…

ok just copying is enough :slight_smile:

after a reboot my config looks like this concerning “apps_paths”

  'apps_paths' => 
  array (
    0 => 
    array (
      'path' => '/var/www/nextcloud/apps',
      'url' => '/apps',
      'writable' => false,
    1 => 
    array (
      'path' => '/var/www/nextcloud/custom_apps',
      'url' => '/custom_apps',
      'writable' => true,

What is weird is, that the memories app does not work in another path like /custom_apps because i can’t change the field for the path where to look for the EXIF binary?!

I copied the whole /custom_apps/memories back to /apps and it worked again.
Don’t know how to make updates to this app as long as /apps is not writable??

For the notify_push app it was nescessary to adjust the path in /etc/systemd/system/…service file to /custom_apps/… as well. (worked so far)