Www-data: command not allowed when opening NCP-webui

For some time now, I do see error messages on my system when opening the NCP-WebUi

www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ maintenance:mode
www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status

What is it in the sudoers file, which I have not touched for this to be added. I added other information but this is the original adoption from NCP during its installation process I must assume.

www-data ALL = NOPASSWD: /home/www/ncp-launcher.sh , /home/www/ncp-backup-launcher.sh, /sbin/halt, /sbin/reboot
  • NextCloudPi version | v1.43.7
  • Nextcloud version | 21.0.4.1

I do not know if there should have been something added to the sudoers file or if I missed something during the many years of running NextcloudPi on my x86 server using Debian 10, upgrade from Debian 9 years ago.

The NCP Issue gets reopened as soon as it is reproducible

please clarify, what does that mean exactly.

looks alright to me, mine has the same line in it.

I’d try running nc-fix-permissions using ncp-config in terminal
Anything not working in ncp-web, try same in ncp-config.
Check content of /var/log/ncp.log and/or run ncp-report from terminal.
Sometimes a reboot is worth a try.

Seems to me that for www-data the command /usr/bin/php is not allowed

Please test this from root:

sudo -u www-data /usr/bin/php -v

I think it is not a sudo-problem.

ww-data ALL = NOPASSWD: /home/www/ncp-launcher.sh , /home/www/ncp-backup-launcher.sh, /sbin/halt, /sbin/reboot

This belongs not to your problem.
It is only the sudo from www-data to root and not for nextcloud configuration with e.g. php.

Updated the text, but actually I have not touched that specific line. So parsing that line using NCP should not be a problem. It was introduced by NCP (I must assume) and therefore there I assume that something got missed by an upgrade or the NCP installation.

I thought nc-fix-permissions checks the permissions of files in the data directory, so I am not sure if this fixes the problem, but I gave it a try anyways but it did not change anything.

The problem only appears on the status page of the web-ui. There you get the system info of your system and it seems to use OCC in the background to get some data. But correct me if I am wrong.

The ncp.log does not show anything specific to an error but journalctl does

@devnull
I also assume that sudo is not the issue, but what NCP has preconfigured and uses in combination with sudo.
The entry for OCC comes from my NCP installation, I have not added them there. So I must assume that NCP has forgotten something to add to the sudoers file during upgrade.

I also do not want to give php overall sudoers permission. If php goes crazy it could just do whatever it wants on my system. So I assume I would need to add something more specific, or NCP fixes this in their code if this problem also exists on other installations.

So please have a look at your systemlogs using for example ‘journalctl’ and open the webui to see if the error appears. The webui itself does not give you any information on this.

I think you do not understand the sudo system.
The sudo entry allows www-data some commands executing as root.
www-data can (without sudo) execute all php commands.
www-data is your webserver user and only the webserver uses php :wink:

Sorry, for whatever reason I miss reading sentences today or just forget to write them. Sorry, I should just step back a little.
Sorry, I read the post and thought you want me to add php to the sudoers list, which is not written in your post.

This is the output of your command

sudo -u www-data /usr/bin/php -v
PHP 7.3.31-1~deb10u1 (cli) (built: Oct 24 2021 15:18:08) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.31, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.31-1~deb10u1, Copyright (c) 1999-2018, by Zend Technologies

thanks

Ok. Is this an error from sudo/sudoers?

Perhaps you execute with user www-data:

sudo /usr/bin/php /var/www/nextcloud/occ maintenance:mode
That is wrong.
In all commands from www-data there must not be a sudo included.
Correct is e.g.
/usr/bin/php /var/www/nextcloud/occ maintenance:mode

sudo is only used if:

a.) root wants to execute www-data stuff:
sudo -u www-data ...
sudo -u www-data /usr/bin/php /var/www/nextcloud/occ maintenance:mode
b.) www-data wants to execute e.g. root stuff:
sudo /sbin/reboot

a little bit offtopic:

/home/www/ncp-launcher.sh , /home/www/ncp-backup-launcher.sh

sudo must be included there because www-data cannot make e.g. the backup

Ok, all I do is open the NCP-Webui, and with journalctl -xf I do get this …

Nov 18 13:58:01 cloud sudo[9146]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:01 cloud sudo[9269]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:01 cloud sudo[9342]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:01 cloud sudo[9392]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:01 cloud sudo[9414]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:02 cloud sudo[9436]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:02 cloud sudo[9456]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:02 cloud sudo[9476]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:02 cloud sudo[9498]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:02 cloud sudo[9520]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:02 cloud sudo[9546]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:02 cloud sudo[9572]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:02 cloud sudo[9592]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:02 cloud sudo[9622]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:02 cloud sudo[9652]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:02 cloud sudo[9682]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:02 cloud sudo[9704]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:02 cloud sudo[9724]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:02 cloud sudo[9745]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:02 cloud sudo[9768]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:02 cloud sudo[9789]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:02 cloud sudo[9811]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:02 cloud sudo[9833]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:02 cloud sudo[9855]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:02 cloud sudo[9875]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:02 cloud sudo[9921]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:02 cloud sudo[9950]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:03 cloud sudo[9987]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:03 cloud sudo[10014]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:03 cloud sudo[10053]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:03 cloud sudo[10077]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:03 cloud sudo[10185]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:03 cloud sudo[10288]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:03 cloud sudo[10309]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:03 cloud sudo[10323]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:03 cloud sudo[10342]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:03 cloud sudo[10362]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:03 cloud sudo[10393]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:03 cloud sudo[10415]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:03 cloud sudo[10437]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:03 cloud sudo[10459]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:03 cloud sudo[10481]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:03 cloud sudo[10503]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:03 cloud sudo[10524]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:03 cloud sudo[10555]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:03 cloud sudo[10588]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:04 cloud sudo[10610]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:04 cloud sudo[10639]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:04 cloud sudo[10659]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:04 cloud sudo[10685]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:04 cloud sudo[10717]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:04 cloud sudo[10739]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:04 cloud sudo[10759]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:04 cloud sudo[10779]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:04 cloud sudo[10794]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ maintenance:mode
Nov 18 13:58:04 cloud sudo[10807]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:04 cloud sudo[10827]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:04 cloud sudo[10847]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:04 cloud sudo[10861]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:04 cloud sudo[10880]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:04 cloud sudo[10902]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:04 cloud sudo[10924]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:04 cloud sudo[10946]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:04 cloud sudo[10966]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:04 cloud sudo[10980]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:04 cloud sudo[10997]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:04 cloud sudo[11017]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status

Every time I reload the webui of NCP I get the same errors with the same amount.
I have no clue who, why and what this is caused by :wink: but it is coming from the NCP Webui, because if I do not open it, the errors are not popping up.

And this is the reason why I am here :wink: because I do not know why and what exactly this is :smiley: but it gets triggered using the NCP Webui

You must not use (with user www-data)

sudo /usr/bin/php /var/www/nextcloud/occ status

You must use (with user www-data)

/usr/bin/php /var/www/nextcloud/occ status

or with user root:

sudo -u www-data /usr/bin/php /var/www/nextcloud/occ status

Thought I’d chip in with a little context too :slight_smile:

From sudoers manpage
( man sudoers )

DESCRIPTION
The sudoers policy plugin determines a user's sudo privileges.  
It is the default sudo policy plugin.  
The policy is driven by the /etc/sudoers file or, optionally in LDAP.  
The policy format is described in detail in the SUDOERS FILE FORMAT section.  
For information on storing sudoers policy information in LDAP, please see sudoers.ldap(5).
If sudo is run by root and the SUDO_USER environment variable is set, 
the sudoers policy will use this value to determine who the actual user is.  

This can be used by a user to log commands through sudo even when a root shell has been invoked.  
It also allows the -e option to remain useful even when invoked via a sudo-run script or program. 

Note, however, that the sudoers file lookup is still done for root, 
not the user specified by SUDO_USER.

The line

www-data ALL = NOPASSWD: /home/www/ncp-launcher.sh , /home/www/ncp-backup-launcher.sh, /sbin/halt, /sbin/reboot

Is indeed there by default and put there by NCP during the installation, and this needs to remain there so the www-data user (which is the Webserver User for Apache2) is allowed to run shell scripts and/or other specified system processes as root without a password, or to allow a certain bin process to be run without password with that specified user (in this case www-data).

You can see the processes which it allows in the line itself :

ncp-launcher.sh - shell script
ncp-backup-launcher.sh - shell script
halt - system binary
reboot - system binary

If this line would not be there with these options included the www-data user would not be allowed to launch or execute any of the above mentioned scripts and processes without having to enter the Sudo password :slight_smile:

I understand that I must use (with user www-data)

/usr/bin/php /var/www/nextcloud/occ status

But I am not the Webui of NCP which listens on port 4443. I have no clue what the webui executes how, I just open a browser to get the NCP Webui on https://IP:4443 - authenticate myself and wait for the page to be loaded.
While this error shows up on the server hosting nextcloud installed as NCP.

So I try to find out where the problem is. I have understood that the sudoers file is correct, I also do understand how sudo works, but what I do not understand is why I get those errors when opening the NextcloudPI Webui in my Browser. So something happens during rendering the Webui of NCP.
And not nextcloud, because my nextcloud instance is running smoothly over many years now :wink: it is the nextcloudpi webui I am talking about.

It seems like we do talk about different things, but perhaps it is just me not getting it.

thanks, I thought so too, that this was added via NCP
still, the problem is opening the NCP Webui, and what that tries to execute in the background - this is what it looks like for me.

So sudoers file is right, so the question is why is the webui triggering this error.

I searched the code of NextcloudPi with occ or status

Search · occ · GitHub
Search · status · GitHub

Perhaps someone finds something in the code.
I find nothing. Only sudo -u www-data but that is not the problem (I think).

I searched a little too and it seems that
ncp-launcher executes ncp-diag and ncp-diag uses
But I am not an expert on php nor anything near an expert on how NCP works

# Nextcloud
[[ ${EUID} -eq 0 ]] && SUDO="sudo -u www-data"
VERSION="$( $SUDO php /var/www/nextcloud/occ status | grep "version:" | awk '{ print $3 }' )"
if [[ "$VERSION" != "" ]]; then
  echo "Nextcloud check|ok"
  echo "Nextcloud version|$VERSION"
else
  echo "Nextcloud check|error"
fi

based on the description ncp-launcher is

///
// NextCloudPi Web Panel backend
//
// Copyleft 2018 by Ignacio Nunez Hernanz <nacho _a_t_ ownyourbits _d_o_t_ com>
// GPL licensed (see end of file) * Use at your own risk!
//
// More at https://nextcloudpi.com
///

and the code I found on the ncp-launcher for using ncp-diag

//
// info
//
else if ( $_POST['action'] == "info" )
{
  exec( 'bash /usr/local/bin/ncp-diag', $output, $ret );

  // info table
  $table = '<table class="dashtable">';
  foreach( $output as $line )
  {

This is for status, didn’t search for maintenance:mode

but the command looks very familiar, so perhaps it is an indicator for something. perhaps someone knows :smiley:

Yes but this is completed to
sudo -u www-data php /var/www/nextcloud/occ status | grep "version:" | awk '{ print $3 }'
But then you do not get the sudo error for user www-data. www-data does not use sudo in this case. sudo is used from root.

Just a mindgame:
who executes that script?
is it root who executes it ? hopefully not because the execution gets triggered by the webserver, which is apache and therefore www-data

I mean there must be a reason why sudo is even in the code if www-data would have access to this software anyhow and for me it looks like sudo is needed but for a reason. So perhaps this gets executed as another systemuser and this one would need to provide a password.

The funny part is, that my system info page is correct and filled out.
So whatever is going on there, I do not know.

Yes. www-data is allowed to execute root commands:

/home/www/ncp-launcher.sh 
/home/www/ncp-backup-launcher.sh
/sbin/halt
/sbin/reboot

But it makes no sense that www-data executes /usr/bin/php /var/www/nextcloud/occ through root

Nov 18 13:58:01 cloud sudo[9146]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status

But perhaps we do not interpret the sudo errors correctly.

I went a little further and looked up the files executed in this case the ncp-diag
and it is located in /usr/local/bin which seems ok based on the code I have read so far.
The permissions are rwxr-xr-x for root:staff and there is also a ncp user with no shell login on my system (based on the passwd file).

ncp:x:1001:1001::/nonexistent:/usr/sbin/nologin

and ncp is not part of the group staff

groups ncp
ncp : ncp netdev

So if the script gets executed with the NCP user, we would have solved the mystery, or not?

Would this be a way to test this ?
sudo -u ncp sudo -u www-data php /var/www/nextcloud/occ status | grep "version:" | awk '{ print $3 }'

Still I do not know if the ncp user is executing those scripts at all :smiley: but if, should the ncp user be somehow in the sudo or sudoers file or are the permissions set wrong for the files (which I never touched).

I think ncp is not www-data.

grep www-data /etc/passwd

But in the sudo error the user www-data (not ncp) wants to execute sudo /usr/bin/php ... Or we misinterpret the error.

Perhaps you can grep all code.

grep -R sudo /usr/local/bin
grep -R sudo /home

Perhaps further directories.
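
In sudo's log format the name before the first " : " is the invoking user and USER= is the target (run-as) user, so the entries in this thread record www-data asking sudo to run php as www-data, which a sudoers rule without a run-as list (root only by default) does not cover. The following is an added example, not part of the thread and not NextCloudPi code: a shell function that groups such denials by invoker, target and command. The function names, the last two sample lines and /usr/bin/example-tool are constructed for illustration.

```shell
#!/bin/sh
# Added example (not NextCloudPi code): summarise sudo denials from journal text.
# On a real host, feed it e.g.:  journalctl -t sudo --no-pager | summarize_sudo_denials

# Sample input. The first three lines are copied from the thread; the last two
# are CONSTRUCTED for contrast (a denied root-target command, and an allowed
# command that the summary must ignore).
sample_log() {
    cat <<'EOF'
Nov 18 13:58:01 cloud sudo[9146]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:01 cloud sudo[9269]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ status
Nov 18 13:58:04 cloud sudo[10794]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=www-data ; COMMAND=/usr/bin/php /var/www/nextcloud/occ maintenance:mode
Nov 18 13:59:10 cloud sudo[20001]: www-data : command not allowed ; TTY=unknown ; PWD=/var/www/ncp-web ; USER=root ; COMMAND=/usr/bin/example-tool
Nov 18 13:59:11 cloud sudo[20002]: www-data : TTY=unknown ; PWD=/var/www/ncp-web ; USER=root ; COMMAND=/home/www/ncp-launcher.sh
EOF
}

# Reads journal/syslog lines on stdin. Prints one row per distinct denial:
#   <count> <invoking user> <target user> <kind> <command>
# kind is "same-user" when invoker and target are identical (no privilege
# change was requested), "to-root" for a root target, "to-other" otherwise.
summarize_sudo_denials() {
    awk '
    / : command not allowed ; / {
        # Strip timestamp, host and the "sudo[pid]: " tag (leftmost match).
        if (!match($0, /sudo\[[0-9]+\]: */)) next
        line = substr($0, RSTART + RLENGTH)

        # Invoking user: everything before the first " : ".
        invoker = substr(line, 1, index(line, " : ") - 1)

        # First occurrences are used, so text inside COMMAND= cannot
        # masquerade as the USER= field.
        u = index(line, " ; USER=")
        c = index(line, " ; COMMAND=")
        if (u == 0 || c == 0) next

        target = substr(line, u + 8)
        target = substr(target, 1, index(target, " ; ") - 1)
        cmd = substr(line, c + 11)

        kind = (invoker == target) ? "same-user" : (target == "root" ? "to-root" : "to-other")
        n[invoker " " target " " kind " " cmd]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }
    ' | sort -rn
}

sample_log | summarize_sudo_denials
```

Rows tagged same-user point at a caller that prefixes sudo -u with its own user name; rows tagged to-root are the ones to compare against the command list in the sudoers entry.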