[Bug]: nextcloud-init-sync.lock considered as extra file by the scanner #2070

Closed
5 of 8 tasks
leolivier opened this issue Sep 23, 2023 · 8 comments
Labels
0. Needs triage bug needs info Additional info needed to triage needs review Needs confirmation this is still happening or relevant

@leolivier

⚠️ This issue respects the following points: ⚠️

Bug description

I get a warning that some files don't pass the integrity checks, and when I look at the details, I get:

Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results
=======
- core
	- EXTRA_FILE
		- nextcloud-init-sync.lock

Raw output
==========
Array
(
    [core] => Array
        (
            [EXTRA_FILE] => Array
                (
                    [nextcloud-init-sync.lock] => Array
                        (
                            [expected] => 
                            [current] => 
                        )

                )

        )

)

Looking at the logs, I can see:

{"reqId":"zDBWUSdnTLLbD8uhFxoM","level":3,"time":"2023-09-23T10:04:31+02:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"hash_file(/var/www/html/nextcloud-init-sync.lock): Failed to open stream: Permission denied at /var/www/html/lib/private/IntegrityCheck/Checker.php#211","userAgent":"--","version":"27.1.0.7","data":{"app":"PHP"},"id":"650ea3672af6f"}

But this file is created by Nextcloud itself in the container, so it's weird.
Checking the file permissions inside the container:
-rw------- 1 root root 0 Sep 23 08:02 /var/www/html/nextcloud-init-sync.lock
I changed the ownership to www-data:www-data in the container and the above error disappeared, but the integrity check continues to fail.

Steps to reproduce

  1. Open the admin main screen
  2. See the warning
  3. Follow the link

Expected behavior

This file should not be considered in the integrity check

Installation method

Community Docker image

Nextcloud Server version

27

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 22 to 23)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

  • Default user-backend (database)
  • LDAP/ Active Directory
  • SSO - SAML
  • Other

Configuration report

{
    "system": {
        "installed": true,
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "htaccess.RewriteBase": "\/",
        "default_language": "fr",
        "default_locale": "fr_FR",
        "knowledgebaseenabled": true,
        "default_phone_region": "FR",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "mail_sendmailmode": "smtp",
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpauth": true,
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "twofactor_enforced": "false",
        "twofactor_enforced_groups": [
            "admin"
        ],
        "twofactor_enforced_excluded_groups": [],
        "overwritehost": "nextcloud.<my domain>",
        "overwrite.cli.url": "https:\/\/nextcloud.<my domain>",
        "overwriteprotocol": "https",
        "trusted_domains": [
            "localhost",
            "192.168.1.8",
            "nextcloud.<my domain>",
            "blog.<my domain>"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "27.1.1.0",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "Europe\/Paris",
        "loglevel": 2,
        "maintenance": false,
        "app_install_overwrite": [
            "audioplayer",
            "previewgenerator",
            "keeweb"
        ],
        "theme": "",
        "mail_smtpsecure": "TLS"
    }
}

List of activated Apps

Enabled:
  - audioplayer: 3.4.0
  - calendar: 4.5.1
  - cloud_federation_api: 1.10.0
  - comments: 1.17.0
  - contacts: 5.4.2
  - contactsinteraction: 1.8.0
  - dashboard: 7.7.0
  - dav: 1.27.0
  - federatedfilesharing: 1.17.0
  - files: 1.22.0
  - files_external: 1.19.0
  - files_pdfviewer: 2.8.0
  - files_reminders: 1.0.0
  - files_rightclick: 1.6.0
  - files_sharing: 1.19.0
  - files_trashbin: 1.17.0
  - files_versions: 1.20.0
  - firstrunwizard: 2.16.0
  - groupfolders: 15.3.1
  - keeweb: 0.6.13
  - logreader: 2.12.0
  - lookup_server_connector: 1.15.0
  - mail: 3.4.0
  - nextcloud_announcements: 1.16.0
  - notifications: 2.15.0
  - oauth2: 1.15.1
  - password_policy: 1.17.0
  - photos: 2.3.0
  - previewgenerator: 5.3.0
  - privacy: 1.11.0
  - provisioning_api: 1.17.0
  - recommendations: 1.6.0
  - related_resources: 1.2.0
  - settings: 1.9.0
  - sharebymail: 1.17.0
  - suspicious_login: 5.0.0
  - text: 3.8.0
  - theming: 2.2.0
  - twofactor_backupcodes: 1.16.0
  - updatenotification: 1.17.0
  - user_status: 1.7.0
  - viewer: 2.1.0
  - weather_status: 1.7.0
  - workflowengine: 2.9.0
Disabled:
  - activity: 2.19.0 (installed 2.13.4)
  - admin_audit: 1.17.0
  - bruteforcesettings: 2.7.0 (installed 2.0.1)
  - circles: 27.0.1 (installed 0.20.6)
  - encryption: 2.15.0 (installed 2.5.0)
  - federation: 1.17.0 (installed 1.7.0)
  - serverinfo: 1.17.0 (installed 1.4.0)
  - support: 1.10.0 (installed 1.0.0)
  - survey_client: 1.15.0 (installed 1.2.0)
  - systemtags: 1.17.0 (installed 1.4.0)
  - twofactor_totp: 9.0.0 (installed 5.0.0)
  - user_ldap: 1.17.0

Nextcloud Signing status

see above, this is precisely the issue

Nextcloud Logs

24MB, only adding related errors:
{"reqId":"zDBWUSdnTLLbD8uhFxoM","level":3,"time":"2023-09-23T10:04:31+02:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"hash_file(/var/www/html/nextcloud-init-sync.lock): Failed to open stream: Permission denied at /var/www/html/lib/private/IntegrityCheck/Checker.php#211","userAgent":"--","version":"27.1.0.7","data":{"app":"PHP"},"id":"650ea3672af6f"}

Additional info

No response
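
Added example (not part of the original issue and not Nextcloud's own code): a small Python filter that scans Nextcloud's JSON log lines for the `hash_file(...)` warning quoted in the report and lists each file the integrity checker could not open. The function name is hypothetical, and every sample entry except the first (abridged from the issue) is constructed.

```python
import json
import re

# PHP warning logged when the integrity checker cannot open a file for hashing.
HASH_FAIL = re.compile(
    r"hash_file\((?P<path>[^)]+)\): Failed to open stream: "
    r"(?P<reason>.+?) at \S*IntegrityCheck/Checker\.php#\d+"
)

MSG = ("hash_file(/var/www/html/nextcloud-init-sync.lock): Failed to open stream: "
       "Permission denied at /var/www/html/lib/private/IntegrityCheck/Checker.php#211")

# Entry 1 is abridged from the log line in the issue; the rest are constructed.
SAMPLE_LOG = "\n".join([
    json.dumps({"level": 3, "time": "2023-09-23T10:04:31+02:00", "app": "PHP", "message": MSG}),
    json.dumps({"level": 3, "time": "2023-09-23T10:09:31+02:00", "app": "PHP", "message": MSG}),
    json.dumps({"level": 2, "time": "2023-09-23T10:10:00+02:00", "app": "core",
                "message": "Login failed"}),
    '{"level":3,"time":"2023-09-23T10:11:00+02:00","mess',  # truncated line
])


def unreadable_integrity_files(log_text):
    """Map each path the checker failed to hash to its reason, count and first timestamp."""
    found = {}
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting the scan
        if not isinstance(entry, dict):
            continue
        match = HASH_FAIL.search(str(entry.get("message", "")))
        if not match:
            continue
        info = found.setdefault(
            match["path"],
            {"reason": match["reason"], "count": 0, "first_seen": entry.get("time")},
        )
        info["count"] += 1
    return found


if __name__ == "__main__":
    for path, info in unreadable_integrity_files(SAMPLE_LOG).items():
        print(f"{path}: {info['reason']} x{info['count']} (first {info['first_seen']})")
```
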

@szaimen szaimen transferred this issue from nextcloud/server Sep 23, 2023
@leolivier
Author

I didn't rerun the scan after changing the file owner; now the error has disappeared, but I still should not have to change the owner of this file myself.

@joshtrichards
Member

joshtrichards commented Oct 3, 2023

This file isn't created by Nextcloud, but by the community Docker image's entrypoint.sh.

How are your underlying volume mounts defined in your Docker? Either your Docker compose or command-line?

Because the resulting ownership should be more like:

-rw-r--r-- 1 root root 0 Sep 19 15:24 nextcloud-init-sync.lock

And are you by chance running Docker under a different user or rootless?

Related: #2057

@joshtrichards joshtrichards added the needs info Additional info needed to triage label Oct 3, 2023
@leolivier
Author

Thanks for your answer @joshtrichards
My docker is running as a Linux service so they are root:

UID          PID    PPID  C STIME TTY      STAT   TIME CMD
root        2692    1347  0 oct.02 ?       Sl     0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8081 -container-ip 172.20.0.2 -container-port 80
root        2704    1347  0 oct.02 ?       Sl     0:00 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 8081 -container-ip 172.20.0.2 -container-port 80

and the mounts are done like this (docker compose extract):

    volumes:
      - nextcloud2:/var/www/html
      - ./config:/var/www/html/config
      - /hdd/nextcloud:/var/www/html/data
      - ./apps:/var/www/html/apps

@joshtrichards joshtrichards removed the needs info Additional info needed to triage label Oct 22, 2023
@joshtrichards
Member

What is your underlying host OS/version, host hardware platform, libseccomp version, and Docker Engine version?

When you restart the Nextcloud app container are there any interesting bits in the Docker logs for the container during startup?

@leolivier
Author

I'm running Nextcloud on a Raspberry Pi 4 with RaspberryPi OS

$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian

$ dpkg-query -s libseccomp2
Package: libseccomp2
Status: install ok installed
Priority: optional
Section: libs
Installed-Size: 146
Maintainer: Kees Cook <[email protected]>
Architecture: arm64
Multi-Arch: same
Source: libseccomp
Version: 2.5.1-1+deb11u1
Depends: libc6 (>= 2.17)

$ docker -v
Docker version 24.0.6, build ed223bc

After a docker restart on the container, I don't get anything interesting in the logs (knowing that the error disappeared since I chmoded the file myself):

192.168.1.8 - olivier [31/Oct/2023:10:08:15 +0000] "PROPFIND /remote.php/dav/files/olivier/ HTTP/1.1" 207 1116 "-" "Mozilla/5.0 (Windows) mirall/3.10.1stable-Win64 (build 20231025) (Nextcloud, windows-10.0.22635 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
[Tue Oct 31 10:08:15.867480 2023] [mpm_prefork:notice] [pid 1] AH00170: caught SIGWINCH, shutting down gracefully
192.168.1.8 - - [31/Oct/2023:10:08:16 +0000] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 304 785 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0"
Configuring Redis as session handler
=> Searching for scripts (*.sh) to run, located in the folder: /docker-entrypoint-hooks.d/before-starting
==> but the hook folder "before-starting" is empty, so nothing to do
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.20.0.2. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.20.0.2. Set the 'ServerName' directive globally to suppress this message
[Tue Oct 31 10:08:32.107508 2023] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.57 (Debian) PHP/8.2.12 configured -- resuming normal operations
[Tue Oct 31 10:08:32.107656 2023] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'

@joshtrichards
Member

joshtrichards commented Oct 14, 2024

Have you had this reoccur since?

(Outside of v30.0.0 which was unrelated and due to an upstream change that is fixed in the upcoming v30.0.1).

Outside of the recent regression (which we know the cause of), there haven't been any similar reports since your report.

@joshtrichards joshtrichards added the needs info Additional info needed to triage label Oct 14, 2024
@leolivier
Author

leolivier commented Oct 14, 2024

No, I didn't... I have it currently with 30.0.0 but I don't think I had it before (although I didn't check this for quite a long time)

@joshtrichards
Member

Alright. I'm going to close this since there haven't been other reports either so there isn't anything actionable at this point.
