
nextcloud: make home group-readable#115317

Closed
Mic92 wants to merge 1 commit into NixOS:master from Mic92:nextcloud

Conversation

@Mic92
Member

@Mic92 Mic92 commented Mar 7, 2021

users.users makes home only owner-readable.
This breaks nginx reading static assets from nextcloud's home,
after a nixos-rebuild that did not restart nextcloud-setup.

Motivation for this change
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@ofborg ofborg bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux. labels Mar 7, 2021
@Ma27
Member

Ma27 commented Mar 7, 2021

Isn't nginx's user part of the nextcloud group now? Or am I misunderstanding the issue you're having? :)

@Mic92
Member Author

Mic92 commented Mar 7, 2021

> Isn't nginx's user part of the nextcloud group now? Or am I misunderstanding the issue you're having? :)

It is in the same group, but 700 is not readable by nextcloud group members, only by the nextcloud user.

@Ma27
Member

Ma27 commented Mar 7, 2021

So, /var/lib/nextcloud is indeed not readable for the group, but the exec-permission is set and hence group-members can traverse through the structure, right? data/, config/, apps/ and store-apps have read permissions for both user & group on my machine at least. Also, why does that only happen when nextcloud-setup is not invoked? It also sets the owning group of the files to nextcloud and then you'd run into the same problem, correct?

Finally, why 750 if you claim to make /var/lib/nextcloud world-readable?

I'm sorry, maybe I'm just blind atm and totally missing the point!

@Mic92 Mic92 changed the title nextcloud: make home world-readable nextcloud: make home group-readable Mar 10, 2021
@Mic92
Member Author

Mic92 commented Mar 10, 2021

> So, /var/lib/nextcloud is indeed not readable for the group, but the exec-permission is set and hence group-members can traverse through the structure, right? data/, config/, apps/ and store-apps have read permissions for both user & group on my machine at least. Also, why does that only happen when nextcloud-setup is not invoked? It also sets the owning group of the files to nextcloud and then you'd run into the same problem, correct?

It does not have the exec permissions if home is re-chowned by the users activation script but nextcloud-setup.service is not restarted.

> Finally, why 750 if you claim to make /var/lib/nextcloud world-readable?

Fixed the title. The commit message can be fixed by using GitHub's squash feature.

> I'm sorry, maybe I'm just blind atm and totally missing the point!

wantedBy = [ "multi-user.target" ];
before = [ "phpfpm-nextcloud.service" ];
path = [ occ ];
serviceConfig.ExecStartPre = "+${pkgs.coreutils}/bin/install -m750 --owner nextcloud --group nextcloud -d ${cfg.home}";
Member Author


I guess this should be enough?

Suggested change
serviceConfig.ExecStartPre = "+${pkgs.coreutils}/bin/install -m750 --owner nextcloud --group nextcloud -d ${cfg.home}";
serviceConfig.ExecStartPre = "+${pkgs.coreutils}/bin/install -m710 --owner nextcloud --group nextcloud -d ${cfg.home}";
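Review bot: the suggested -m710 grants the nextcloud group only search (x) on ${cfg.home}, which is what the thread says nginx needs (traversing into data/, config/, apps/, whose own group-read bits are set separately) without letting group members list the home directory, so it is tighter than the 750 on the original line. The gap that remains is the trigger named in the description: the users activation script re-chowns home to 700, and this install only runs as ExecStartPre of nextcloud-setup.service, so the mode is repaired only when that service runs again. State that limitation in the commit message or have the activation path set the mode as well.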

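The permission discussion above (700 versus 750 versus 710 on the home directory, and why a group member needs only search permission on ancestors to read a file below) as an added, constructed model; this is not nixpkgs code, and the uids, gids and file names are made up.

```python
from dataclasses import dataclass

# Constructed example (not nixpkgs code) modelling the thread's setup:
# nextcloud owns /var/lib/nextcloud, nginx runs as its own user but is a
# member of the nextcloud group. The uids/gids below are made up.
NC_UID, NC_GID, NGINX_UID = 994, 994, 60

@dataclass(frozen=True)
class Node:
    mode: int  # permission bits only, e.g. 0o710
    uid: int
    gid: int

R, W, X = 4, 2, 1

def perm_class(node, uid, gids):
    """Pick the rwx triple the kernel applies: owner, else group, else other."""
    if uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in gids:
        return (node.mode >> 3) & 7
    return node.mode & 7

def can_reach(tree, path, uid, gids):
    """True if every ancestor directory present in tree grants search (x)."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        parent = "/" + "/".join(parts[:i])
        if parent in tree and not perm_class(tree[parent], uid, gids) & X:
            return False
    return True

def can_read(tree, path, uid, gids):
    """Reading a file, or listing a directory, needs x on ancestors and r on it."""
    return can_reach(tree, path, uid, gids) and bool(perm_class(tree[path], uid, gids) & R)

def nginx_view(home_mode):
    """What nginx (group member, not owner) can do for a given home mode."""
    tree = {
        "/var/lib/nextcloud": Node(home_mode, NC_UID, NC_GID),
        "/var/lib/nextcloud/apps": Node(0o750, NC_UID, NC_GID),
        "/var/lib/nextcloud/apps/core.css": Node(0o640, NC_UID, NC_GID),
    }
    gids = {NC_GID}
    return {
        "serve_asset": can_read(tree, "/var/lib/nextcloud/apps/core.css", NGINX_UID, gids),
        "list_home": can_read(tree, "/var/lib/nextcloud", NGINX_UID, gids),
    }
```

Calling nginx_view(0o700), nginx_view(0o750) and nginx_view(0o710) shows the three states from the thread: no access at all, read plus listing, and asset access without being able to list the home directory.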
@Mic92 Mic92 closed this Jul 23, 2021
@Mic92 Mic92 deleted the nextcloud branch July 23, 2021 08:29