nextcloud / docker

⛴ Docker image of Nextcloud
https://hub.docker.com/_/nextcloud/
GNU Affero General Public License v3.0

[Bug]: nextcloud-init-sync.lock considered as extra file by the scanner #2070

Closed leolivier closed 3 weeks ago

leolivier commented 1 year ago


Bug description

I get a warning that some files don't pass the integrity checks, and when I look at the details, I get:

Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.

Results
=======
- core
    - EXTRA_FILE
        - nextcloud-init-sync.lock

Raw output
==========
Array
(
    [core] => Array
        (
            [EXTRA_FILE] => Array
                (
                    [nextcloud-init-sync.lock] => Array
                        (
                            [expected] => 
                            [current] => 
                        )

                )

        )

)

Looking at the logs, I can see:

{"reqId":"zDBWUSdnTLLbD8uhFxoM","level":3,"time":"2023-09-23T10:04:31+02:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"hash_file(/var/www/html/nextcloud-init-sync.lock): Failed to open stream: Permission denied at /var/www/html/lib/private/IntegrityCheck/Checker.php#211","userAgent":"--","version":"27.1.0.7","data":{"app":"PHP"},"id":"650ea3672af6f"}

but this file is created by Nextcloud itself in the container, so it's weird. Checking the file permissions inside the container:

-rw------- 1 root root 0 Sep 23 08:02 /var/www/html/nextcloud-init-sync.lock

I changed the ownership to www-data:www-data in the container and the above error disappeared, but the integrity check continues to fail.

Steps to reproduce

  1. Open the admin main screen
  2. See the warning
  3. Follow the link

Expected behavior

This file should not be considered in the integrity check

Installation method

Community Docker image

Nextcloud Server version

27

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 22 to 23)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

Configuration report

{
    "system": {
        "installed": true,
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "htaccess.RewriteBase": "\/",
        "default_language": "fr",
        "default_locale": "fr_FR",
        "knowledgebaseenabled": true,
        "default_phone_region": "FR",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "password": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "mail_sendmailmode": "smtp",
        "mail_smtpmode": "smtp",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "587",
        "mail_smtpauth": true,
        "mail_smtpauthtype": "LOGIN",
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "twofactor_enforced": "false",
        "twofactor_enforced_groups": [
            "admin"
        ],
        "twofactor_enforced_excluded_groups": [],
        "overwritehost": "nextcloud.<my domain>",
        "overwrite.cli.url": "https:\/\/nextcloud.<my domain>",
        "overwriteprotocol": "https",
        "trusted_domains": [
            "localhost",
            "192.168.1.8",
            "nextcloud.<my domain>",
            "blog.<my domain>"
        ],
        "trusted_proxies": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "27.1.1.0",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "logtimezone": "Europe\/Paris",
        "loglevel": 2,
        "maintenance": false,
        "app_install_overwrite": [
            "audioplayer",
            "previewgenerator",
            "keeweb"
        ],
        "theme": "",
        "mail_smtpsecure": "TLS"
    }
}

List of activated Apps

Enabled:
  - audioplayer: 3.4.0
  - calendar: 4.5.1
  - cloud_federation_api: 1.10.0
  - comments: 1.17.0
  - contacts: 5.4.2
  - contactsinteraction: 1.8.0
  - dashboard: 7.7.0
  - dav: 1.27.0
  - federatedfilesharing: 1.17.0
  - files: 1.22.0
  - files_external: 1.19.0
  - files_pdfviewer: 2.8.0
  - files_reminders: 1.0.0
  - files_rightclick: 1.6.0
  - files_sharing: 1.19.0
  - files_trashbin: 1.17.0
  - files_versions: 1.20.0
  - firstrunwizard: 2.16.0
  - groupfolders: 15.3.1
  - keeweb: 0.6.13
  - logreader: 2.12.0
  - lookup_server_connector: 1.15.0
  - mail: 3.4.0
  - nextcloud_announcements: 1.16.0
  - notifications: 2.15.0
  - oauth2: 1.15.1
  - password_policy: 1.17.0
  - photos: 2.3.0
  - previewgenerator: 5.3.0
  - privacy: 1.11.0
  - provisioning_api: 1.17.0
  - recommendations: 1.6.0
  - related_resources: 1.2.0
  - settings: 1.9.0
  - sharebymail: 1.17.0
  - suspicious_login: 5.0.0
  - text: 3.8.0
  - theming: 2.2.0
  - twofactor_backupcodes: 1.16.0
  - updatenotification: 1.17.0
  - user_status: 1.7.0
  - viewer: 2.1.0
  - weather_status: 1.7.0
  - workflowengine: 2.9.0
Disabled:
  - activity: 2.19.0 (installed 2.13.4)
  - admin_audit: 1.17.0
  - bruteforcesettings: 2.7.0 (installed 2.0.1)
  - circles: 27.0.1 (installed 0.20.6)
  - encryption: 2.15.0 (installed 2.5.0)
  - federation: 1.17.0 (installed 1.7.0)
  - serverinfo: 1.17.0 (installed 1.4.0)
  - support: 1.10.0 (installed 1.0.0)
  - survey_client: 1.15.0 (installed 1.2.0)
  - systemtags: 1.17.0 (installed 1.4.0)
  - twofactor_totp: 9.0.0 (installed 5.0.0)
  - user_ldap: 1.17.0

Nextcloud Signing status

see above, this is precisely the issue

Nextcloud Logs

24MB, only adding related errors:
{"reqId":"zDBWUSdnTLLbD8uhFxoM","level":3,"time":"2023-09-23T10:04:31+02:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"hash_file(/var/www/html/nextcloud-init-sync.lock): Failed to open stream: Permission denied at /var/www/html/lib/private/IntegrityCheck/Checker.php#211","userAgent":"--","version":"27.1.0.7","data":{"app":"PHP"},"id":"650ea3672af6f"}

Additional info

No response

leolivier commented 1 year ago

I didn't rerun the scan after changing the file owner; now the error has disappeared, but still, I should not have to change the owner of this file myself.

joshtrichards commented 1 year ago

This file isn't created by Nextcloud, but by the community Docker image's entrypoint.sh.

How are your underlying volume mounts defined in your Docker? Either your Docker compose or command-line?

Because the resulting ownership should be more like:

-rw-r--r-- 1 root root 0 Sep 19 15:24 nextcloud-init-sync.lock

And are you by chance running Docker under a different user or rootless?

Related: #2057
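A small diagnostic, added here and not part of the nextcloud/docker image or of this thread, that reproduces the check behind the "Permission denied" log line above: the integrity checker hashes the file as the web server user, so a root-owned file with mode 600 is unreadable to it while the expected 644 is fine. It assumes GNU coreutils `stat -c` and that www-data is neither the owner nor the group of the file, as in the `root root` listings in the thread.

```shell
#!/bin/sh
# Added diagnostic (not from the nextcloud/docker project): decide whether a
# root-owned lock file would make the integrity checker's hash_file() call
# fail when PHP runs as www-data. Assumes GNU coreutils (stat -c).

# Print the same fields the thread's listings show: mode, owner, group, name.
describe_file() {
    stat -c '%A %U %G %n' "$1"
}

# Echo "readable" when the "others" class has the read bit (e.g. 644),
# "denied" when it does not (e.g. 600), "missing" when the path is absent.
# Assumption: www-data is neither owner nor group, so only the last octal
# digit (permissions for "others") decides, as with a root:root file.
lock_verdict() {
    [ -e "$1" ] || { echo missing; return 0; }
    mode=$(stat -c '%a' "$1")
    others=${mode#"${mode%?}"}        # last character of the octal mode
    if [ $(( others & 4 )) -ne 0 ]; then
        echo readable
    else
        echo denied
    fi
}

# Demo on a constructed temporary file; the real path in the container is
# /var/www/html/nextcloud-init-sync.lock.
demo() {
    tmp=$(mktemp) || return 1
    chmod 600 "$tmp"; describe_file "$tmp"; lock_verdict "$tmp"   # denied
    chmod 644 "$tmp"; describe_file "$tmp"; lock_verdict "$tmp"   # readable
    rm -f "$tmp"
}
demo
```

Run it inside the container against the real lock file path to confirm whether a Permission denied result from the scanner is explained by the file mode alone.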

leolivier commented 1 year ago

Thanks for your answer @joshtrichards. My docker is running as a Linux service, so they are root:

UID          PID    PPID  C STIME TTY      STAT   TIME CMD
root        2692    1347  0 oct.02 ?       Sl     0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8081 -container-ip 172.20.0.2 -container-port 80
root        2704    1347  0 oct.02 ?       Sl     0:00 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 8081 -container-ip 172.20.0.2 -container-port 80

and the mounts are done like this (docker compose extract):

    volumes:
      - nextcloud2:/var/www/html
      - ./config:/var/www/html/config
      - /hdd/nextcloud:/var/www/html/data
      - ./apps:/var/www/html/apps

joshtrichards commented 1 year ago

What is your underlying host OS/version, host hardware platform, libseccomp version, and Docker Engine version?

When you restart the Nextcloud app container are there any interesting bits in the Docker logs for the container during startup?

leolivier commented 1 year ago

I'm running Nextcloud on a Raspberry Pi 4 with RaspberryPi OS

$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian

$ dpkg-query -s libseccomp2
Package: libseccomp2
Status: install ok installed
Priority: optional
Section: libs
Installed-Size: 146
Maintainer: Kees Cook <kees@debian.org>
Architecture: arm64
Multi-Arch: same
Source: libseccomp
Version: 2.5.1-1+deb11u1
Depends: libc6 (>= 2.17)

$ docker -v
Docker version 24.0.6, build ed223bc

After a docker restart on the container, I don't get anything interesting in the logs (knowing that the error disappeared since I chmoded the file myself):

192.168.1.8 - olivier [31/Oct/2023:10:08:15 +0000] "PROPFIND /remote.php/dav/files/olivier/ HTTP/1.1" 207 1116 "-" "Mozilla/5.0 (Windows) mirall/3.10.1stable-Win64 (build 20231025) (Nextcloud, windows-10.0.22635 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
[Tue Oct 31 10:08:15.867480 2023] [mpm_prefork:notice] [pid 1] AH00170: caught SIGWINCH, shutting down gracefully
192.168.1.8 - - [31/Oct/2023:10:08:16 +0000] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 304 785 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0"
Configuring Redis as session handler
=> Searching for scripts (*.sh) to run, located in the folder: /docker-entrypoint-hooks.d/before-starting
==> but the hook folder "before-starting" is empty, so nothing to do
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.20.0.2. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.20.0.2. Set the 'ServerName' directive globally to suppress this message
[Tue Oct 31 10:08:32.107508 2023] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.57 (Debian) PHP/8.2.12 configured -- resuming normal operations
[Tue Oct 31 10:08:32.107656 2023] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'

joshtrichards commented 3 weeks ago

Have you had this reoccur since?

(Outside of v30.0.0 which was unrelated and due to an upstream change that is fixed in the upcoming v30.0.1).

Outside of the recent regression (which we know the cause of), there haven't been any similar reports since your report.

leolivier commented 3 weeks ago

No, I didn't... I have it currently with 30.0.0 but I don't think I had it before (although I didn't check this for quite a long time)

joshtrichards commented 3 weeks ago

Alright. I'm going to close this since there haven't been other reports either so there isn't anything actionable at this point.