nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: wrong permissions attributed to a copy of a file #46248

Open jcdufourd opened 2 weeks ago

jcdufourd commented 2 weeks ago


Bug description

I start with a folder A with read-only sharing for everyone, and add some files including a file B to it. A and B are created as an admin.

Then, as a normal user, I create a folder C with full-editing sharing with a group, then copy file B into folder C. The resulting file is D.

The permissions on file D are read-only, and I cannot find a way to remove it. My expectation is that the user who made the copy should be able to remove it. The admin account, with which D is shared with full-editing share from folder C, also cannot remove the file, and I think it should also be able to.

With the outlined process, files are created that no one can get rid of. I believe that is a bug.

Steps to reproduce

  1. create folder A as admin, share it with read-only to everyone
  2. create file B in A as admin
  3. create folder C as normal user and share it allow-editing with a group
  4. copy B into C, yielding file D
  5. file D cannot be deleted by anyone, user owning the copy or admin

Expected behavior

There should be a way for the user who made the copy to remove the file

Installation method

Community Docker image

Nextcloud Server version

29

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Nginx

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

None

What user-backends are you using?

Configuration report

{
    "system": {
        "memcache.local": "\\OC\\Memcache\\APCu",
        "apps_paths": [
            {
                "path": "\/var\/www\/html\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/www\/html\/custom_apps",
                "url": "\/custom_apps",
                "writable": true
            }
        ],
        "objectstore": {
            "class": "\\OC\\Files\\ObjectStore\\S3",
            "arguments": {
                "bucket": "***REMOVED SENSITIVE VALUE***",
                "region": "eu-west-3",
                "hostname": "",
                "port": "443",
                "objectPrefix": "urn:oid:",
                "autocreate": false,
                "use_ssl": true,
                "use_path_style": false,
                "legacy_auth": false,
                "key": "***REMOVED SENSITIVE VALUE***",
                "secret": "***REMOVED SENSITIVE VALUE***"
            }
        },
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "***REMOVED SENSITIVE VALUE***",
            "nginx-server"
        ],
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "29.0.3.4",
        "overwrite.cli.url": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "defaultapp": "files",
        "auth.webauthn.enabled": false,
        "onlyoffice": {
            "verify_peer_off": true,
            "DocumentServerUrl": "\/ds-vpath\/",
            "DocumentServerInternalUrl": "***REMOVED SENSITIVE VALUE***",
            "StorageUrl": "http:\/\/nginx-server\/",
            "jwt_secret": "***REMOVED SENSITIVE VALUE***",
            "jwt_header": "AuthorizationJwt",
            "allow_local_remote_servers": true
        },
        "overwriteprotocol": "https",
        "upgrade.disable-web": true,
        "maintenance": false,
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "mysql.utf8mb4": true,
        "loglevel": 0,
        "app_install_overwrite": [
            "backup",
            "hsts"
        ],
        "maintenance_window_start": 1,
        "htaccess.RewriteBase": "\/"
    }
}

List of activated Apps

Enabled:
  - activity: 2.21.1
  - bruteforcesettings: 2.9.0
  - cloud_federation_api: 1.12.0
  - dav: 1.30.1
  - deck: 1.13.1
  - external: 5.4.0
  - federatedfilesharing: 1.19.0
  - files: 2.1.0
  - files_downloadlimit: 2.0.0
  - files_external: 1.21.0
  - files_pdfviewer: 2.10.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - files_versions: 1.22.0
  - forms: 4.2.4
  - group_everyone: 0.1.15
  - hsts: 0.9.0
  - impersonate: 1.16.0
  - logreader: 2.14.0
  - lookup_server_connector: 1.17.0
  - notifications: 2.17.0
  - oauth2: 1.17.0
  - onlyoffice: 9.3.0
  - privacy: 1.13.0
  - provisioning_api: 1.19.0
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - sociallogin: 5.6.5
  - spreed: 19.0.4
  - support: 1.12.0
  - text: 3.10.1
  - theming: 2.4.0
  - twofactor_backupcodes: 1.18.0
  - user_status: 1.9.0
  - viewer: 2.3.0
  - workflowengine: 2.11.0
Disabled:
  - admin_audit: 1.19.0
  - backup: 1.4.0 (installed 1.4.0)
  - circles: 29.0.0-dev (installed 28.0.0-dev)
  - comments: 1.19.0 (installed 1.18.0)
  - contactsinteraction: 1.10.0 (installed 1.9.0)
  - dashboard: 7.9.0 (installed 7.8.0)
  - encryption: 2.17.0
  - federation: 1.19.0 (installed 1.18.0)
  - files_fulltextsearch: 29.0.0 (installed 29.0.0)
  - files_reminders: 1.2.0 (installed 1.1.0)
  - firstrunwizard: 2.18.0 (installed 2.17.0)
  - fulltextsearch: 29.0.0 (installed 29.0.0)
  - fulltextsearch_elasticsearch: 29.0.1 (installed 29.0.1)
  - health: 2.2.2 (installed 2.2.2)
  - nextcloud_announcements: 1.18.0 (installed 1.17.0)
  - password_policy: 1.19.0 (installed 1.18.0)
  - photos: 2.5.0 (installed 2.4.0)
  - recommendations: 2.1.0 (installed 2.0.0)
  - related_resources: 1.4.0 (installed 1.3.0)
  - sharebymail: 1.19.0 (installed 1.18.0)
  - survey_client: 1.17.0 (installed 1.16.0)
  - suspicious_login: 7.0.0
  - systemtags: 1.19.0 (installed 1.18.0)
  - twofactor_totp: 11.0.0-dev
  - updatenotification: 1.19.1 (installed 1.18.0)
  - user_ldap: 1.20.0
  - weather_status: 1.9.0 (installed 1.8.0)

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

(file too big to be provided entirely, here are the last lines)

Additional info

No response

jcdufourd commented 1 week ago

I also tried removing one such file with:

sudo -u www-data php occ files:delete 87859 -f

and the answer is

File cannot be deleted, insufficient permissions.

susnux commented 1 week ago

Add handleCopiesAsOwned with value true to your object storage configuration to drop restricted permissions on copy

jcdufourd commented 1 week ago

Thank you @susnux for your suggestion. This option addition does not change the current situation: existing copies are still not changeable. This does not change a new situation entirely constructed after the option has been added: new copies in a new folder newly shared are still not changeable. (Note: only steps 3-4-5 above were done again, not the initial creation of read-only documents and folder = step 1-2) (Note2: even redoing all 5 steps changes nothing: the copied files are unchangeable by anyone)

susnux commented 1 week ago

You need something like this:

// ...
'objectstore' => [
    'class' => '\\OC\\Files\\ObjectStore\\S3',
    'arguments' => [
        'handleCopiesAsOwned' => true,
        // ...
    ],
],
// ...

jcdufourd commented 1 week ago

> You need something like this:
>
> // ...
> 'objectstore' => [
>     'class' => '\\OC\\Files\\ObjectStore\\S3',
>     'arguments' => [
>         'handleCopiesAsOwned' => true,
>         // ...
>     ],
> ],
> // ...

This is exactly what I have already done (but "your" option is last in my array of arguments).

susnux commented 1 week ago

Then if you now copy a file you should gain all permissions as the copy is now owned by you

jcdufourd commented 1 week ago

> Then if you now copy a file you should gain all permissions as the copy is now owned by you

When I now copy a read-only file, the copy is still read-only

susnux commented 1 week ago

Have you restarted your FPM processes (so the config is reloaded / not cached)? Because I tested it right now and with this option copies gain all permissions.

jcdufourd commented 1 week ago

I have no idea how to check this. I am using the docker version of nextcloud+onlyoffice and fpm is not a service. I only know I am using fpm because the image I use is called 29-fpm.
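
The behaviour discussed in this thread, as an added example that is not part of the issue and not Nextcloud code: a simplified Python model of per-file permission bitmasks that replays steps 1-5 and shows the effect susnux describes for `handleCopiesAsOwned`. It assumes that a copy keeps the mask the copier saw on the source and that share masks are ANDed with the file's own mask; the `Node` class, the helper names and the single named recipient standing in for the group are hypothetical.

```python
# Simplified model (an assumption, not Nextcloud code) of per-file permission masks.
from dataclasses import dataclass, field

# Bit values match Nextcloud's OCP\Constants::PERMISSION_* constants.
READ, UPDATE, CREATE, DELETE, SHARE = 1, 2, 4, 8, 16
ALL = READ | UPDATE | CREATE | DELETE | SHARE


@dataclass
class Node:
    owner: str
    permissions: int = ALL                      # mask stored with the file entry
    shares: dict = field(default_factory=dict)  # recipient -> share mask
    parent: "Node | None" = None


def effective(node, user):
    """Permissions `user` holds on `node`; 0 means no access."""
    if user == node.owner:
        return node.permissions
    holder = node
    while holder is not None:  # nearest share on the node or one of its ancestors
        if user in holder.shares:
            return node.permissions & holder.shares[user]
        holder = holder.parent
    return 0


def copy_into(source, user, target_folder, handle_copies_as_owned=False):
    """Copy `source` into `target_folder` on behalf of `user`."""
    seen = effective(source, user)
    if not seen & READ:
        raise PermissionError("source not readable")
    if not effective(target_folder, user) & CREATE:
        raise PermissionError("target not writable")
    # Without the option the copy keeps the restricted mask seen on the source.
    mask = ALL if handle_copies_as_owned else seen
    return Node(owner=user, permissions=mask, parent=target_folder)


def can_delete(node, user):
    return bool(effective(node, user) & DELETE)


def reproduce(handle_copies_as_owned):
    """Steps 1-5 of the report; returns (owner_can_delete, admin_can_delete)."""
    a = Node(owner="admin", shares={"user": READ})        # step 1: read-only share
    b = Node(owner="admin", parent=a)                      # step 2: file B in A
    c = Node(owner="user", shares={"admin": ALL})          # step 3: editing share
    d = copy_into(b, "user", c, handle_copies_as_owned)    # step 4: copy B -> D
    return can_delete(d, "user"), can_delete(d, "admin")   # step 5: who can delete D


if __name__ == "__main__":
    print("option off:", reproduce(False))
    print("option on: ", reproduce(True))
```

In this model the full-editing share on C cannot restore the delete bit for the admin, because a share mask can only narrow the mask stored with D.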