DocumentServer icon indicating copy to clipboard operation
DocumentServer copied to clipboard

Published 20 hours ago verified publisher icon ONLYOFFICE

Access Rights to the Web Server Directory /var/www/

Open nils-schween opened this issue 5 years ago • 10 comments

Hello everyone,

I would like to report a somewhat strange glitch, which I found while setting up the OnlyOffice Document Server on Debian Buster. To install the Document Server I followed the instructions which can be found in the helpcenter. Hence, I am using the Debian repository and I installed the Document Server with apt.

It was not working out of the box, and looking into the log files (e.g, /var/log/onlyoffice/documentserver/docservice/err.log) I saw the following error messages:

supervisor: couldn't chdir to /var/www/onlyoffice/documentserver/server/DocService: EACCES
supervisor: child process was not spawned supervisor: couldn't chdir to /var/www/onlyoffice/documentserver/server/DocService: EACCES supervisor: child process was not spawned

The supervisor was not able to access my web server's directory. I checked the rights of the web server's directory and I got the following result drwx-rwx---- www-data www-data /var/www/

In a next step, I checked if the user to whom OnlyOffice belongs, which is the user "ds", was part of the www-data group. Here is the output of cat /etc/group | grep www-data : ds:x:119:www-data

Hence, "ds" was part of the "www-data" group and I expect it to have the rights to access the web-server's directory /var/www/ . But obviously the "supervisor" tool did not have access.

I changed the owner of the /var/www/ directory to be "ds". And it worked.

I really do not like this setup, the /var/www/ should belong to the "www-data" user and not to the owner of the document server "ds". Why is it, that "ds" must own /var/www/ and can we change this to the more expected behaviour, that if "ds" is part of www-data group it has access to its files?

Thanks a lot.

nils-schween avatar Mar 08 '20 11:03 nils-schween

@agolybev please take a look

ShockwaveNN avatar Mar 10 '20 07:03 ShockwaveNN

Hi @nils-schween, I think you have to install nginx (nginx-extras package) before document server installation. There is a notice about it in the installation guide but it mentioned only Ubuntu releases.

agolybev avatar Mar 10 '20 10:03 agolybev

Hi, @agolybev thanks for your answer. To be honest I am a little bit confused. What does the order of installation change? I would, for example, love to see how the config files in /etc/supervisor/conf.d would look like, if I had installed nginx-extras before the document server. All the ds-*.conf files in this folder contain a line with user=ds This line seems to restrict the access of the supervisor program to folders which are owned by the user "ds". Would there be an additional line, which tells supervisor, that it also has access to folders which belong to the "www-data" group?

Can you post the content of these files for the scenario that the user running the web server (www-data) is different from the user owning the document server (ds)? And are other config files which I have to change.

Once more: thank you. Nils

nils-schween avatar Mar 11 '20 18:03 nils-schween

Is this still an issue tracked? I encountered the same issue and stumbled upon that. It seems to be true that the document services only work when /var/www is owned by ds:ds. Would also be interested in seeing if this could be changed somehow without having to edit all configuration files coming with the onlyoffice-documentserver debian package...

the-technat avatar May 31 '22 08:05 the-technat

@the-technat Hi, the issue is rather old and I think we lost a track of it

Am I right that if

  1. I install DocumentServer from deb package
  2. I change ownership of /vaw/www to www-data

In result, I get a broken installation of DocumentServer?

In other words if before installing DocumentServer /var/www belonged to www-data and www-data has some files in it - after installation of DocumentServer only ds user will have access to those files?

ShockwaveNN avatar May 31 '22 11:05 ShockwaveNN

It's partially right. That's what exactly got to the error:

  1. You setup a nextcloud or something on a debian 11 machine that has it's webroot in /var/www/nextcloud
  2. You ensure the permissions for /var/www recursively are 770 for www-data:www-data.
  3. You install and setup onlyoffice-documentserver (my guide was this one)
  4. the supervisor services of the documentserver all exit with the following error:
supervisor: couldn't chdir to /var/www/onlyoffice/documentserver/server/FileConverter: EACCES
supervisor: child process was not spawned
  1. You try to change the owner of /var/www/onlyoffice to ds:ds and restart the services
  2. The issue still encounters
  3. You change the owner of the /var/www folder (non-recusively) to ds:ds -> now the supervisor services work and if you make sure that /var/www/nextcloud is still owned by www-data:www-data the nextcloud will also work, but it's just a bit ugly that /var/www has to be owned by ds:ds.

Hopefully that clarifies it. Although I have to say that my guide worked in a first try long ago without noticing the permission problem. I only got the issue two days ago when I did an upgrade of the onlyoffice-documentserver & nextcloud and reran the chown command for /var/www. So I can not 100% confirm that the issue is only related to the debian package, it could be a combination with other things.

the-technat avatar May 31 '22 12:05 the-technat

@igwyd Please take a look, this is a good explanation of the problem

@the-technat Thanks for detailed report

ShockwaveNN avatar May 31 '22 12:05 ShockwaveNN

Hello @the-technat, by default the directory /var/www owner is user root(in nginx and apache) and with default permissions ONLYOFFICE DocumentServer install without errors. Why do change owner /var/www?

igwyd avatar Jun 06 '22 11:06 igwyd

@igwyd it was just the easiest way for my backup solution. If I remember correctly the user home of www-data is /var/www, so I placed my scripts in there (run as user www-data). But will definitely try to find another solution for this and switch the owner of /var/www to root.

If this works, I think this issue can be closed as it only appears on non-default setups...

the-technat avatar Jun 06 '22 11:06 the-technat

I can confirm that with the following permissions both nextcloud and onlyoffice work together on the same server (nginx): carbon

I just had to make sure that all users other than root are still allowed to change directory to /var/www, thus the 771.

I think with this it's proven that the issue comes from manipulating permissions to something other than defaults and not from the onlyoffice-documentserver debian package.

Do we want to close this?

the-technat avatar Jun 06 '22 18:06 the-technat

I close this issue. Feel free to comment or reopen it if you got further questions.

Rita-Bubnova avatar Aug 11 '23 21:08 Rita-Bubnova