[Bug]: nextcloud-init-sync.lock considered as extra file by the scanner
⚠️ This issue respects the following points: ⚠️
- [X] This is a bug, not a question or a configuration/webserver/proxy issue.
- [X] This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
- [X] Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- [X] I agree to follow Nextcloud's Code of Conduct.
Bug description
I get a warning that some files don't pass the integrity checks and when I look at the details, I get:
Technical information
=====================
The following list covers which files have failed the integrity check. Please read
the previous linked documentation to learn more about the errors and how to fix
them.
Results
=======
- core
  - EXTRA_FILE
    - nextcloud-init-sync.lock
Raw output
==========
Array
(
    [core] => Array
        (
            [EXTRA_FILE] => Array
                (
                    [nextcloud-init-sync.lock] => Array
                        (
                            [expected] =>
                            [current] =>
                        )
                )
        )
)
Looking at the logs, I can see:
{"reqId":"zDBWUSdnTLLbD8uhFxoM","level":3,"time":"2023-09-23T10:04:31+02:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"hash_file(/var/www/html/nextcloud-init-sync.lock): Failed to open stream: Permission denied at /var/www/html/lib/private/IntegrityCheck/Checker.php#211","userAgent":"--","version":"27.1.0.7","data":{"app":"PHP"},"id":"650ea3672af6f"}
But this file is created by Nextcloud itself in the container, so it's weird.
Checking the file permissions inside the container:
-rw------- 1 root root 0 Sep 23 08:02 /var/www/html/nextcloud-init-sync.lock
I changed the ownership to www-data:www-data in the container and the above error disappeared, but the integrity check continues to fail.
Steps to reproduce
- Open the admin main screen
- See the warning
- Follow the link
Expected behavior
This file should not be considered in the integrity check
Installation method
Community Docker image
Nextcloud Server version
27
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.2
Web server
Apache (supported)
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
Upgraded to a MAJOR version (ex. 22 to 23)
Are you using the Nextcloud Server Encryption module?
Encryption is Disabled
What user-backends are you using?
- [X] Default user-backend (database)
- [ ] LDAP/ Active Directory
- [ ] SSO - SAML
- [ ] Other
Configuration report
{
"system": {
"installed": true,
"datadirectory": "***REMOVED SENSITIVE VALUE***",
"instanceid": "***REMOVED SENSITIVE VALUE***",
"htaccess.RewriteBase": "\/",
"default_language": "fr",
"default_locale": "fr_FR",
"knowledgebaseenabled": true,
"default_phone_region": "FR",
"apps_paths": [
{
"path": "\/var\/www\/html\/apps",
"url": "\/apps",
"writable": false
},
{
"path": "\/var\/www\/html\/custom_apps",
"url": "\/custom_apps",
"writable": true
}
],
"memcache.local": "\\OC\\Memcache\\APCu",
"memcache.distributed": "\\OC\\Memcache\\Redis",
"memcache.locking": "\\OC\\Memcache\\Redis",
"redis": {
"host": "***REMOVED SENSITIVE VALUE***",
"password": "***REMOVED SENSITIVE VALUE***",
"port": 6379
},
"mail_sendmailmode": "smtp",
"mail_smtpmode": "smtp",
"mail_smtphost": "***REMOVED SENSITIVE VALUE***",
"mail_smtpport": "587",
"mail_smtpauth": true,
"mail_smtpauthtype": "LOGIN",
"mail_smtpname": "***REMOVED SENSITIVE VALUE***",
"mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
"mail_from_address": "***REMOVED SENSITIVE VALUE***",
"mail_domain": "***REMOVED SENSITIVE VALUE***",
"passwordsalt": "***REMOVED SENSITIVE VALUE***",
"secret": "***REMOVED SENSITIVE VALUE***",
"twofactor_enforced": "false",
"twofactor_enforced_groups": [
"admin"
],
"twofactor_enforced_excluded_groups": [],
"overwritehost": "nextcloud.<my domain>",
"overwrite.cli.url": "https:\/\/nextcloud.<my domain>",
"overwriteprotocol": "https",
"trusted_domains": [
"localhost",
"192.168.1.8",
"nextcloud.<my domain>",
"blog.<my domain>"
],
"trusted_proxies": "***REMOVED SENSITIVE VALUE***",
"dbtype": "mysql",
"version": "27.1.1.0",
"dbname": "***REMOVED SENSITIVE VALUE***",
"dbhost": "***REMOVED SENSITIVE VALUE***",
"dbport": "",
"dbtableprefix": "oc_",
"mysql.utf8mb4": true,
"dbuser": "***REMOVED SENSITIVE VALUE***",
"dbpassword": "***REMOVED SENSITIVE VALUE***",
"logtimezone": "Europe\/Paris",
"loglevel": 2,
"maintenance": false,
"app_install_overwrite": [
"audioplayer",
"previewgenerator",
"keeweb"
],
"theme": "",
"mail_smtpsecure": "TLS"
}
}
List of activated Apps
Enabled:
- audioplayer: 3.4.0
- calendar: 4.5.1
- cloud_federation_api: 1.10.0
- comments: 1.17.0
- contacts: 5.4.2
- contactsinteraction: 1.8.0
- dashboard: 7.7.0
- dav: 1.27.0
- federatedfilesharing: 1.17.0
- files: 1.22.0
- files_external: 1.19.0
- files_pdfviewer: 2.8.0
- files_reminders: 1.0.0
- files_rightclick: 1.6.0
- files_sharing: 1.19.0
- files_trashbin: 1.17.0
- files_versions: 1.20.0
- firstrunwizard: 2.16.0
- groupfolders: 15.3.1
- keeweb: 0.6.13
- logreader: 2.12.0
- lookup_server_connector: 1.15.0
- mail: 3.4.0
- nextcloud_announcements: 1.16.0
- notifications: 2.15.0
- oauth2: 1.15.1
- password_policy: 1.17.0
- photos: 2.3.0
- previewgenerator: 5.3.0
- privacy: 1.11.0
- provisioning_api: 1.17.0
- recommendations: 1.6.0
- related_resources: 1.2.0
- settings: 1.9.0
- sharebymail: 1.17.0
- suspicious_login: 5.0.0
- text: 3.8.0
- theming: 2.2.0
- twofactor_backupcodes: 1.16.0
- updatenotification: 1.17.0
- user_status: 1.7.0
- viewer: 2.1.0
- weather_status: 1.7.0
- workflowengine: 2.9.0
Disabled:
- activity: 2.19.0 (installed 2.13.4)
- admin_audit: 1.17.0
- bruteforcesettings: 2.7.0 (installed 2.0.1)
- circles: 27.0.1 (installed 0.20.6)
- encryption: 2.15.0 (installed 2.5.0)
- federation: 1.17.0 (installed 1.7.0)
- serverinfo: 1.17.0 (installed 1.4.0)
- support: 1.10.0 (installed 1.0.0)
- survey_client: 1.15.0 (installed 1.2.0)
- systemtags: 1.17.0 (installed 1.4.0)
- twofactor_totp: 9.0.0 (installed 5.0.0)
- user_ldap: 1.17.0
Nextcloud Signing status
see above, this is precisely the issue
Nextcloud Logs
24MB, only adding related errors:
{"reqId":"zDBWUSdnTLLbD8uhFxoM","level":3,"time":"2023-09-23T10:04:31+02:00","remoteAddr":"","user":"--","app":"PHP","method":"","url":"--","message":"hash_file(/var/www/html/nextcloud-init-sync.lock): Failed to open stream: Permission denied at /var/www/html/lib/private/IntegrityCheck/Checker.php#211","userAgent":"--","version":"27.1.0.7","data":{"app":"PHP"},"id":"650ea3672af6f"}
Additional info
No response
I didn't rerun the scan after changing the file owner; now the error has disappeared, but still I should not have to change the owner of this file myself.
This file isn't created by Nextcloud, but by the community Docker image's entrypoint.sh
How are your underlying volume mounts defined in your Docker? Either your Docker compose or command-line?
Because the resulting ownership should be more like:
-rw-r--r-- 1 root root 0 Sep 19 15:24 nextcloud-init-sync.lock
And are you by chance running Docker under a different user or rootless?
Related: #2057
Thanks for your answer @joshtrichards. My docker is running as a Linux service so they are root:
UID PID PPID C STIME TTY STAT TIME CMD
root 2692 1347 0 oct.02 ? Sl 0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8081 -container-ip 172.20.0.2 -container-port 80
root 2704 1347 0 oct.02 ? Sl 0:00 /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 8081 -container-ip 172.20.0.2 -container-port 80
and the mounts are done like this (docker compose extract):
volumes:
- nextcloud2:/var/www/html
- ./config:/var/www/html/config
- /hdd/nextcloud:/var/www/html/data
- ./apps:/var/www/html/apps
What is your underlying host OS/version, host hardware platform, libseccomp version, and Docker Engine version?
When you restart the Nextcloud app container are there any interesting bits in the Docker logs for the container during startup?
I'm running Nextcloud on a Raspberry Pi 4 with RaspberryPi OS
$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
$ dpkg-query -s libseccomp2
Package: libseccomp2
Status: install ok installed
Priority: optional
Section: libs
Installed-Size: 146
Maintainer: Kees Cook <[email protected]>
Architecture: arm64
Multi-Arch: same
Source: libseccomp
Version: 2.5.1-1+deb11u1
Depends: libc6 (>= 2.17)
$ docker -v
Docker version 24.0.6, build ed223bc
After a docker restart on the container, I don't get anything interesting in the logs (knowing that the error disappeared since I chmoded the file myself)
192.168.1.8 - olivier [31/Oct/2023:10:08:15 +0000] "PROPFIND /remote.php/dav/files/olivier/ HTTP/1.1" 207 1116 "-" "Mozilla/5.0 (Windows) mirall/3.10.1stable-Win64 (build 20231025) (Nextcloud, windows-10.0.22635 ClientArchitecture: x86_64 OsArchitecture: x86_64)"
[Tue Oct 31 10:08:15.867480 2023] [mpm_prefork:notice] [pid 1] AH00170: caught SIGWINCH, shutting down gracefully
192.168.1.8 - - [31/Oct/2023:10:08:16 +0000] "GET /ocs/v2.php/apps/notifications/api/v2/notifications HTTP/1.1" 304 785 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0"
Configuring Redis as session handler
=> Searching for scripts (*.sh) to run, located in the folder: /docker-entrypoint-hooks.d/before-starting
==> but the hook folder "before-starting" is empty, so nothing to do
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.20.0.2. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.20.0.2. Set the 'ServerName' directive globally to suppress this message
[Tue Oct 31 10:08:32.107508 2023] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.57 (Debian) PHP/8.2.12 configured -- resuming normal operations
[Tue Oct 31 10:08:32.107656 2023] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
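
The EXTRA_FILE result discussed in this thread, as an added example that is not part of the original issue and is not Nextcloud's Checker.php: a simplified Python model of a manifest-based integrity check, showing why a lock file dropped into the web root by an entrypoint script is reported and how an exact-path ignore list removes it. The function names, the `IGNORED` set and the sample files are assumptions constructed for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical ignore list. Entries are exact paths relative to the root, not
# patterns, so a file with the same name in a subdirectory is still reported.
IGNORED = frozenset({"nextcloud-init-sync.lock"})

def digest(path):
    """SHA-512 hex digest, or "" when the file cannot be read (for example a
    root-owned 0600 file read by the web server user, as in the log above)."""
    try:
        return hashlib.sha512(path.read_bytes()).hexdigest()
    except OSError:
        return ""

def verify(root, manifest, ignored=frozenset()):
    """Compare the files under root with manifest {relative path: digest}."""
    result, seen = {}, set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel in ignored:
            continue
        seen.add(rel)
        current, expected = digest(path), manifest.get(rel)
        if expected is None:
            # Present on disk but absent from the signed manifest.
            result.setdefault("EXTRA_FILE", {})[rel] = {"expected": "", "current": current}
        elif current != expected:
            result.setdefault("INVALID_HASH", {})[rel] = {"expected": expected, "current": current}
    for rel in sorted(set(manifest) - seen - set(ignored)):
        result.setdefault("FILE_MISSING", {})[rel] = {"expected": manifest[rel], "current": ""}
    return result

def demo():
    """Constructed sample tree: one signed file plus the entrypoint's lock file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php // constructed sample\n")
        manifest = {"index.php": digest(root / "index.php")}
        (root / "nextcloud-init-sync.lock").touch(mode=0o600)
        return verify(root, manifest), verify(root, manifest, IGNORED)

if __name__ == "__main__":
    strict, relaxed = demo()
    print("without ignore list:", strict)
    print("with ignore list:   ", relaxed)
```
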