Topic: Nextcloud: set the maintenance tasks

[Arnaud]

Hello,

I installed nextcloud according to our wiki and I have an issue concerning the maintenance tasks.
I would like to run these tasks over a cron job and I tried the parameters given into the wiki: https://wiki.contribs.org/OwnCloud#Maintenance_tasks

Unfortunately, Nextcloud informs me that the tasks do not run.

Therefore, I tried to make the configuration of the cron over another way: over templates-custom
- I created a file /etc/e-smith/templates-custom/etc/crontab/40nextcloud containing the given entry: (php7.0 is enabeld for this ibay)

Code: [Select]

*/15  *  *  *  * apache scl enable php70 'php -f /home/e-smith/files/ibays/nextcloud/html/cron.php > /dev/null 2>&1'- expand-template /etc/crontab
- service crond restart

But it makes no change.

"apache" seems not the have the permissions to reach the file cron.php:

Code: [Select]

# su -s /bin/bash apache
bash-4.1$ ls /home/e-smith/files/ibays/nextcloud/html
ls: impossible d'ouvrir le répertoire /home/e-smith/files/ibays/nextcloud/html: Permission non accordée
but Nextcloud is running => apache must for sure be able to read the folder.....

So where is my mistake?

Thanks in advance.

Arnaud

[mab974]

Hi,

Code: [Select]

*/15 * * * * admin scl enable php56 "php -f /home/e-smith/files/ibays/nextcloud/html/cron.php"
works for me.

[Arnaud]

hi,
thanks for your indication.
Unfortunately, even run as "admin" instead of "apache" it still doesn't work.

The difference is that logged as "admin", it is possible to reach the script cron.php but it doesn't work due to not matching user:

Code: [Select]

# su -s /bin/bash admin
$ cd /home/e-smith/files/ibays/nextcloud/html/
$ scl enable php70 'php -f cron.php'
Console has to be executed with the same user as the web server is operated
Current user: admin
Web server user:
I removed the "/dev/null 2>&1"  in order to see something.

Nextcloud indicates that the maintenance tasks have not been run.

I wonder that the script can be run as user "admin" by you.

[mab974]

Arnaud,

cron.php compares  the user who executes and the owner of ./config/config.php. You have to adjust that.

Otherwise, the permission problem with apache is rather stange. Can you show us

db accounts show nextcloud

and

ls -l /home/e-smith/files/ibays/nextclown/html

[Arnaud]

Hi,
you were on the right way: there were some issues with the permissions of the html folder.
Now the maintenance tasks are done.
The working config is:

Code: [Select]

# db accounts show nextcloud
nextcloud=ibay
    AllowOverride=All
    CgiBin=enabled
    FollowSymLinks=enabled
    Gid=5117
    Group=groupe-nextcloud
    Name=nextcloud
    PasswordSet=no
    PhpVersion=php70
    PublicAccess=local
    SSL=enabled
    Uid=5117
    UserAccess=wr-group-rd-everyone
and

Code: [Select]

# ls -l /home/e-smith/files/ibays/nextcloud/html
total 116
drwxrwsr-x 33 apache groupe-nextcloud  4096  6 févr. 01:40 3rdparty
drwxrwsr-x 37 apache groupe-nextcloud  4096 10 févr. 10:37 apps
-rw-rw-r--  1 apache groupe-nextcloud 12063  6 févr. 01:38 AUTHORS
drwxrwsr-x  2 apache groupe-nextcloud  4096 16 févr. 18:36 config
-rw-rw-r--  1 apache groupe-nextcloud  3593  6 févr. 01:38 console.php
drwxrwsr-x 17 apache groupe-nextcloud  4096  6 févr. 01:40 core
-rw-rw-r--  1 apache groupe-nextcloud  4946  6 févr. 01:38 cron.php
drwxrwx---  6 apache groupe-nextcloud  4096  9 févr. 20:14 data
-rw-rw-r--  1 apache groupe-nextcloud     0 14 août   2016 fichier-texte
-rw-rw-r--  1 apache groupe-nextcloud   179  6 févr. 01:38 index.html
-rw-rw-r--  1 apache groupe-nextcloud  3417  6 févr. 01:38 index.php
drwxrwsr-x  3 apache groupe-nextcloud  4096  6 févr. 01:38 l10n
drwxrwsr-x  6 apache groupe-nextcloud  4096  6 févr. 01:38 lib
-rw-rw-r--  1 apache groupe-nextcloud   283  6 févr. 01:38 occ
drwxrwsr-x  2 apache groupe-nextcloud  4096  6 févr. 01:38 ocs
drwxrwsr-x  2 apache groupe-nextcloud  4096  6 févr. 01:38 ocs-provider
-rw-rw-r--  1 apache groupe-nextcloud  3214  6 févr. 01:38 public.php
-rw-rw-r--  1 apache groupe-nextcloud  5370  6 févr. 01:38 remote.php
drwxrwsr-x  4 apache groupe-nextcloud  4096  6 févr. 01:38 resources
-rw-rw-r--  1 apache groupe-nextcloud    26  6 févr. 01:38 robots.txt
drwxrwsr-x 14 apache groupe-nextcloud  4096  6 févr. 01:38 settings
-rw-rw-r--  1 apache groupe-nextcloud  2274  6 févr. 01:38 status.php
drwxrwsr-x  3 apache groupe-nextcloud  4096  6 févr. 01:38 themes
drwxrwsr-x  2 apache groupe-nextcloud  4096  8 févr. 19:18 tmp
drwxrwsr-x  2 apache groupe-nextcloud  4096  6 févr. 01:38 updater
-rw-rw-r--  1 apache groupe-nextcloud   363  6 févr. 01:40 version.php

The mistakes were:
- "my_user" was owner of all the files (because of copying the files by the installation over samba)=> issue with cron.php because of non matching user (as you explained)
=> I "choowned" cron.php to apache
=> then nexcloud claimed for permission for folders "config" and "apps"
So I "chowned" all the folder html

- the other mistake was the permissions set for the ibay: inspite "UserAccess=wr-group-rd-everyone" is written into the wiki, I had "UserAccess=wr-group-rd-group" because I didn't want that everyone can read the folders over samba.

I'm surprised about this: it is the first time that permissions for samba have an effect on the www behavior of the ibay (therefore I didn't give the "read" for everyone).
On the other hand, during this writing I'm realizing that this script has nothing to do with www, it is in fact the normal way to run a command: the user (apache in this case) must have enough permissions on the files and folder...
As "apache" isn't "admin" and doesn't belong to the group, the files and folders have to be set for "everyone"!

Questions: do you run the tasks as "admin" to avoid giving read permission for everyone on this ibay? Does "admin" belong to your group for the ibay?

Many thanks in any case for your help!

Arnaud

[janet]

Arnaud

A fundamental part of managing Koozali SME server is the use of Groups, even if you only have two or a few users.
In most cases you should configure various Groups.

You should use Groups to control (allow/disallow) access to ibays for certain groups of Users ie via local samba access over the LAN. Usually you limit access to all users except those who directly maintain a website in an ibay & do so via samba over LAN.

The ibay permissions you refer to & configure when setting up an ibay relate to that type of access.

Web access is controlled using different settings (also selected in server manager when setting up an ibay).

Be careful not to confuse the two.

[mab974]

Questions: do you run the tasks as "admin" to avoid giving read permission for everyone on this ibay? Does "admin" belong to your group for the ibay?

Yes, most of the time my ibays belongs to admin. I give write access only to "www" on data directories (and on config files when needed). that specific test in nextcloud forces me to change my way of doing things.    Besides, I rarely use specific groups and never samba.

[Jean-Philippe Pialasse]

Arnaud,

you have an issue with your shadow passwrd files as your files are shown to belong to apache and not to www.

this is likely caused by the use of affa.

this cause an inversion of apache and www  in the files. This usually cause no issue, but sometime will (mailman is an example)

[Arnaud]

Hi,

Be careful not to confuse the two.

yes, that is what happened: I forgot/didn't think that running the script isn't web acces!
Thanks to present clearly the difference once again.

@mab974: as you said, I set /config/config.php as owned by "admin", run the cron as "admin" and then I could use more restrictive permissions (r+w for group only) for the ibay.  Much better! (at least as long as the script doesn't use the admin rights to do bad things...)

@jpp: thanks for your attention! In this case it is because I changed manually the owner of the files from "user" to "apache" (because "apache" is given into the wiki to run the maintenance script).
Reading your comment, I can then remember that I had this issue apache/www with mailman.
But I think having done already the right corrections: as written into the wiki of mailman https://wiki.contribs.org/Mailman#.22www.22_instead_of_.22apache I changed the id of apache from 48 to 102. Now:

Code: [Select]

# id -u apache
102
# id -u www
102
# getent group
...
apache:x:102:
www:x:102:admin,apache,www
...
Question: when I set chmod -R www .../html/* the ls -l .../html gives "apache" again as owner => is it correct?

Bye Arnaud

[mmccarn]

Question: when I set chmod -R www .../html/* the ls -l .../html gives "apache" again as owner => is it correct?

"www" and "apache" are both user id number 102 on my SME 9.2:

Code: [Select]

# grep www /etc/passwd
www:x:102:102:SME Server web server:/home/e-smith:/bin/false
apache:x:102:102:Apache:/var/www:/sbin/nologin


[Arnaud]

Hi,
I have this too, but in the opposite order: "apache" before "www"

Code: [Select]

# grep www /etc/passwd
apache:x:102:102:Apache:/var/www:/sbin/nologin
www:x:102:102:SME Server web server:/home/e-smith:/bin/false

I remember having modified the order a long time ago, but I can't remember why....Mailman??
So I can't say if my current order is modified or original....
Do you know if you changed it manually?

[mmccarn]

I have not edited /etc/passwd on my current system.

It shouldn't matter functionally - both names refer to user ID 102.  It appears that the order controls what name is shown by the OS - so my system, with "www" before "apache" in /etc/passwd, shows "www", while yours shows "apache":

Code: [Select]

# ls -l /home/e-smith/files/ibays/smokeping
total 44
drwxrwsr-x 2 www admin 4096 Jul  7  2017 bin
drwxrwsr-x 3 www admin 4096 Jul  8  2017 cgi-bin
drwxr-xr-x 6 www admin 4096 Jul  8  2017 data
drwxrwsr-x 3 www admin 4096 Feb 25 11:56 etc
drwxrwsr-x 5 www admin 4096 Feb 25 11:14 files
drwxrwsr-x 3 www admin 4096 Jul  7  2017 htdocs
drwxrwsr-x 4 www admin 4096 Jul  8  2017 html
drwxrwsr-x 3 www admin 4096 Jul  7  2017 lib
drwxrwsr-x 3 www admin 4096 Jul  7  2017 share
drwxrwsr-x 7 www admin 4096 Feb 25 09:54 thirdparty
drwxrwsr-x 2 www admin 4096 Jul  7  2017 var

# ls -ln /home/e-smith/files/ibays/smokeping
total 44
drwxrwsr-x 2 102 101 4096 Jul  7  2017 bin
drwxrwsr-x 3 102 101 4096 Jul  8  2017 cgi-bin
drwxr-xr-x 6 102 101 4096 Jul  8  2017 data
drwxrwsr-x 3 102 101 4096 Feb 25 11:56 etc
drwxrwsr-x 5 102 101 4096 Feb 25 11:14 files
drwxrwsr-x 3 102 101 4096 Jul  7  2017 htdocs
drwxrwsr-x 4 102 101 4096 Jul  8  2017 html
drwxrwsr-x 3 102 101 4096 Jul  7  2017 lib
drwxrwsr-x 3 102 101 4096 Jul  7  2017 share
drwxrwsr-x 7 102 101 4096 Feb 25 09:54 thirdparty
drwxrwsr-x 2 102 101 4096 Jul  7  2017 var


[Arnaud]

OK, thanks for the information.
I will let my system as it is (never change a running system).
I have made a note about www/apache and I hope that I will remember that I have the note if a problem occurs...

Bye
Arnaud