NC Symlinks not allowed

After a fresh install of DietPi on a Raspi 4B, an external SSD and Nextcloud I got the following error(s) in Nextcloud.
Login into admin works, creating a user also. But login into this user fails with “internal error message”

This is what I found in the NC protocols:
(1)

[core] Error: Following symlinks is not allowed ('/mnt/dietpi_userdata/nextcloud_data/uwjhn/cache' -> '/mnt/7627eacf-bfd9-4168-9bd0-897988222727/dietpi_userdata/nextcloud_data/uwjhn/cache/' not inside '/mnt/dietpi_userdata/nextcloud_data/uwjhn/')

POST /nextcloud/index.php/login
from 192.168.178.35 by uwjhn at 2020-07-15T18:21:40+00:00

(2)

[index] Error: OCP\Files\ForbiddenException: Following symlinks is not allowed at <<closure>>

 0. /var/www/nextcloud/lib/private/Files/Storage/Local.php line 158
    OC\Files\Storage\Local->getSourcePath("/cache")
 1. /var/www/nextcloud/lib/private/Files/Storage/Common.php line 879
    OC\Files\Storage\Local->getMetaData("/cache")
 2. <<closure>>
    OC\Files\Storage\Common->getDirectoryContent("")
 3. /var/www/nextcloud/lib/private/Files/Cache/Scanner.php line 408
    iterator_to_array(Generator {})
 4. /var/www/nextcloud/lib/private/Files/Cache/Scanner.php line 388
    OC\Files\Cache\Scanner->handleChildren("", false, 3, 139, true, 0)
 5. /var/www/nextcloud/lib/private/Files/Cache/Scanner.php line 340
    OC\Files\Cache\Scanner->scanChildren("", false, 3, 139, true)
 6. /var/www/nextcloud/lib/private/Files/View.php line 1339
    OC\Files\Cache\Scanner->scan("", false)
 7. /var/www/nextcloud/lib/private/Files/View.php line 1383
    OC\Files\View->getCacheEntry(OCA\Files_Trashb ... }}, "", "/uwjhn")
 8. /var/www/nextcloud/lib/private/Files/Node/Root.php line 201
    OC\Files\View->getFileInfo("/uwjhn")
 9. /var/www/nextcloud/lib/private/Files/Node/Folder.php line 147
    OC\Files\Node\Root->get("/uwjhn")
10. /var/www/nextcloud/lib/private/Files/Node/Root.php line 384
    OC\Files\Node\Folder->nodeExists("/uwjhn")
11. <<closure>>
    OC\Files\Node\Root->getUserFolder("*** sensitive parameter replaced ***")
12. /var/www/nextcloud/lib/private/Files/Node/LazyRoot.php line 66
    call_user_func_array([OC\Files\Node\Root {},"getUserFolder"], ["*** sensitive parameter replaced ***"])
13. /var/www/nextcloud/lib/private/Files/Node/LazyRoot.php line 283
    OC\Files\Node\LazyRoot->__call("getUserFolder", ["*** sensitive parameter replaced ***"])
14. /var/www/nextcloud/lib/private/Server.php line 1556
    OC\Files\Node\LazyRoot->getUserFolder("*** sensitive parameter replaced ***")
15. /var/www/nextcloud/lib/private/User/Session.php line 552
    OC\Server->getUserFolder("*** sensitive parameter replaced ***")
16. /var/www/nextcloud/lib/private/User/Session.php line 412
    OC\User\Session->prepareUserLogin(true, true)
17. /var/www/nextcloud/lib/private/Authentication/Login/CompleteLoginCommand.php line 44
    OC\User\Session->completeLogin("*** sensitive parameters replaced ***")
18. /var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php line 40
    OC\Authentication\Login\CompleteLoginCommand->process(OC\Authentication\Login\LoginData {})
19. /var/www/nextcloud/lib/private/Authentication/Login/LoggedInCheckCommand.php line 61
    OC\Authentication\Login\ALoginCommand->processNextOrFinishSuccessfully(OC\Authentication\Login\LoginData {})
20. /var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php line 40
    OC\Authentication\Login\LoggedInCheckCommand->process(OC\Authentication\Login\LoginData {})
21. /var/www/nextcloud/lib/private/Authentication/Login/EmailLoginCommand.php line 58
    OC\Authentication\Login\ALoginCommand->processNextOrFinishSuccessfully(OC\Authentication\Login\LoginData {})
22. /var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php line 40
    OC\Authentication\Login\EmailLoginCommand->process(OC\Authentication\Login\LoginData {})
23. /var/www/nextcloud/lib/private/Authentication/Login/UidLoginCommand.php line 54
    OC\Authentication\Login\ALoginCommand->processNextOrFinishSuccessfully(OC\Authentication\Login\LoginData {})
24. /var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php line 40
    OC\Authentication\Login\UidLoginCommand->process(OC\Authentication\Login\LoginData {})
25. /var/www/nextcloud/lib/private/Authentication/Login/UserDisabledCheckCommand.php line 57
    OC\Authentication\Login\ALoginCommand->processNextOrFinishSuccessfully(OC\Authentication\Login\LoginData {})
26. /var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php line 40
    OC\Authentication\Login\UserDisabledCheckCommand->process(OC\Authentication\Login\LoginData {})
27. /var/www/nextcloud/lib/private/Authentication/Login/PreLoginHookCommand.php line 53
    OC\Authentication\Login\ALoginCommand->processNextOrFinishSuccessfully(OC\Authentication\Login\LoginData {})
28. /var/www/nextcloud/lib/private/Authentication/Login/Chain.php line 108
    OC\Authentication\Login\PreLoginHookCommand->process(OC\Authentication\Login\LoginData {})
29. /var/www/nextcloud/core/Controller/LoginController.php line 307
    OC\Authentication\Login\Chain->process(OC\Authentication\Login\LoginData {})
30. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 170
    OC\Core\Controller\LoginController->tryLogin("*** sensitive parameters replaced ***")
31. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 100
    OC\AppFramework\Http\Dispatcher->executeController(OC\Core\Controller\LoginController {}, "tryLogin")
32. /var/www/nextcloud/lib/private/AppFramework/App.php line 137
    OC\AppFramework\Http\Dispatcher->dispatch(OC\Core\Controller\LoginController {}, "tryLogin")
33. /var/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php line 47
    OC\AppFramework\App::main("OC\\Core\\Controller\\LoginController", "tryLogin", OC\AppFramework\ ... {}, {_route: "core.login.tryLogin"})
34. <<closure>>
    OC\AppFramework\Routing\RouteActionHandler->__invoke({_route: "core.login.tryLogin"})
35. /var/www/nextcloud/lib/private/Route/Router.php line 297
    call_user_func(OC\AppFramework\ ... {}, {_route: "core.login.tryLogin"})
36. /var/www/nextcloud/lib/base.php line 1007
    OC\Route\Router->match("/login")
37. /var/www/nextcloud/index.php line 37
    OC::handleRequest()

POST /nextcloud/index.php/login
from 192.168.178.35 by uwjhn at 2020-07-15T18:21:40+00:00

Hi,

many thanks for your report. Yes indeed, that’s a behaviour of NextCloud since the beginning and works as designed. Unfortunately NextCloud Devs are not willing to change this. However there is a workaround provided by a user on NextCloud GitHub.

https://github.com/nextcloud/server/issues/1257#issuecomment-263228234

The file to be changed is:

nano /var/www/nextcloud/lib/private/Files/Storage/Local.php

Search for allowSymlinks and set it to true. Don’t know if needed, but I restarted all services using dietpi-services restart

Pls keep in mind that it might be possible that the change will be reverted on a NextCloud software update.

Btw, on my test it was needed to delete NC users and re-create them (don’t ask me why). Afterwards I could login to NextCloud.

2 Likes

thanks. this workaround helped.

Hmm in this case it looks like a Nextcloud bug to me since the symlink is pointing from inside the data dir to inside, respectively the whole Nextcloud data dir symlinked and there is no symlink inside, is it?

I remember a similar issue when doing a fresh Nextcloud install and using the dietpi_userdata symlink location as data dir argument, it failed. For this reason dietpi-software always expands the path completely before giving it as data dir argument. However I never saw similar issue on operation afterwards, especially since Nextcloud should always use the real path now. But you installed via dietpi-software, right? You moved dietpi_userdata to the external drive before or after Nextcloud install?

I have an open bug report on Nextcloud for ages about this topic to allow the whole data dir to be inside a symlinked location, will review and refresh.

MichaIng
Best to my knowledge, NextCloud Devs don’t like the symlinks due to security reasons. They don’t like that users could break out of their home dir. Even if there is no security breach as the symlink is on OS and transparent for NextCloud. There are quite some issues on GitHub requesting this feature…

But as said, in this case the symlink is not inside the data dir, hence it is impossible to use it to break out.

I found my issue: https://github.com/nextcloud/server/issues/12247
And whoopsie, our workaround is different: The symlink check was until then only done wrong for the skeleton dir transfer, since the skeleton dir is outside the data dir. So we simply transfer the skeleton dir manually as everything else succeeds perfectly fine.

The problem there is when files are transferred from(/to) places outside of the data dir. What I just never understood is why copying the skeleton files can succeed even without symlink because regardless of symlink one dir is outside the allowed places.

In OP case now, the transfer is from and to a user-specific dir. Nextcloud should actually always compare the real path, as outlined in the issue, but probably in the particular case of cache, it is missing.
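The point made above (compare real paths on both sides of the check), as an added example that is not Nextcloud's code and not part of the original posts. It builds a constructed layout in which the data directory is reached through a symlink, as in the log entry at the top of the thread, plus one symlink that really does leave the user directory; the function names and the layout are assumptions made for the illustration.

```python
import os
import tempfile


def naive_is_inside(path, base):
    """Resolve only the target, then prefix-match against the unresolved base."""
    real = os.path.realpath(path)
    return (real + os.sep).startswith(base.rstrip(os.sep) + os.sep)


def strict_is_inside(path, base):
    """Resolve both sides before comparing, so a symlinked base is harmless."""
    real = os.path.realpath(path)
    real_base = os.path.realpath(base)
    return os.path.commonpath([real, real_base]) == real_base


def build_layout(root):
    """Constructed layout: <root>/userdata is a symlink to <root>/disk/userdata."""
    disk_user = os.path.join(root, "disk", "userdata", "nextcloud_data", "alice")
    os.makedirs(os.path.join(disk_user, "cache"))
    os.makedirs(os.path.join(root, "outside"))
    os.symlink(os.path.join(root, "disk", "userdata"), os.path.join(root, "userdata"))
    # A symlink inside the user dir whose target really is outside it.
    os.symlink(os.path.join(root, "outside"), os.path.join(disk_user, "escape"))
    return os.path.join(root, "userdata", "nextcloud_data", "alice")


def demo():
    with tempfile.TemporaryDirectory() as root:
        user_dir = build_layout(root)
        cache = os.path.join(user_dir, "cache")
        escape = os.path.join(user_dir, "escape")
        return {
            "naive_cache": naive_is_inside(cache, user_dir),
            "strict_cache": strict_is_inside(cache, user_dir),
            "naive_escape": naive_is_inside(escape, user_dir),
            "strict_escape": strict_is_inside(escape, user_dir),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'rejected'}")
```

The one-sided check rejects the ordinary `cache` directory only because the data directory itself sits behind a symlink, while the two-sided check accepts it and still rejects the link that leaves the user directory.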

nice find
gives me some hope
i have an external ntfs hdd with all my media
tried to mount it in nextcloud but unfortunately seems they don't support ntfs and drive must be formatted to some exotic filetype
anyway the storage plugin was a no go so symlinks if they work would be great
problem is i use nextcloud:fpm docker
created symlink under /var/lib/docker/volumes/ncfpm_nextcloud/_data/data/user_name/files
but the Local.php that is located under
/var/lib/docker/volumes/ncfpm_nextcloud/_data/lib/private/Files/Storage/Local.php
is a bit different than your example.
there is no allowSymlinks entry under class Local extends
it is like this
class Local extends \OC\Files\Storage\Common {
protected $datadir;

protected $dataDirLength;

protected $realDataDir;

adding
protected $allowSymlinks = true;

and occ files:scan --all , dietpi-services restart , reboot don't work

changing the ‘localstorage.allowsymlinks’ => false, under public function getSourcePath to true also doesn't work
keeping both protected $allowSymlinks = true; and ‘localstorage.allowsymlinks’ => true also the same
deleting and recreating symlinks same

so
any ideas appreciated

well you are running NextCloud inside a docker container, correct?

Means all tools, like ncc files:scan --all or dietpi-services, you are going to use on DietPi command line will have no effect to the container. Probably better to check with the provider of the container how to get the external storage plugin configured and/or how to connect an external device to the NextCloud docker container correctly.

ok
so
i finally made my “already mounted in the host and already functional with other apps and docker containers but not with nextcloud” external ntfs hard drive to show up in nextcloud with mount --bind
after unsuccessfully tried with ‘external storage app’ , adding uid-gid in fstab and the symlink workaround

i am using the nextcloud:fpc docker container so the path is a bit different in my case
hard drive is mounted in host under /mnt/700C216E0C213110
mount --bind /mnt/700C216E0C213110/photos /var/lib/docker/volumes/ncfpm_nextcloud/_data/data/user_name/files/photos
and then
docker exec --user www-data container_id php occ files:scan --all

docker exec --user www-data container_id php occ files:scan --all

yep that’s the correct way to execute commands inside the container. 🙂

i know how to run occ on a docker container
reason external storage previously didn't work is not that i didn't enter the correct files:scan