NC Symlinks not allowed Topic is solved

uwjhn
Posts: 4
Joined: Wed Jul 15, 2020 8:28 pm

NC Symlinks not allowed

Post by uwjhn »

After a fresh install of DietPi on a Raspi 4B, an external SSD and Nextcloud, I got the following error(s) in Nextcloud.
Login into admin works, creating a user also. But login into this user fails with "internal error message".

This is what I found in the NC protocols:
(1)

Code:

[core] Error: Following symlinks is not allowed ('/mnt/dietpi_userdata/nextcloud_data/uwjhn/cache' -> '/mnt/7627eacf-bfd9-4168-9bd0-897988222727/dietpi_userdata/nextcloud_data/uwjhn/cache/' not inside '/mnt/dietpi_userdata/nextcloud_data/uwjhn/')

POST /nextcloud/index.php/login
from 192.168.178.35 by uwjhn at 2020-07-15T18:21:40+00:00
(2)

Code:

[index] Error: OCP\Files\ForbiddenException: Following symlinks is not allowed at <<closure>>

 0. /var/www/nextcloud/lib/private/Files/Storage/Local.php line 158
    OC\Files\Storage\Local->getSourcePath("/cache")
 1. /var/www/nextcloud/lib/private/Files/Storage/Common.php line 879
    OC\Files\Storage\Local->getMetaData("/cache")
 2. <<closure>>
    OC\Files\Storage\Common->getDirectoryContent("")
 3. /var/www/nextcloud/lib/private/Files/Cache/Scanner.php line 408
    iterator_to_array(Generator {})
 4. /var/www/nextcloud/lib/private/Files/Cache/Scanner.php line 388
    OC\Files\Cache\Scanner->handleChildren("", false, 3, 139, true, 0)
 5. /var/www/nextcloud/lib/private/Files/Cache/Scanner.php line 340
    OC\Files\Cache\Scanner->scanChildren("", false, 3, 139, true)
 6. /var/www/nextcloud/lib/private/Files/View.php line 1339
    OC\Files\Cache\Scanner->scan("", false)
 7. /var/www/nextcloud/lib/private/Files/View.php line 1383
    OC\Files\View->getCacheEntry(OCA\Files_Trashb ... }}, "", "/uwjhn")
 8. /var/www/nextcloud/lib/private/Files/Node/Root.php line 201
    OC\Files\View->getFileInfo("/uwjhn")
 9. /var/www/nextcloud/lib/private/Files/Node/Folder.php line 147
    OC\Files\Node\Root->get("/uwjhn")
10. /var/www/nextcloud/lib/private/Files/Node/Root.php line 384
    OC\Files\Node\Folder->nodeExists("/uwjhn")
11. <<closure>>
    OC\Files\Node\Root->getUserFolder("*** sensitive parameter replaced ***")
12. /var/www/nextcloud/lib/private/Files/Node/LazyRoot.php line 66
    call_user_func_array([OC\Files\Node\Root {},"getUserFolder"], ["*** sensitive parameter replaced ***"])
13. /var/www/nextcloud/lib/private/Files/Node/LazyRoot.php line 283
    OC\Files\Node\LazyRoot->__call("getUserFolder", ["*** sensitive parameter replaced ***"])
14. /var/www/nextcloud/lib/private/Server.php line 1556
    OC\Files\Node\LazyRoot->getUserFolder("*** sensitive parameter replaced ***")
15. /var/www/nextcloud/lib/private/User/Session.php line 552
    OC\Server->getUserFolder("*** sensitive parameter replaced ***")
16. /var/www/nextcloud/lib/private/User/Session.php line 412
    OC\User\Session->prepareUserLogin(true, true)
17. /var/www/nextcloud/lib/private/Authentication/Login/CompleteLoginCommand.php line 44
    OC\User\Session->completeLogin("*** sensitive parameters replaced ***")
18. /var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php line 40
    OC\Authentication\Login\CompleteLoginCommand->process(OC\Authentication\Login\LoginData {})
19. /var/www/nextcloud/lib/private/Authentication/Login/LoggedInCheckCommand.php line 61
    OC\Authentication\Login\ALoginCommand->processNextOrFinishSuccessfully(OC\Authentication\Login\LoginData {})
20. /var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php line 40
    OC\Authentication\Login\LoggedInCheckCommand->process(OC\Authentication\Login\LoginData {})
21. /var/www/nextcloud/lib/private/Authentication/Login/EmailLoginCommand.php line 58
    OC\Authentication\Login\ALoginCommand->processNextOrFinishSuccessfully(OC\Authentication\Login\LoginData {})
22. /var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php line 40
    OC\Authentication\Login\EmailLoginCommand->process(OC\Authentication\Login\LoginData {})
23. /var/www/nextcloud/lib/private/Authentication/Login/UidLoginCommand.php line 54
    OC\Authentication\Login\ALoginCommand->processNextOrFinishSuccessfully(OC\Authentication\Login\LoginData {})
24. /var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php line 40
    OC\Authentication\Login\UidLoginCommand->process(OC\Authentication\Login\LoginData {})
25. /var/www/nextcloud/lib/private/Authentication/Login/UserDisabledCheckCommand.php line 57
    OC\Authentication\Login\ALoginCommand->processNextOrFinishSuccessfully(OC\Authentication\Login\LoginData {})
26. /var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php line 40
    OC\Authentication\Login\UserDisabledCheckCommand->process(OC\Authentication\Login\LoginData {})
27. /var/www/nextcloud/lib/private/Authentication/Login/PreLoginHookCommand.php line 53
    OC\Authentication\Login\ALoginCommand->processNextOrFinishSuccessfully(OC\Authentication\Login\LoginData {})
28. /var/www/nextcloud/lib/private/Authentication/Login/Chain.php line 108
    OC\Authentication\Login\PreLoginHookCommand->process(OC\Authentication\Login\LoginData {})
29. /var/www/nextcloud/core/Controller/LoginController.php line 307
    OC\Authentication\Login\Chain->process(OC\Authentication\Login\LoginData {})
30. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 170
    OC\Core\Controller\LoginController->tryLogin("*** sensitive parameters replaced ***")
31. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 100
    OC\AppFramework\Http\Dispatcher->executeController(OC\Core\Controller\LoginController {}, "tryLogin")
32. /var/www/nextcloud/lib/private/AppFramework/App.php line 137
    OC\AppFramework\Http\Dispatcher->dispatch(OC\Core\Controller\LoginController {}, "tryLogin")
33. /var/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php line 47
    OC\AppFramework\App::main("OC\\Core\\Controller\\LoginController", "tryLogin", OC\AppFramework\ ... {}, {_route: "core.login.tryLogin"})
34. <<closure>>
    OC\AppFramework\Routing\RouteActionHandler->__invoke({_route: "core.login.tryLogin"})
35. /var/www/nextcloud/lib/private/Route/Router.php line 297
    call_user_func(OC\AppFramework\ ... {}, {_route: "core.login.tryLogin"})
36. /var/www/nextcloud/lib/base.php line 1007
    OC\Route\Router->match("/login")
37. /var/www/nextcloud/index.php line 37
    OC::handleRequest()

POST /nextcloud/index.php/login
from 192.168.178.35 by uwjhn at 2020-07-15T18:21:40+00:00
Joulinar
Posts: 2299
Joined: Sat Nov 16, 2019 12:49 am

Re: NC Symlinks not allowed

Post by Joulinar »

Hi,

many thanks for your report. Yes indeed, that's a behaviour of NextCloud since the beginning and works as designed. Unfortunately NextCloud Devs are not willing to change this. However there is a workaround provided by a user on NextCloud GitHub.

https://github.com/nextcloud/server/iss ... -263228234

The file to be changed is:

Code:

nano /var/www/nextcloud/lib/private/Files/Storage/Local.php

Search for allowSymlinks and set it to true. Don't know if needed, but I restarted all services using dietpi-services restart

Pls keep in mind that it might be possible that the change will be reverted on a NextCloud software update.

Btw, on my test it was needed to delete NC users and re-create them (don't ask me why). Afterwards I could login to NextCloud.
Pls let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
uwjhn
Posts: 4
Joined: Wed Jul 15, 2020 8:28 pm

Re: NC Symlinks not allowed

Post by uwjhn »

thanks. this workaround helped.
MichaIng
Site Admin
Posts: 2333
Joined: Sat Nov 18, 2017 6:21 pm

Re: NC Symlinks not allowed

Post by MichaIng »

Hmm in this case it looks like a Nextcloud bug to me since the symlink is pointing from inside the data dir to inside, respectively the whole Nextcloud data dir symlinked and there is no symlink inside, is it?

I remember a similar issue when doing a fresh Nextcloud install and using the dietpi_userdata symlink location as data dir argument, it failed. For this reason dietpi-software always expands the path completely before giving it as data dir argument. However I never saw similar issue on operation afterwards, especially since Nextcloud should always use the real path now. But you installed via dietpi-software, right? You moved dietpi_userdata to the external drive before or after Nextcloud install?

I have an open bug report on Nextcloud for ages about this topic to allow the whole data dir to be inside a symlinked location, will review and refresh.
Joulinar
Posts: 2299
Joined: Sat Nov 16, 2019 12:49 am

Re: NC Symlinks not allowed

Post by Joulinar »

@MichaIng
To the best of my knowledge, NextCloud Devs don't like the symlinks due to security reasons. They don't like that users could break out of their home dir. Even if there is no security breach as the symlink is on OS and transparent for NextCloud. There are quite some issues on GitHub requesting this feature...
MichaIng
Site Admin
Posts: 2333
Joined: Sat Nov 18, 2017 6:21 pm

Re: NC Symlinks not allowed

Post by MichaIng »

But as said, in this case the symlink is not inside the data dir, hence it is impossible to use it to break out.

I found my issue: https://github.com/nextcloud/server/issues/12247
And whoopsie, our workaround is different: The symlink check was until then only done wrong for the skeleton dir transfer, since the skeleton dir is outside the data dir. So we simply transfer the skeleton dir manually as everything else succeeds perfectly fine.

The problem there is when files are transferred from(/to) places outside of the data dir. What I just never understood is why copying the skeleton files can succeed even without symlink because regardless of symlink one dir is outside the allowed places.

In OP case now, the transfer is from and to a user-specific dir. Nextcloud should actually always compare the real path, as outlined in the issue, but probably in the particular case of cache, it is missing.
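
The "compare the real path" point from the post above, as an added example (not Nextcloud's code and not part of the thread): a simplified containment check run on a constructed directory layout that mirrors the paths in the error message. The function names, the `drive-uuid` directory and the `escape` link are assumptions made for illustration.

```python
import os
import tempfile

def is_inside(path, base, resolve_base):
    """Return True if path, after following symlinks, lies under base."""
    real = os.path.realpath(path)
    # The difference under test: compare against the base as configured,
    # or against the base with its own symlinks resolved.
    root = os.path.realpath(base) if resolve_base else os.path.abspath(base)
    return os.path.commonpath([real, root]) == root

def build_layout(tmp):
    """Constructed layout: dietpi_userdata is a symlink to an external drive."""
    drive = os.path.join(tmp, "mnt", "drive-uuid")  # stands in for /mnt/<UUID>
    user_dir = os.path.join(drive, "dietpi_userdata", "nextcloud_data", "uwjhn")
    os.makedirs(os.path.join(user_dir, "cache"))
    link = os.path.join(tmp, "mnt", "dietpi_userdata")
    os.symlink(os.path.join(drive, "dietpi_userdata"), link)
    # A symlink inside the user dir that really does point outside of it.
    outside = os.path.join(tmp, "outside")
    os.makedirs(outside)
    os.symlink(outside, os.path.join(user_dir, "escape"))
    # The user dir as addressed through the symlinked location.
    return os.path.join(link, "nextcloud_data", "uwjhn")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        base = build_layout(os.path.realpath(tmp))
        cache = os.path.join(base, "cache")
        escape = os.path.join(base, "escape")
        return {
            # Resolved target vs. unresolved base: the false positive in the log.
            "cache_unresolved_base": is_inside(cache, base, resolve_base=False),
            # Both sides resolved: the ordinary cache dir is accepted.
            "cache_resolved_base": is_inside(cache, base, resolve_base=True),
            # Both sides resolved: a link leaving the user dir is still rejected.
            "escape_resolved_base": is_inside(escape, base, resolve_base=True),
        }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'rejected'}")
```

Resolving the base keeps the escaping link rejected, which switching the check off altogether would not.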