NC Symlinks not allowed

Posted: Wed Jul 15, 2020 8:33 pm
by uwjhn
After a fresh install of DietPi on a Raspi 4B, an external SSD and Nextcloud I got the following error(s) in Nextcloud.
Login into admin works, creating a user also. But login into this user fails with "internal error message".

This is what I found in the NC protocols:

[core] Error: Following symlinks is not allowed ('/mnt/dietpi_userdata/nextcloud_data/uwjhn/cache' -> '/mnt/7627eacf-bfd9-4168-9bd0-897988222727/dietpi_userdata/nextcloud_data/uwjhn/cache/' not inside '/mnt/dietpi_userdata/nextcloud_data/uwjhn/')

POST /nextcloud/index.php/login
from by uwjhn at 2020-07-15T18:21:40+00:00

[index] Error: OCP\Files\ForbiddenException: Following symlinks is not allowed at <<closure>>

 0. /var/www/nextcloud/lib/private/Files/Storage/Local.php line 158
 1. /var/www/nextcloud/lib/private/Files/Storage/Common.php line 879
 2. <<closure>>
 3. /var/www/nextcloud/lib/private/Files/Cache/Scanner.php line 408
    iterator_to_array(Generator {})
 4. /var/www/nextcloud/lib/private/Files/Cache/Scanner.php line 388
    OC\Files\Cache\Scanner->handleChildren("", false, 3, 139, true, 0)
 5. /var/www/nextcloud/lib/private/Files/Cache/Scanner.php line 340
    OC\Files\Cache\Scanner->scanChildren("", false, 3, 139, true)
 6. /var/www/nextcloud/lib/private/Files/View.php line 1339
    OC\Files\Cache\Scanner->scan("", false)
 7. /var/www/nextcloud/lib/private/Files/View.php line 1383
    OC\Files\View->getCacheEntry(OCA\Files_Trashb ... }}, "", "/uwjhn")
 8. /var/www/nextcloud/lib/private/Files/Node/Root.php line 201
 9. /var/www/nextcloud/lib/private/Files/Node/Folder.php line 147
10. /var/www/nextcloud/lib/private/Files/Node/Root.php line 384
11. <<closure>>
    OC\Files\Node\Root->getUserFolder("*** sensitive parameter replaced ***")
12. /var/www/nextcloud/lib/private/Files/Node/LazyRoot.php line 66
    call_user_func_array([OC\Files\Node\Root {},"getUserFolder"], ["*** sensitive parameter replaced ***"])
13. /var/www/nextcloud/lib/private/Files/Node/LazyRoot.php line 283
    OC\Files\Node\LazyRoot->__call("getUserFolder", ["*** sensitive parameter replaced ***"])
14. /var/www/nextcloud/lib/private/Server.php line 1556
    OC\Files\Node\LazyRoot->getUserFolder("*** sensitive parameter replaced ***")
15. /var/www/nextcloud/lib/private/User/Session.php line 552
    OC\Server->getUserFolder("*** sensitive parameter replaced ***")
16. /var/www/nextcloud/lib/private/User/Session.php line 412
    OC\User\Session->prepareUserLogin(true, true)
17. /var/www/nextcloud/lib/private/Authentication/Login/CompleteLoginCommand.php line 44
    OC\User\Session->completeLogin("*** sensitive parameters replaced ***")
18. /var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php line 40
    OC\Authentication\Login\CompleteLoginCommand->process(OC\Authentication\Login\LoginData {})
19. /var/www/nextcloud/lib/private/Authentication/Login/LoggedInCheckCommand.php line 61
    OC\Authentication\Login\ALoginCommand->processNextOrFinishSuccessfully(OC\Authentication\Login\LoginData {})
20. /var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php line 40
    OC\Authentication\Login\LoggedInCheckCommand->process(OC\Authentication\Login\LoginData {})
21. /var/www/nextcloud/lib/private/Authentication/Login/EmailLoginCommand.php line 58
    OC\Authentication\Login\ALoginCommand->processNextOrFinishSuccessfully(OC\Authentication\Login\LoginData {})
22. /var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php line 40
    OC\Authentication\Login\EmailLoginCommand->process(OC\Authentication\Login\LoginData {})
23. /var/www/nextcloud/lib/private/Authentication/Login/UidLoginCommand.php line 54
    OC\Authentication\Login\ALoginCommand->processNextOrFinishSuccessfully(OC\Authentication\Login\LoginData {})
24. /var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php line 40
    OC\Authentication\Login\UidLoginCommand->process(OC\Authentication\Login\LoginData {})
25. /var/www/nextcloud/lib/private/Authentication/Login/UserDisabledCheckCommand.php line 57
    OC\Authentication\Login\ALoginCommand->processNextOrFinishSuccessfully(OC\Authentication\Login\LoginData {})
26. /var/www/nextcloud/lib/private/Authentication/Login/ALoginCommand.php line 40
    OC\Authentication\Login\UserDisabledCheckCommand->process(OC\Authentication\Login\LoginData {})
27. /var/www/nextcloud/lib/private/Authentication/Login/PreLoginHookCommand.php line 53
    OC\Authentication\Login\ALoginCommand->processNextOrFinishSuccessfully(OC\Authentication\Login\LoginData {})
28. /var/www/nextcloud/lib/private/Authentication/Login/Chain.php line 108
    OC\Authentication\Login\PreLoginHookCommand->process(OC\Authentication\Login\LoginData {})
29. /var/www/nextcloud/core/Controller/LoginController.php line 307
    OC\Authentication\Login\Chain->process(OC\Authentication\Login\LoginData {})
30. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 170
    OC\Core\Controller\LoginController->tryLogin("*** sensitive parameters replaced ***")
31. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 100
    OC\AppFramework\Http\Dispatcher->executeController(OC\Core\Controller\LoginController {}, "tryLogin")
32. /var/www/nextcloud/lib/private/AppFramework/App.php line 137
    OC\AppFramework\Http\Dispatcher->dispatch(OC\Core\Controller\LoginController {}, "tryLogin")
33. /var/www/nextcloud/lib/private/AppFramework/Routing/RouteActionHandler.php line 47
    OC\AppFramework\App::main("OC\\Core\\Controller\\LoginController", "tryLogin", OC\AppFramework\ ... {}, {_route: "core.login.tryLogin"})
34. <<closure>>
    OC\AppFramework\Routing\RouteActionHandler->__invoke({_route: "core.login.tryLogin"})
35. /var/www/nextcloud/lib/private/Route/Router.php line 297
    call_user_func(OC\AppFramework\ ... {}, {_route: "core.login.tryLogin"})
36. /var/www/nextcloud/lib/base.php line 1007
37. /var/www/nextcloud/index.php line 37

POST /nextcloud/index.php/login
from by uwjhn at 2020-07-15T18:21:40+00:00

Re: NC Symlinks not allowed

Posted: Thu Jul 16, 2020 2:19 am
by Joulinar

Many thanks for your report. Yes indeed, that's a behaviour of NextCloud since the beginning and works as designed. Unfortunately NextCloud Devs are not willing to change this. However there is a workaround provided by a user on NextCloud GitHub. ... -263228234

The file to be changed is:

nano /var/www/nextcloud/lib/private/Files/Storage/Local.php

Search for allowSymlinks and set it to true. Don't know if needed, but I restarted all services using dietpi-services restart

Pls keep in mind that it might be possible that the change will be reverted on a NextCloud software update.

Btw, on my test it was needed to delete NC users and re-create them (don't ask me why). Afterwards I could log in to NextCloud.

Re: NC Symlinks not allowed

Posted: Thu Jul 16, 2020 7:07 am
by uwjhn
Thanks. This workaround helped.

Re: NC Symlinks not allowed

Posted: Sat Jul 18, 2020 11:48 am
by MichaIng
Hmm, in this case it looks like a Nextcloud bug to me, since the symlink is pointing from inside the data dir to inside, respectively the whole Nextcloud data dir is symlinked and there is no symlink inside, is there?

I remember a similar issue when doing a fresh Nextcloud install and using the dietpi_userdata symlink location as data dir argument, it failed. For this reason dietpi-software always expands the path completely before giving it as data dir argument. However, I never saw a similar issue in operation afterwards, especially since Nextcloud should always use the real path now. But you installed via dietpi-software, right? Did you move dietpi_userdata to the external drive before or after the Nextcloud install?

I have had an open bug report on Nextcloud for ages about this topic, to allow the whole data dir to be inside a symlinked location; will review and refresh.

Re: NC Symlinks not allowed

Posted: Sat Jul 18, 2020 12:27 pm
by Joulinar
To the best of my knowledge, NextCloud Devs don't like the symlinks due to security reasons. They don't like that users could break out of their home dir. Even if there is no security breach as the symlink is on OS and transparent for NextCloud. There are quite some issues on GitHub requesting this feature...

Re: NC Symlinks not allowed

Posted: Sat Jul 18, 2020 1:15 pm
by MichaIng
But as said, in this case the symlink is not inside the data dir, hence it is impossible to use it to break out.

I found my issue:
And whoopsie, our workaround is different: The symlink check was until then only done wrong for the skeleton dir transfer, since the skeleton dir is outside the data dir. So we simply transfer the skeleton dir manually as everything else succeeds perfectly fine.

The problem there is when files are transferred from(/to) places outside of the data dir. What I just never understood is why copying the skeleton files can succeed even without symlink because regardless of symlink one dir is outside the allowed places.

In the OP's case now, the transfer is from and to a user-specific dir. Nextcloud should actually always compare the real path, as outlined in the issue, but probably in the particular case of cache, it is missing.
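
Added example, not part of the thread and not Nextcloud's code: a Python sketch of the containment check discussed above, run on a constructed temp layout that mirrors the log line (userdata directory symlinked to a drive mount). The user name `alice`, the `drive-uuid` directory and all function names are assumptions; it shows that resolving both sides accepts the symlinked data dir while still rejecting a symlink that points out of the user directory, which a global `allowSymlinks = true` would no longer catch.

```python
import os
import tempfile


def is_inside(base: str, target: str) -> bool:
    """True if target equals base or lies below it (plain string paths)."""
    base = base.rstrip(os.sep)
    return target == base or target.startswith(base + os.sep)


def naive_check(user_dir: str, path: str) -> bool:
    # Resolves only the file path; the base keeps its symlinked spelling.
    return is_inside(user_dir, os.path.realpath(path))


def resolved_check(user_dir: str, path: str) -> bool:
    # Resolves both sides, so a symlinked parent of the data dir is harmless.
    return is_inside(os.path.realpath(user_dir), os.path.realpath(path))


def build_layout(root: str) -> dict:
    """Constructed layout: mnt/dietpi_userdata -> mnt/drive-uuid/dietpi_userdata."""
    drive = os.path.join(root, "mnt", "drive-uuid")  # placeholder for the UUID mount
    real_user = os.path.join(drive, "dietpi_userdata", "nextcloud_data", "alice")
    os.makedirs(os.path.join(real_user, "cache"))
    outside = os.path.join(root, "etc")
    os.makedirs(outside)
    link = os.path.join(root, "mnt", "dietpi_userdata")
    os.symlink(os.path.join(drive, "dietpi_userdata"), link)
    user_dir = os.path.join(link, "nextcloud_data", "alice")
    # A symlink placed inside the user dir that points out of it.
    os.symlink(outside, os.path.join(real_user, "escape"))
    return {"user_dir": user_dir,
            "cache": os.path.join(user_dir, "cache"),
            "escape": os.path.join(user_dir, "escape")}


def run_demo() -> dict:
    """Return (naive, resolved) verdicts for the cache dir and the escaping link."""
    with tempfile.TemporaryDirectory() as root:
        p = build_layout(root)
        d = p["user_dir"]
        return {
            "cache": (naive_check(d, p["cache"]), resolved_check(d, p["cache"])),
            "escape": (naive_check(d, p["escape"]), resolved_check(d, p["escape"])),
        }


if __name__ == "__main__":
    print(run_demo())
```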