NC 13.0.4: Constant OC\ForbiddenException: This request is not allowed to access the filesystem #6541

Closed
Fiech opened this issue Sep 17, 2017 · 14 comments
Labels
0. Needs triage Pending check for reproducibility or if it fits our roadmap bug feature: encryption (server-side) feature: filesystem

Comments

@Fiech
Contributor

Fiech commented Sep 17, 2017

Steps to reproduce

  1. Use file encryption module
  2. Open log

Expected behaviour

No Error messages in log

Actual behaviour

Constant "OC\ForbiddenException: This request is not allowed to access the filesystem" entries (see below). Multiple per hour. PHP user is owner of NC directory (with sub directories).

General server configuration

Operating system: Linux hermes 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2+deb8u3 (2017-08-15) x86_64

Web server: nginx/1.12.1 (fpm-fcgi)

Database: pgsql PostgreSQL 9.4.13 on x86_64-unknown-linux-gnu, compiled by gcc (Debian 4.9.2-10) 4.9.2, 64-bit

PHP version: 7.0.23-1~dotdeb+8.1

PHP-modules loaded
 - Core
 - date
 - libxml
 - openssl
 - pcre
 - zlib
 - filter
 - hash
 - Reflection
 - SPL
 - session
 - standard
 - cgi-fcgi
 - igbinary
 - PDO
 - xml
 - calendar
 - ctype
 - curl
 - dom
 - mbstring
 - fileinfo
 - ftp
 - gd
 - gettext
 - iconv
 - imagick
 - imap
 - json
 - exif
 - mcrypt
 - pdo_pgsql
 - pgsql
 - Phar
 - posix
 - readline
 - redis
 - shmop
 - SimpleXML
 - sockets
 - sysvmsg
 - sysvsem
 - sysvshm
 - tokenizer
 - wddx
 - xmlreader
 - xmlwriter
 - xsl
 - zip
 - Zend OPcache

Nextcloud configuration

Nextcloud version: 12.0.3 RC2 - 12.0.3.1

Updated from an older Nextcloud/ownCloud or fresh install: YOUR ANSWER HERE

Where did you install Nextcloud from: YOUR ANSWER HERE

Are you using external storage, if yes which one: Array
(
[0] => \OC\Files\Storage\Local
[1] => \OCA\Files_External\Lib\Storage\FTP
[2] => \OC\Files\Storage\DAV
[3] => \OCA\Files_External\Lib\Storage\OwnCloud
[4] => \OCA\Files_External\Lib\Storage\SFTP
[5] => \OCA\Files_External\Lib\Storage\AmazonS3
[6] => \OCA\Files_External\Lib\Storage\Dropbox
[7] => \OCA\Files_External\Lib\Storage\Google
[8] => \OCA\Files_External\Lib\Storage\Swift
[9] => \OCA\Files_External\Lib\Storage\SFTP
[10] => \OCA\Files_External\Lib\Storage\SMB
[11] => \OCA\Files_External\Lib\Storage\SMB
)

Are you using encryption: yes

Are you using an external user-backend, if yes which one:

Signing status
{
    "calendar": {
        "FILE_MISSING": {
            ".gitignore": {
                "expected": "2ebfa9d965d970eb2f3356f80cbff785c90c9a0d7634b406e49cd4e311826eb4abb482d8be75557cff491837881af2795fc4bd3a8e8d42b24c56d3b53b9b5dee",
                "current": ""
            }
        }
    }
}

This is discussed here nextcloud/calendar#600

Enabled apps
 - activity: 2.5.2
 - admin_audit: 1.2.0
 - admin_notifications: 1.0.0
 - bookmarks: 0.10.1
 - comments: 1.2.0
 - contacts: 1.5.3
 - dav: 1.3.0
 - encryption: 1.6.0
 - federatedfilesharing: 1.2.0
 - federation: 1.2.0
 - files: 1.7.2
 - files_external: 1.3.0
 - files_markdown: 2.0.1
 - files_pdfviewer: 1.1.1
 - files_sharing: 1.4.0
 - files_texteditor: 2.4.1
 - files_trashbin: 1.2.0
 - files_versions: 1.5.0
 - files_videoplayer: 1.1.0
 - firstrunwizard: 2.1
 - gallery: 17.0.0
 - issuetemplate: 0.2.2
 - logreader: 2.0.0
 - lookup_server_connector: 1.0.0
 - nextcloud_announcements: 1.1
 - notes: 2.3.1
 - notifications: 2.0.0
 - oauth2: 1.0.5
 - password_policy: 1.2.2
 - provisioning_api: 1.2.0
 - serverinfo: 1.2.0
 - sharebymail: 1.2.0
 - spreed: 2.0.1
 - survey_client: 1.0.0
 - systemtags: 1.2.0
 - tasks: 0.9.5
 - theming: 1.3.0
 - twofactor_backupcodes: 1.1.1
 - twofactor_totp: 1.3.1
 - twofactor_u2f: 1.3.3
 - updatenotification: 1.2.0
 - workflowengine: 1.2.0
Disabled apps
 - audioplayer
 - calendar
 - user_external
 - user_ldap
Content of config/config.php
{
    "instanceid": "oc676d29f5b0",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "***REMOVED SENSITIVE VALUE***"
    ],
    "datadirectory": "\/owncloud\/data",
    "dbtype": "pgsql",
    "version": "12.0.3.1",
    "dbname": "***REMOVED SENSITIVE VALUE***",
    "dbhost": "localhost",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "installed": true,
    "forcessl": true,
    "theme": "",
    "maintenance": false,
    "secret": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpmode": "smtp",
    "mail_from_address": "owncloud",
    "mail_domain": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpauthtype": "LOGIN",
    "mail_smtpauth": 1,
    "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpport": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
    "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
    "mail_smtpsecure": "tls",
    "singleuser": false,
    "forceSSLforSubdomains": true,
    "loglevel": 2,
    "filelocking.enabled": "false",
    "memcache.local": "\\OC\\Memcache\\Redis",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "localhost",
        "port": 6379,
        "timeout": 0,
        "dbindex": 0
    },
    "trashbin_retention_obligation": "auto",
    "updater.release.channel": "beta",
    "overwrite.cli.url": "https:\/\/***REMOVED SENSITIVE VALUE***"
}

Client configuration

Browser: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/60.0.3112.113 Chrome/60.0.3112.113 Safari/537.36

Operating system: Ubuntu 16.10

Logs

Web server error log
No seemingly related lines, will of course provide if told what to look for
Nextcloud log (data/nextcloud.log)
OC\ForbiddenException: This request is not allowed to access the filesystem
/owncloud/htdocs/lib/private/Files/View.php - line 1136: OC\Lockdown\Filesystem\NullStorage->mkdir('files_encryptio...')
/owncloud/htdocs/lib/private/Files/View.php - line 269: OC\Files\View->basicOperation('mkdir', '/*** sensitive parameters replaced ***/files_e...', Array)
/owncloud/htdocs/lib/private/Encryption/Keys/Storage.php - line 370: OC\Files\View->mkdir('/*** sensitive parameters replaced ***/files_e...')
/owncloud/htdocs/lib/private/Encryption/Keys/Storage.php - line 230: OC\Encryption\Keys\Storage->keySetPreparation('/*** sensitive parameters replaced ***/files_e...')
/owncloud/htdocs/lib/private/Encryption/Keys/Storage.php - line 115: OC\Encryption\Keys\Storage->setKey('/*** sensitive parameters replaced ***/files_e...', '-----BEGIN PUBL...')
/owncloud/htdocs/apps/encryption/lib/KeyManager.php - line 287: OC\Encryption\Keys\Storage->setUserKey('*** sensitive parameters replaced ***', 'publicKey', '-----BEGIN PUBL...', 'OC_DEFAULT_MODU...')
/owncloud/htdocs/apps/encryption/lib/KeyManager.php - line 246: OCA\Encryption\KeyManager->setPublicKey('*** sensitive parameters replaced ***', '-----BEGIN PUBL...')
/owncloud/htdocs/apps/encryption/lib/Users/Setup.php - line 77: OCA\Encryption\KeyManager->storeKeyPair('*** sensitive parameters replaced ***', '*** sensitive parameters replaced ***', Array)
/owncloud/htdocs/apps/encryption/lib/Hooks/UserHooks.php - line 183: OCA\Encryption\Users\Setup->setupUser('*** sensitive parameters replaced ***', '*** sensitive parameters replaced ***')
/owncloud/htdocs/lib/private/legacy/hook.php - line 106: OCA\Encryption\Hooks\UserHooks->login(*** sensitive parameters replaced ***)
/owncloud/htdocs/lib/private/Server.php - line 362: OC_Hook emit('OC_User', 'post_login', Array)
[internal function] OC\Server->OC\{closure}(Object(OC\User\User), '*** sensitive parameters replaced ***')
/owncloud/htdocs/lib/private/Hooks/EmitterTrait.php - line 99: call_user_func_array(Object(Closure), Array)
/owncloud/htdocs/lib/private/Hooks/PublicEmitter.php - line 33: OC\Hooks\BasicEmitter->emit('\\OC\\User', 'postLogin', Array)
/owncloud/htdocs/lib/private/User/Session.php - line 359: OC\Hooks\PublicEmitter->emit('\\OC\\User', 'postLogin', Array)
/owncloud/htdocs/lib/private/User/Session.php - line 588: OC\User\Session->completeLogin(*** sensitive parameters replaced ***)
/owncloud/htdocs/lib/private/User/Session.php - line 324: OC\User\Session->loginWithToken('*** sensitive parameters replaced ***')
/owncloud/htdocs/lib/private/User/Session.php - line 400: OC\User\Session->login(*** sensitive parameters replaced ***)
/owncloud/htdocs/apps/dav/lib/Connector/Sabre/Auth.php - line 129: OC\User\Session->logClientIn(*** sensitive parameters replaced ***)
/owncloud/htdocs/3rdparty/sabre/dav/lib/DAV/Auth/Backend/AbstractBasic.php - line 105: OCA\DAV\Connector\Sabre\Auth->validateUserPass(*** sensitive parameters replaced ***)
/owncloud/htdocs/apps/dav/lib/Connector/Sabre/Auth.php - line 252: Sabre\DAV\Auth\Backend\AbstractBasic->check(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/owncloud/htdocs/apps/dav/lib/Connector/Sabre/Auth.php - line 154: OCA\DAV\Connector\Sabre\Auth->auth(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/owncloud/htdocs/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php - line 201: OCA\DAV\Connector\Sabre\Auth->check(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/owncloud/htdocs/3rdparty/sabre/dav/lib/DAV/Auth/Plugin.php - line 150: Sabre\DAV\Auth\Plugin->check(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
[internal function] Sabre\DAV\Auth\Plugin->beforeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/owncloud/htdocs/3rdparty/sabre/event/lib/EventEmitterTrait.php - line 105: call_user_func_array(Array, Array)
/owncloud/htdocs/3rdparty/sabre/dav/lib/DAV/Server.php - line 466: Sabre\Event\EventEmitter->emit('beforeMethod', Array)
/owncloud/htdocs/3rdparty/sabre/dav/lib/DAV/Server.php - line 254: Sabre\DAV\Server->invokeMethod(Object(Sabre\HTTP\Request), Object(Sabre\HTTP\Response))
/owncloud/htdocs/apps/dav/appinfo/v1/caldav.php - line 91: Sabre\DAV\Server->exec()
/owncloud/htdocs/remote.php - line 162: require_once('/owncloud/htdoc...')
{main}
@LukasReschke
Member

cc @icewind1991

@nickvergessen
Member

Well, my guess is that someone is using an app token in the sync client which doesn't have "Allow filesystem access" in the options menu checked...

@Fiech
Contributor Author

Fiech commented Sep 18, 2017

That may very well be the problem. I'm using app tokens and my phone only gets caldav and carddav access.

@nickvergessen
Member

Well I think we should either not set up encryption, or make sure the NullStorage only blocks files/

This is exactly what I predicted back then. We only want apps to not be able to read the filesystem. Not prevent internal mechanisms to be blocked by it...
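
A log-triage example for the pattern identified in this thread, added here and not part of the original issue or of Nextcloud's code: it parses traces in the rendered format shown in the report and separates the login-time encryption key setup from other filesystem accesses blocked for a restricted app token. The verdict labels, function names and the `ExampleApp` trace are assumptions made for illustration.

```python
import re

# One rendered frame as shown in the issue: "<file> - line <n>: <call>"
FRAME = re.compile(r"^(?P<file>\S+) - line \d+: (?P<call>.+)$")
METHOD = re.compile(r"^(?P<cls>[\w\\]+)->(?P<method>\w+)\(")
NULL_STORAGE = r"OC\Lockdown\Filesystem\NullStorage"
KEY_STORAGE = r"OC\Encryption\Keys\Storage"
LOGIN_HOOK = (r"OCA\Encryption\Hooks\UserHooks", "login")

def parse_frames(trace):
    """Return (file, class, method) for each frame that names a method call."""
    frames = []
    for line in trace.strip().splitlines():
        m = FRAME.match(line.strip())
        c = METHOD.match(m["call"]) if m else None
        if c:  # skips the header, "[internal function]" and require_once frames
            frames.append((m["file"], c["cls"], c["method"]))
    return frames

def classify(trace):
    """Separate the login-time key setup noise from other blocked accesses."""
    lines = trace.strip().splitlines()
    frames = parse_frames(trace)
    blocked = [f for f in frames if f[1] == NULL_STORAGE]
    if not lines or "ForbiddenException" not in lines[0] or not blocked:
        return {"verdict": "unrelated", "operation": None, "entry": None}
    login = any((cls, meth) == LOGIN_HOOK for _, cls, meth in frames)
    keys = any(cls == KEY_STORAGE for _, cls, _ in frames)
    return {
        "verdict": "encryption-key-setup-at-login" if login and keys else "review",
        "operation": blocked[0][2],                 # storage call that was refused
        "entry": frames[-1][0].rsplit("/", 1)[-1],  # outermost frame naming a method
    }

# Constructed sample: the trace from this issue, abbreviated.
LOGIN_TRACE = r"""OC\ForbiddenException: This request is not allowed to access the filesystem
/owncloud/htdocs/lib/private/Files/View.php - line 1136: OC\Lockdown\Filesystem\NullStorage->mkdir('files_encryptio...')
/owncloud/htdocs/lib/private/Encryption/Keys/Storage.php - line 230: OC\Encryption\Keys\Storage->keySetPreparation('...')
/owncloud/htdocs/lib/private/legacy/hook.php - line 106: OCA\Encryption\Hooks\UserHooks->login(...)
/owncloud/htdocs/apps/dav/appinfo/v1/caldav.php - line 91: Sabre\DAV\Server->exec()
/owncloud/htdocs/remote.php - line 162: require_once('/owncloud/htdoc...')"""
# Constructed sample: a hypothetical app (ExampleApp) reading a user file.
OTHER_TRACE = r"""OC\ForbiddenException: This request is not allowed to access the filesystem
/owncloud/htdocs/lib/private/Files/View.php - line 1136: OC\Lockdown\Filesystem\NullStorage->fopen('notes.txt', 'r')
/owncloud/htdocs/apps/example_app/lib/Api.php - line 20: OCA\ExampleApp\Reader->read('notes.txt')"""

if __name__ == "__main__":
    print(classify(LOGIN_TRACE), classify(OTHER_TRACE))
```

Traces classified as `review` are blocked accesses that did not come from the encryption login hook and are the ones worth reading individually.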

@nickvergessen
Member

There is no exception, when 1. the app token is not restricted, 2. master key is enabled

So there are 2 workarounds

@Fiech
Contributor Author

Fiech commented Sep 18, 2017

App token not being restricted kind of defies half the reason to use them. I activated encryption recovery for my account (I hope this is what you meant by master key) and alas, the error still pops up, whenever I'm syncing my caldav or carddav account on my phone.

@nickvergessen
Member

I meant the console command:

./occ encryption:enable-master-key --help
Usage:
  encryption:enable-master-key

Options:
...

Help:
  Enable the master key. Only available for fresh installations with no existing encrypted data! There is also no way to disable it again.

So my suggestion would be to temporarily allow the file access, until the issue is resolved.

@nickvergessen
Member

@schiessle I guess it would be safe to catch the exception on the init of encryption and just ignore it? We can't write any files anyway, so no need to fail with encryption keys?

@Fiech
Contributor Author

Fiech commented Sep 19, 2017

Oh, ok... no, that's not a possibility for me ;-)

Well, then I'll wait for a fix.

@Fiech
Contributor Author

Fiech commented Oct 26, 2017

I am unable to recreate this behaviour in a current 13.0.0a version at home. Has something changed?

@nextcloud-bot nextcloud-bot added the stale Ticket or PR with no recent activity label Jun 20, 2018
@MorrisJobke
Member

Was most likely finally fixed in 13.0.3 with #9608

@nextcloud-bot nextcloud-bot removed the stale Ticket or PR with no recent activity label Jun 25, 2018
@armaccloud

Hi @MorrisJobke
This issue is still occurring for me in 13.0.4.
For example, DavDroid doesn't get filesystem access, which is only cal/carddav.
But the log still gets a lot of errors.

@MorrisJobke MorrisJobke reopened this Jun 28, 2018
@FlorentCoppint
Contributor

Any news about that issue?
The issue is present on NextCloud 14.
Why does DAVdroid token need Filesystem access?

@J0WI J0WI changed the title NC 12.0.2/12.0.3 RC2: Constant OC\ForbiddenException: This request is not allowed to access the filesystem NC 13.0.4: Constant OC\ForbiddenException: This request is not allowed to access the filesystem Jan 13, 2019
@skjnldsv skjnldsv added the 0. Needs triage Pending check for reproducibility or if it fits our roadmap label Jun 12, 2019
@skjnldsv
Member

As the version of the software you've reported this for has reached end of life, I will close this ticket. If this is still happening after an upgrade to the latest version, feel free to reopen.
