'OCA\\Settings\\Settings\\Personal\\Security\\TwoFactor' => $baseDir . '/../lib/Settings/Personal/Security/TwoFactor.php',
'OCA\\Settings\\Settings\\Personal\\Security\\WebAuthn' => $baseDir . '/../lib/Settings/Personal/Security/WebAuthn.php',
'OCA\\Settings\\Settings\\Personal\\ServerDevNotice' => $baseDir . '/../lib/Settings/Personal/ServerDevNotice.php',
+ 'OCA\\Settings\\SetupChecks\\AppDirsWithDifferentOwner' => $baseDir . '/../lib/SetupChecks/AppDirsWithDifferentOwner.php',
'OCA\\Settings\\SetupChecks\\BruteForceThrottler' => $baseDir . '/../lib/SetupChecks/BruteForceThrottler.php',
'OCA\\Settings\\SetupChecks\\CheckUserCertificates' => $baseDir . '/../lib/SetupChecks/CheckUserCertificates.php',
'OCA\\Settings\\SetupChecks\\DatabaseHasMissingColumns' => $baseDir . '/../lib/SetupChecks/DatabaseHasMissingColumns.php',
'OCA\\Settings\\Settings\\Personal\\Security\\TwoFactor' => __DIR__ . '/..' . '/../lib/Settings/Personal/Security/TwoFactor.php',
'OCA\\Settings\\Settings\\Personal\\Security\\WebAuthn' => __DIR__ . '/..' . '/../lib/Settings/Personal/Security/WebAuthn.php',
'OCA\\Settings\\Settings\\Personal\\ServerDevNotice' => __DIR__ . '/..' . '/../lib/Settings/Personal/ServerDevNotice.php',
+ 'OCA\\Settings\\SetupChecks\\AppDirsWithDifferentOwner' => __DIR__ . '/..' . '/../lib/SetupChecks/AppDirsWithDifferentOwner.php',
'OCA\\Settings\\SetupChecks\\BruteForceThrottler' => __DIR__ . '/..' . '/../lib/SetupChecks/BruteForceThrottler.php',
'OCA\\Settings\\SetupChecks\\CheckUserCertificates' => __DIR__ . '/..' . '/../lib/SetupChecks/CheckUserCertificates.php',
'OCA\\Settings\\SetupChecks\\DatabaseHasMissingColumns' => __DIR__ . '/..' . '/../lib/SetupChecks/DatabaseHasMissingColumns.php',
use OCA\Settings\Search\AppSearch;
use OCA\Settings\Search\SectionSearch;
use OCA\Settings\Search\UserSearch;
+use OCA\Settings\SetupChecks\AppDirsWithDifferentOwner;
use OCA\Settings\SetupChecks\BruteForceThrottler;
use OCA\Settings\SetupChecks\CheckUserCertificates;
use OCA\Settings\SetupChecks\DatabaseHasMissingColumns;
Util::getDefaultEmailAddress('no-reply')
);
});
+ $context->registerSetupCheck(AppDirsWithDifferentOwner::class);
$context->registerSetupCheck(BruteForceThrottler::class);
$context->registerSetupCheck(CheckUserCertificates::class);
$context->registerSetupCheck(DatabaseHasMissingColumns::class);
*/
namespace OCA\Settings\Controller;
-use DirectoryIterator;
use GuzzleHttp\Exception\ClientException;
use OC\AppFramework\Http;
use OC\IntegrityCheck\Checker;
return false;
}
- /**
- * Iterates through the configured app roots and
- * tests if the subdirectories are owned by the same user than the current user.
- *
- * @return array
- */
- protected function getAppDirsWithDifferentOwner(): array {
- $currentUser = posix_getuid();
- $appDirsWithDifferentOwner = [[]];
-
- foreach (\OC::$APPSROOTS as $appRoot) {
- if ($appRoot['writable'] === true) {
- $appDirsWithDifferentOwner[] = $this->getAppDirsWithDifferentOwnerForAppRoot($currentUser, $appRoot);
- }
- }
-
- $appDirsWithDifferentOwner = array_merge(...$appDirsWithDifferentOwner);
- sort($appDirsWithDifferentOwner);
-
- return $appDirsWithDifferentOwner;
- }
-
- /**
- * Tests if the directories for one apps directory are writable by the current user.
- *
- * @param int $currentUser The current user
- * @param array $appRoot The app root config
- * @return string[] The none writable directory paths inside the app root
- */
- private function getAppDirsWithDifferentOwnerForAppRoot(int $currentUser, array $appRoot): array {
- $appDirsWithDifferentOwner = [];
- $appsPath = $appRoot['path'];
- $appsDir = new DirectoryIterator($appRoot['path']);
-
- foreach ($appsDir as $fileInfo) {
- if ($fileInfo->isDir() && !$fileInfo->isDot()) {
- $absAppPath = $appsPath . DIRECTORY_SEPARATOR . $fileInfo->getFilename();
- $appDirUser = fileowner($absAppPath);
- if ($appDirUser !== $currentUser) {
- $appDirsWithDifferentOwner[] = $absAppPath;
- }
- }
- }
-
- return $appDirsWithDifferentOwner;
- }
-
protected function isImagickEnabled(): bool {
if ($this->config->getAppValue('theming', 'enabled', 'no') === 'yes') {
if (!extension_loaded('imagick')) {
'hasPassedCodeIntegrityCheck' => $this->checker->hasPassedCheck(),
'codeIntegrityCheckerDocumentation' => $this->urlGenerator->linkToDocs('admin-code-integrity'),
'isSettimelimitAvailable' => $this->isSettimelimitAvailable(),
- 'appDirsWithDifferentOwner' => $this->getAppDirsWithDifferentOwner(),
'isImagickEnabled' => $this->isImagickEnabled(),
'areWebauthnExtensionsEnabled' => $this->areWebauthnExtensionsEnabled(),
'isMysqlUsedWithoutUTF8MB4' => $this->isMysqlUsedWithoutUTF8MB4(),
--- /dev/null
+<?php
+
+declare(strict_types=1);
+
+/**
+ * @copyright Copyright (c) 2023 Côme Chilliet <come.chilliet@nextcloud.com>
+ *
+ * @author Côme Chilliet <come.chilliet@nextcloud.com>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+namespace OCA\Settings\SetupChecks;
+
+use OCP\IL10N;
+use OCP\SetupCheck\ISetupCheck;
+use OCP\SetupCheck\SetupResult;
+
+class AppDirsWithDifferentOwner implements ISetupCheck {
+ public function __construct(
+ private IL10N $l10n,
+ ) {
+ }
+
+ public function getName(): string {
+ return $this->l10n->t('App directories owner');
+ }
+
+ public function getCategory(): string {
+ return 'security';
+ }
+
+ /**
+ * Iterates through the configured app roots and
+ * tests if the subdirectories are owned by the same user than the current user.
+ *
+ * @return string[]
+ */
+ private function getAppDirsWithDifferentOwner(int $currentUser): array {
+ $appDirsWithDifferentOwner = [[]];
+
+ foreach (\OC::$APPSROOTS as $appRoot) {
+ if ($appRoot['writable'] === true) {
+ $appDirsWithDifferentOwner[] = $this->getAppDirsWithDifferentOwnerForAppRoot($currentUser, $appRoot);
+ }
+ }
+
+ $appDirsWithDifferentOwner = array_merge(...$appDirsWithDifferentOwner);
+ sort($appDirsWithDifferentOwner);
+
+ return $appDirsWithDifferentOwner;
+ }
+
+ /**
+ * Tests if the directories for one apps directory are writable by the current user.
+ *
+ * @param int $currentUser The current user
+ * @param array $appRoot The app root config
+ * @return string[] The none writable directory paths inside the app root
+ */
+ private function getAppDirsWithDifferentOwnerForAppRoot(int $currentUser, array $appRoot): array {
+ $appDirsWithDifferentOwner = [];
+ $appsPath = $appRoot['path'];
+ $appsDir = new \DirectoryIterator($appRoot['path']);
+
+ foreach ($appsDir as $fileInfo) {
+ if ($fileInfo->isDir() && !$fileInfo->isDot()) {
+ $absAppPath = $appsPath . DIRECTORY_SEPARATOR . $fileInfo->getFilename();
+ $appDirUser = fileowner($absAppPath);
+ if ($appDirUser !== $currentUser) {
+ $appDirsWithDifferentOwner[] = $absAppPath;
+ }
+ }
+ }
+
+ return $appDirsWithDifferentOwner;
+ }
+
+ public function run(): SetupResult {
+ $currentUser = posix_getuid();
+ $currentUserInfos = posix_getpwuid($currentUser) ?: [];
+ $appDirsWithDifferentOwner = $this->getAppDirsWithDifferentOwner($currentUser);
+ if (count($appDirsWithDifferentOwner) > 0) {
+ return SetupResult::warning(
+ $this->l10n->t("Some app directories are owned by a different user than the web server one. This may be the case if apps have been installed manually. Check the permissions of the following app directories:\n%s", implode("\n", $appDirsWithDifferentOwner))
+ );
+ } else {
+ return SetupResult::success($this->l10n->t('App directories have the correct owner "%s"', [$currentUserInfos['name'] ?? '']));
+ }
+ }
+}
'hasPassedCodeIntegrityCheck' => true,
'codeIntegrityCheckerDocumentation' => 'http://docs.example.org/server/go.php?to=admin-code-integrity',
'isSettimelimitAvailable' => true,
- 'appDirsWithDifferentOwner' => [],
'isImagickEnabled' => false,
'areWebauthnExtensionsEnabled' => false,
'isMysqlUsedWithoutUTF8MB4' => false,
})
}
- if(data.appDirsWithDifferentOwner && data.appDirsWithDifferentOwner.length > 0) {
- var appDirsWithDifferentOwner = data.appDirsWithDifferentOwner.reduce(
- function(appDirsWithDifferentOwner, directory) {
- return appDirsWithDifferentOwner + '<li>' + directory + '</li>';
- },
- ''
- );
- messages.push({
- msg: t('core', 'Some app directories are owned by a different user than the web server one. ' +
- 'This may be the case if apps have been installed manually. ' +
- 'Check the permissions of the following app directories:')
- + '<ul>' + appDirsWithDifferentOwner + '</ul>',
- type: OC.SetupChecks.MESSAGE_TYPE_WARNING
- });
- }
if (data.isMysqlUsedWithoutUTF8MB4) {
messages.push({
msg: t('core', 'MySQL is used as database but does not support 4-byte characters. To be able to handle 4-byte characters (like emojis) without issues in filenames or comments for example it is recommended to enable the 4-byte support in MySQL. For further details read {linkstart}the documentation page about this ↗{linkend}.')
cronInfo: {
diffInSeconds: 0
},
- appDirsWithDifferentOwner: [],
isImagickEnabled: true,
areWebauthnExtensionsEnabled: true,
isMysqlUsedWithoutUTF8MB4: false,
cronInfo: {
diffInSeconds: 0
},
- appDirsWithDifferentOwner: [],
isImagickEnabled: true,
areWebauthnExtensionsEnabled: true,
isMysqlUsedWithoutUTF8MB4: false,
cronInfo: {
diffInSeconds: 0
},
- appDirsWithDifferentOwner: [],
isImagickEnabled: true,
areWebauthnExtensionsEnabled: true,
isMysqlUsedWithoutUTF8MB4: false,
cronInfo: {
diffInSeconds: 0
},
- appDirsWithDifferentOwner: [],
isImagickEnabled: true,
areWebauthnExtensionsEnabled: true,
isMysqlUsedWithoutUTF8MB4: false,
});
});
- it('should return a warning if there are app directories with wrong permissions', function(done) {
- var async = OC.SetupChecks.checkSetup();
-
- suite.server.requests[0].respond(
- 200,
- {
- 'Content-Type': 'application/json',
- },
- JSON.stringify({
- suggestedOverwriteCliURL: '',
- isFairUseOfFreePushService: true,
- isCorrectMemcachedPHPModuleInstalled: true,
- hasPassedCodeIntegrityCheck: true,
- isSettimelimitAvailable: true,
- cronErrors: [],
- cronInfo: {
- diffInSeconds: 0
- },
- appDirsWithDifferentOwner: [
- '/some/path'
- ],
- isImagickEnabled: true,
- areWebauthnExtensionsEnabled: true,
- isMysqlUsedWithoutUTF8MB4: false,
- isEnoughTempSpaceAvailableIfS3PrimaryStorageIsUsed: true,
- reverseProxyGeneratedURL: 'https://server',
- temporaryDirectoryWritable: true,
- generic: {
- network: {
- "Internet connectivity": {
- severity: "success",
- description: null,
- linkToDoc: null
- }
- },
- },
- })
- );
-
- async.done(function( data, s, x ){
- expect(data).toEqual([{
- msg: 'Some app directories are owned by a different user than the web server one. This may be the case if apps have been installed manually. Check the permissions of the following app directories:<ul><li>/some/path</li></ul>',
- type: OC.SetupChecks.MESSAGE_TYPE_WARNING
- }]);
- done();
- });
- });
-
it('should return an error if set_time_limit is unavailable', function(done) {
var async = OC.SetupChecks.checkSetup();
cronInfo: {
diffInSeconds: 0
},
- appDirsWithDifferentOwner: [],
isImagickEnabled: true,
areWebauthnExtensionsEnabled: true,
isMysqlUsedWithoutUTF8MB4: false,
cronInfo: {
diffInSeconds: 0
},
- appDirsWithDifferentOwner: [],
isImagickEnabled: true,
areWebauthnExtensionsEnabled: true,
isMysqlUsedWithoutUTF8MB4: false,
cronInfo: {
diffInSeconds: 0
},
- appDirsWithDifferentOwner: [],
isImagickEnabled: true,
areWebauthnExtensionsEnabled: true,
isMysqlUsedWithoutUTF8MB4: false,
cronInfo: {
diffInSeconds: 0
},
- appDirsWithDifferentOwner: [],
isImagickEnabled: true,
areWebauthnExtensionsEnabled: true,
isMysqlUsedWithoutUTF8MB4: true,
cronInfo: {
diffInSeconds: 0
},
- appDirsWithDifferentOwner: [],
isImagickEnabled: true,
areWebauthnExtensionsEnabled: true,
isMysqlUsedWithoutUTF8MB4: false,
cronInfo: {
diffInSeconds: 0
},
- appDirsWithDifferentOwner: [],
isImagickEnabled: true,
areWebauthnExtensionsEnabled: true,
isMysqlUsedWithoutUTF8MB4: false,
cronInfo: {
diffInSeconds: 0
},
- appDirsWithDifferentOwner: [],
isImagickEnabled: true,
areWebauthnExtensionsEnabled: true,
isMysqlUsedWithoutUTF8MB4: false,
cronInfo: {
diffInSeconds: 0
},
- appDirsWithDifferentOwner: [],
isImagickEnabled: false,
areWebauthnExtensionsEnabled: true,
isMysqlUsedWithoutUTF8MB4: false,
cronInfo: {
diffInSeconds: 0
},
- appDirsWithDifferentOwner: [],
isImagickEnabled: true,
areWebauthnExtensionsEnabled: false,
isMysqlUsedWithoutUTF8MB4: false,
cronInfo: {
diffInSeconds: 0
},
- appDirsWithDifferentOwner: [],
isImagickEnabled: true,
areWebauthnExtensionsEnabled: true,
isMysqlUsedWithoutUTF8MB4: false,
cronInfo: {
diffInSeconds: 0
},
- appDirsWithDifferentOwner: [],
isImagickEnabled: true,
areWebauthnExtensionsEnabled: true,
isMysqlUsedWithoutUTF8MB4: false,
projects / nextcloud-server.git / commitdiff