
Nextcloud 14: This request is not allowed to access the filesystem #66

Closed
virusbrain opened this issue Sep 14, 2018 · 27 comments
Labels
bug Something in the app is not working as expected

Comments

@virusbrain

System Information

  • Nextcloud Version: 14.0
  • PHP Version: 7.2.9
  • Passwords Version: 2018.9.0
  • Browser and Version: Chrome 69
  • Client OS and Version: MacOS 10.13.6
  • Server OS and Version: ArchLinux

Steps to reproduce

I have updated the Passwords App to 2018.9.0 and Nextcloud to 14.0. After that, I cannot access the passwords app anymore.

Actual result

Can't access the passwords app. The list stays blank. In the logfile of Nextcloud I can see the following entries:

Error passwords Exception: Authenticated ciphertext could not be decoded.
/var/www/domain/htdocs/apps/passwords/lib/Encryption/SseV1Encryption.php - line 136:
OC\Security\Crypto->decrypt("*** sensiti ... ")
/var/www/domain/htdocs/apps/passwords/lib/Services/EncryptionService.php - line 89:
OCA\Passwords\Encryption\SseV1Encryption->decryptObject("*** sensiti ... ")
/var/www/domain/htdocs/apps/passwords/lib/Helper/ApiObjects/AbstractObjectHelper.php - line 111:
OCA\Passwords\Services\EncryptionService->decrypt("*** sensiti ... ")
/var/www/domain/htdocs/apps/passwords/lib/Helper/ApiObjects/PasswordObjectHelper.php - line 104:
OCA\Passwords\Helper\ApiObjects\AbstractObjectHelper->getRevision(OCA\Password ... 4}, { hidden: "*** ... "})
/var/www/domain/htdocs/apps/passwords/lib/Helper/ApiObjects/FolderObjectHelper.php - line 247:
OCA\Passwords\Helper\ApiObjects\PasswordObjectHelper->getApiObject(OCA\Password ... 4}, "model", { hidden: "*** ... "})
/var/www/domain/htdocs/apps/passwords/lib/Helper/ApiObjects/FolderObjectHelper.php - line 109:
OCA\Passwords\Helper\ApiObjects\FolderObjectHelper->getPasswords("*** sensiti ... ")
/var/www/domain/htdocs/apps/passwords/lib/Controller/Api/AbstractObjectApiController.php - line 142:
OCA\Passwords\Helper\ApiObjects\FolderObjectHelper->getApiObject(OCA\Password ... l}, "model+folders+passwords")
/var/www/domain/htdocs/lib/private/AppFramework/Http/Dispatcher.php - line 166:
OCA\Passwords\Controller\Api\AbstractObjectApiController->show("00000000-00 ... 0", "model+folders+passwords")
/var/www/domain/htdocs/lib/private/AppFramework/Http/Dispatcher.php - line 99:
OC\AppFramework\Http\Dispatcher->executeController(OCA\Password ... {}, "show")
/var/www/domain/htdocs/lib/private/AppFramework/App.php - line 118:
OC\AppFramework\Http\Dispatcher->dispatch(OCA\Password ... {}, "show")
/var/www/domain/htdocs/lib/private/AppFramework/Routing/RouteActionHandler.php - line 47:
OC\AppFramework\App::main("FolderApiController", "show", OC\AppFramew ... {}, { _route: "p ... "})
OC\AppFramework\Routing\RouteActionHandler->__invoke({ _route: "p ... "})
/var/www/domain/htdocs/lib/private/Route/Router.php - line 297:
call_user_func(OC\AppFramew ... {}, { _route: "p ... "})
/var/www/domain/htdocs/lib/base.php - line 989:
OC\Route\Router->match("/apps/passw ... w")
/var/www/domain/htdocs/index.php - line 42:
OC::handleRequest()

Error no app in context OC\ForbiddenException: This request is not allowed to access the filesystem
/var/www/domain/htdocs/lib/private/Files/View.php - line 1146:
OC\Lockdown\Filesystem\NullStorage->mkdir("files_encryption")
/var/www/domain/htdocs/lib/private/Files/View.php - line 268:
OC\Files\View->basicOperation("mkdir", "/username/files_encryption", [ "create","write"])
/var/www/domain/htdocs/lib/private/Encryption/Keys/Storage.php - line 372:
OC\Files\View->mkdir("/username/files_encryption")
/var/www/domain/htdocs/lib/private/Encryption/Keys/Storage.php - line 232:
OC\Encryption\Keys\Storage->keySetPreparation("/username/fil ... E")
/var/www/domain/htdocs/lib/private/Encryption/Keys/Storage.php - line 117:
OC\Encryption\Keys\Storage->setKey("/username/fil ... y", "-----BEGIN ... n")
/var/www/domain/htdocs/apps/encryption/lib/KeyManager.php - line 298:
OC\Encryption\Keys\Storage->setUserKey("*** sensiti ... ", "publicKey", "-----BEGIN ... n", "OC_DEFAULT_MODULE")
/var/www/domain/htdocs/apps/encryption/lib/KeyManager.php - line 257:
OCA\Encryption\KeyManager->setPublicKey("*** sensiti ... ", "-----BEGIN ... n")
/var/www/domain/htdocs/apps/encryption/lib/Users/Setup.php - line 77:
OCA\Encryption\KeyManager->storeKeyPair("*** sensiti ... ")
/var/www/domain/htdocs/apps/encryption/lib/Hooks/UserHooks.php - line 180:
OCA\Encryption\Users\Setup->setupUser("*** sensiti ... ")
/var/www/domain/htdocs/lib/private/legacy/hook.php - line 106:
OCA\Encryption\Hooks\UserHooks->login("*** sensiti ... ")
/var/www/domain/htdocs/lib/private/Server.php - line 410:
OC_Hook::emit("OC_User", "post_login", "*** sensiti ... ")
OC\Server->OC{closure}("*** sensiti ... ")
/var/www/domain/htdocs/lib/private/Hooks/EmitterTrait.php - line 99:
call_user_func_array(Closure {}, [ "*** sensi ... "])
/var/www/domain/htdocs/lib/private/Hooks/PublicEmitter.php - line 36:
OC\Hooks\BasicEmitter->emit("\OC\User", "postLogin", [ "*** sensi ... "])
/var/www/domain/htdocs/lib/private/User/Session.php - line 370:
OC\Hooks\PublicEmitter->emit("\OC\User", "postLogin", [ "*** sensi ... "])
/var/www/domain/htdocs/lib/private/User/Session.php - line 607:
OC\User\Session->completeLogin("*** sensiti ... ")
/var/www/domain/htdocs/lib/private/User/Session.php - line 335:
OC\User\Session->loginWithToken("*** sensiti ... ")
/var/www/domain/htdocs/lib/private/User/Session.php - line 413:
OC\User\Session->login("*** sensiti ... ")
/var/www/domain/htdocs/lib/private/User/Session.php - line 527:
OC\User\Session->logClientIn("*** sensiti ... ")
/var/www/domain/htdocs/lib/base.php - line 1042:
OC\User\Session->tryBasicAuthLogin("*** sensiti ... ", "*** sensiti ... ")
/var/www/domain/htdocs/lib/base.php - line 978:
OC::handleLogin("*** sensiti ... ")
/var/www/domain/htdocs/index.php - line 42:
OC::handleRequest()

Expected result

Password-Entries should be listed in the web interface.

@marius-wieschollek
Owner

The second error trace makes it look like there is an issue with the permissions on the filesystem. Can you check the permissions in your Nextcloud's data directory, especially the appdata directory and its subfolders?

@virusbrain
Author

Thanks for your quick response!
I think the permissions are correct. http (the apache user) is allowed to access all these folders and files. Could there be a connection between this and the encryption? I only activated encryption for external storage.

@marius-wieschollek
Owner

Passwords uses the encryption interface provided by Nextcloud (a wrapper for phpseclib) to encrypt passwords server side. This is usually also the same interface as used by the server side storage encryption.
Passwords uses three keys for encryption: the SSEv1ServerKey which is stored in appconfig, the SSEv1UserKey which is stored in preferences and the password key which is stored with the password (all in the database). If one of these keys gets lost there is no rescue.
If you check the second log entry, you see that OC\Lockdown\Filesystem\NullStorage is being used. This leads me to the assumption that there is something wrong with the encryption setup on your Nextcloud. Do you also have issues with files from an encrypted external storage?

@Somebodyisnobody

Hello, i have the same error, but without the second message.

  • I didn't upgrade to NC 14 because the internal updater didn't offer it to me
  • My database is a local MySQL database
  • LDAP isn't used
  • Desktop doesn't work, and in the NC app (Android) there is no reference to passwords
  • Server encryption has been disabled all the time
  • The error appeared just after the last update of passwords
  • NC was upgraded from ownCloud a few years ago; I always use the internal updater (I'm too lazy)
  • One change is the database prefix, which I changed from "oc_" to "nc_" when upgrading to Nextcloud
  • I didn't change any unix rights on the filesystem or the nginx service

If you need more information with a low time to response we could make a teamviewer session and collect the results in a post.

Thanks for help

@Biont

Biont commented Sep 17, 2018

I have the same problem. The Android app does work, but it only shows a small handful of passwords. How does that make sense?

I re-ran https://wiki.archlinux.org/index.php/Nextcloud#Setting_strong_permissions_for_the_filesystem
and now the admin settings no longer complain about permission issues, but it did not help with the passwords app

@Somebodyisnobody

Hmm, so the first error still exists? I'm so happy not to be alone with this error, you won't believe how much I am 😄

@virusbrain
Author

virusbrain commented Sep 18, 2018

Passwords uses the encryption interface provided by Nextcloud (a wrapper for phpseclib) to encrypt passwords server side. This is usually also the same interface as used by the server side storage encryption.
Passwords uses three keys for encryption: the SSEv1ServerKey which is stored in appconfig, the SSEv1UserKey which is stored in preferences and the password key which is stored with the password (all in the database). If one of these keys gets lost there is no rescue.
If you check the second log entry, you see that OC\Lockdown\Filesystem\NullStorage is being used. This leads me to the assumption that there is something wrong with the encryption setup on your Nextcloud. Do you also have issues with files from an encrypted external storage?

No, access to the encrypted external storages is working correctly.

@marius-wieschollek marius-wieschollek added bug Something in the app is not working as expected component:backend and removed question labels Sep 18, 2018
@marius-wieschollek
Owner

I was unable to figure out what causes the issue so far, so I pulled the 2018.9 release from the app store today.

The information I have so far leads me to the conclusion that one of the migrations within the app must be the cause of this.
I tried the upgrade process from several older versions of the app but was unable to reproduce the issue. I noticed however that this Nextcloud issue also means that some migrations are not actually executed during an app update but might be executed with the next app update. Maybe there is some information that you can provide that will help me to find the source of this issue.

  1. Which version of the app did you upgrade from?
  2. Which version of the app did you start with?
  3. Which version of Nextcloud (all three numbers) were you running when you upgraded?
  4. Are you using ajax or webcron for background jobs?
  5. Did you upgrade using the Appstore or manually?
  6. Did you see the Upgrade page afterwards?
  7. Were there any errors during the upgrade?
  8. Do you use the "delete old objects from database" option?
  9. Are you having multiple users on your Nextcloud?
  10. Did you delete an user?
  11. Did you share passwords?

If you know how to use Docker, you can also use the development environment for the following. (Just import a database dump)

Also if you do have a database backup, it would be great if you could take a look at the table appconfig and compare the value of the entry with the configkey SSEv1ServerKey with the current value of that field. Also you can check the table preferences and compare the values for the configkey SSEv1UserKey. Also look at the user field and check if you notice anything strange.

Lastly you can also run the command ./occ maintenance:repair and see what the repair job Repair Passwords Database Objects outputs. Please make a database backup before you do this

@Somebodyisnobody

I make it fast 😄:

  1. I always keep the app up to date because I get notifications. If you didn't release an app about 3 days before 2018.9, I should have updated from the last store app to 2018.9
  2. I really don't remember: The first entry in my browser's history is https://my.domain.is.cool/index.php/apps/passwords/#/security/1 on 24.02.18. Please keep in mind that this is the last date this URL was called, not the first, so it's possible that I visited it before.
  3. NC 13.0.6 (luckily I didn't upgrade yesterday 😅)
  4. I use "Cron", not Webcron or ajax (Cron was executed 13 mins ago)
  5. Upgraded via Appstore
  6. I actually don't know, but I think the app disappeared from the app updates list and the list was empty like always after an upgrade
  7. Please tell me the store release date and time. I have the logs and know that I upgraded 8h after your release, but I don't remember the time.
  8. No, it's set to "Nie" (Never) (if I changed it, then for trial and error after passwords 2018.9 stopped working)
  9. Yeah, I have multiple users, but I think I am the only person who uses passwords
  10. No
  11. No
    Sorry, I have heard about docker but I cannot handle it. I'll ask a friend if he has time. I deleted the backups I made after the successful NC upgrade 😢
    Tomorrow I'll try the repair command

Good Night together

@Biont

Biont commented Sep 19, 2018

1. Which version of the app did you upgrade from?

I'm also pretty up to date, so it must have been the previous release, as per your releases page: 2018.7.0

2. Which version of the app did you start with?

I honestly don't know either. I also checked my browser history and the corresponding release would be 2018.5.1, but I am pretty sure I've been using it longer than that. But I definitely started using it in 2018

3. Which version of Nextcloud (all three numbers) were you running when you upgraded?

13.0.6.1 (I actually thought it was after I upgraded to 14, but I got the errors before as well)

4. Are you using ajax or webcron for background jobs?

System cron as well

5. Did you upgrade using the Appstore or manually?

App store

6. Did you see the Upgrade page afterwards?

I don't remember anything like that. It was a regular app update and then when I checked the app failed to load.

7. Were there any errors during the upgrade?

No user-facing ones. Logs don't show anything as well.

8. Do you use the "delete old objects from database" option?

I'm sorry I don't know what that is. I have nothing like that in my config.php and could not find anything in my admin settings as well.

9. Are you having multiple users on your Nextcloud?

Yes, 3

10. Did you delete an user?

No

11. Did you share passwords?

Yes

I checked the current SSEv1ServerKey against a backup and the entries match

Lastly, here is my output of occ maintenance:repair:

 - Repair MySQL collation
     - All tables already have the correct collation -> nothing to do
 - Repair mime types
 - Clean tags and favorites
     - 0 tags of deleted users have been removed.
     - 0 tags for delete files have been removed.
     - 0 tag entries for deleted tags have been removed.
     - 0 tags with no entries have been removed.
 - Repair invalid shares
 - Remove shares of a users root folder
 - Move .step file of updater to backup location
 - Fix potential broken mount points
     - No mounts updated
 - Repair invalid paths in file cache
 - Add log rotate job
 - Clear frontend caches
     - Image cache cleared
     - SCSS cache cleared
     - JS cache cleared
 - Add preview background cleanup job
 - Queue a one-time job to cleanup old backups of the updater
 - Repair pending cron jobs
     - No need to repair pending cron jobs.
 - Fix component of birthday calendars
     - 3 birthday calendars updated.
 - Fix broken values of calendar objects
    0 [>---------------------------]
 - Registering building of calendar search index as background job
     - Repair step already executed
 - Delete orphaned ACL rules
 - Write default encryption module configuration to the database
 - Fix the share type of guest shares when migrating from ownCloud
 - Copy the share password into the dedicated column
 - Purify and migrate collected mail addresses
 26 [============================]
 - Migrate binary status into separate boolean fields
 - Update OAuth token expiration times
 - Passwords Legacy Database Migration
     - Legacy migration not available for version 2018.9.0
 - Fix invalid password status when hibp enabled
 - Repair Passwords Database Objects
     - Checking 0 tag revisions
    0 [>---------------------------]
     - Fixed 0 tag revisions
     - Checking 2 folder revisions
 2 [============================]
     - Fixed 0 folder revisions
     - Checking 76 password revisions
 76 [============================]
     - Fixed 0 password revisions
     - Checking 0 tag models
    0 [>---------------------------]
     - Fixed 0 tag models
     - Checking 2 folder models
 2 [============================]
     - Fixed 0 folder models
     - Checking 64 password models
 64 [============================]
     - Fixed 0 password models
     - Checking 0 password tag relations
    0 [>---------------------------]
     - Fixed 0 password tag relations

@marius-wieschollek
Owner

@Somebodyisnobody I think the release was on 13.09.2018 around 20:00 MESZ

@Biont Thanks for running the command. Can you check your database if the table passwords_entity_password_revision has any entry where the column custom_fields contains the value '{}'. The SQL would be something like

SELECT COUNT(*) FROM `**YOUR_TABLE_PREFIX**passwords_entity_password_revision` WHERE `custom_fields` = '{}'

@Somebodyisnobody

@Biont

8. Do you use the "delete old objects from database" option?

I'm sorry I don't know what that is. I have nothing like that in my config.php and could not find anything in my admin settings as well.

Admin settings -> Passwords -> "Gelöschte Objekte aus der Datenbank entfernen" ("Remove deleted objects from the database.")

"Remove deleted objects from database" : "Gelöschte Objekte aus der Datenbank entfernen",

@marius-wieschollek Okay, I had another idea to find it out: The first error (Ciphertext [...]) appeared at "time:"2018-09-13T19:54:02+02:00"". So I upgraded between 17:45:03 and 17:54:02 MESZ.
I found the following "message" entries at 17:45:03, which still flood the log. Maybe it's helpful:

message:"Memcache \OC\Memcache\APCu not available for local cache"
message:"Memcache \OC\Memcache\APCu not available for distributed cache"
message:"Deleted 0 orphaned password(s)"
message:"Deleted 0 expired share(s)"
message:"Created 0 new share(s)"
message:"Removed shared attribute from 0 password(s)"
message:"Updated 0 share(s)"
message:"Deleted 0 user(s)"
message:"Deleted 0 object(s) permanently"

@marius-wieschollek
Owner

@Somebodyisnobody the message in the log is normal, it's the cronjob.

You can run the SQL statement from my last post and check if it returns anything but '0'.
If that is the case you can upgrade to the nightly build Passwords 2018.10.0-build2410 to see if this fixes your issue.

@Somebodyisnobody

@Somebodyisnobody the message in the log is normal, it's the cronjob.

You can run the SQL statement from my last post and check if it returns anything but '0'.
If that is the case you can upgrade to the nightly build Passwords 2018.10.0-build2410 to see if this fixes your issue.

The table "nc_passwords_entity_password_revision" does not exist (my prefix is nc_) is that good or bad?

@marius-wieschollek
Owner

@Somebodyisnobody make a SHOW TABLES;, and make sure you have the right database selected. That table contains the passwords so it's better not missing.

@Somebodyisnobody

Somebodyisnobody commented Sep 19, 2018

SHOW TABLES; worked, the table exists and now the SELECT also works.
Moreover, I didn't realize that phpmyadmin made a second page for these tables.

COUNT(*)
11

Edit: how to upgrade the app manually? (Have shell access)

@Biont

Biont commented Sep 19, 2018

@marius-wieschollek I got sick, so I am just on my phone now. I quickly ssh'd into my server and ran the query, which returned the following:

MariaDB [nextcloud]> SELECT COUNT(*) FROM `oc_passwords_entity_password_revision` WHERE `custom_fields` = '{}';
+----------+
| COUNT(*) |
+----------+
|       59 |
+----------+
1 row in set (0.00 sec)

Good to see the progress here. I was really nervous about this

@marius-wieschollek
Owner

Ok, then I think we have found the bug.
You can install the nightly release and that should already fix the issue. If not, check the SQL statement again. There should be zero entries matching the query. If not, run ./occ maintenance:repair manually.

@Somebodyisnobody

@marius-wieschollek could you quickly explain how to upgrade manually? Just putting the folder into the apps folder?

@marius-wieschollek
Owner

yes, that is essentially it. You will see the Nextcloud Upgrade screen afterwards.

@Biont

Biont commented Sep 20, 2018

@marius-wieschollek I can confirm that the nightly build fixes the issue for me. Thanks for solving this so quickly.

@virusbrain
Author

@marius-wieschollek I have also tested the nightly build. It fixes the issue for me too! Great work, thanks!

@marius-wieschollek
Owner

Great to hear that. If I do not get any negative responses, I will publish this as 2018.9.1 tomorrow.

@Somebodyisnobody

I'll test it in the evening and give you feedback.
What was the bug?

@marius-wieschollek
Owner

@Somebodyisnobody It was a mix of two bugs.

Because of Nextcloud bug #9781, the appstore will initialize an app before upgrading it. That also means that it will only run migrations defined in the old info.xml and ignore new migrations defined in the info.xml of the update. (Bug 1)

In passwords 2018.5, the field custom_fields and a migration to initialize this field was added.
In 2018.6 this migration was merged with another migration and renamed.
In 2018.7 the "Repair Passwords Database Objects" migration was added, which can fix a lot of structural database issues. The initialization for custom_fields was now done by that migration. But since that migration usually only works with metadata (like folder ids), it does not decrypt the passwords. So it just added the default value for custom_fields to the encrypted password object and saved it. (Bug 2)
When the app tries to decrypt the password object, it will try to decrypt the custom_fields and fail.
But because of the appstore bug, none of the migrations were ever executed on your machines. Since the encryption can handle an empty field, the decrypting worked just fine.
All new passwords added after 2018.5 also included the field by default.
In 2018.9, when the "Repair Passwords Database Objects" migration was actually executed for the first time, it finally caused the problem.

I had assumed that a migration (or a cronjob) was to blame, but did not know what exactly happened. I originally assumed that something messed up the ownership of passwords and therefore the decryption fails. When @Biont ran the maintenance command and did not get any errors, I realized that the migration does not decrypt the passwords.
It was quite hard to reproduce the error, because essentially you need to start with 2018.4 and then trick the appstore into installing old updates.
Now the migration checks if the encrypted object contains the {} value, removes it, then decrypts it and initializes it correctly.

After all, I'm pretty happy that it was only something "minor" and the keys did not get damaged or deleted. I will probably add a backup option for the keys in a future release.
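As an added example (not code from the Passwords app, from Nextcloud, or from the maintainer), here is a Python model of the two bugs described in the comment above, together with the COUNT(*) check from the earlier comment about `custom_fields = '{}'`. A toy encrypt-then-MAC cipher built on hashlib/hmac stands in for Nextcloud's OC\Security\Crypto; the one-ciphertext-column-per-field record layout, the function names and the sample rows are assumptions constructed for illustration.

```python
# Added example: metadata-only repair step writes a plaintext default into a
# ciphertext column, the next decrypt fails, and a corrected repair step
# recovers the row. Toy cipher and record layout are assumptions, not the
# Passwords app's SSEv1 code.
import hashlib
import hmac
import secrets

KEY = b"constructed-demo-key-never-reuse"   # constructed; real keys sit in appconfig/preferences
ENCRYPTED_FIELDS = ("label", "password", "custom_fields")
UNINITIALISED = "{}"   # plaintext default the buggy repair wrote into the ciphertext column


class DecryptError(Exception):
    pass


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: fine for a demo, not a production cipher
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, plaintext: str) -> str:
    nonce = secrets.token_bytes(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()


def decrypt(key: bytes, blob: str) -> str:
    # Non-hex input, a too-short blob or a bad MAC are all rejected; this is
    # what turns a stray '{}' into the error seen in the Nextcloud log.
    msg = "Authenticated ciphertext could not be decoded."
    try:
        raw = bytes.fromhex(blob)
    except ValueError:
        raise DecryptError(msg) from None
    if len(raw) < 48:
        raise DecryptError(msg)
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise DecryptError(msg)
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def encrypt_object(key: bytes, obj: dict) -> dict:
    return {k: encrypt(key, v) if k in ENCRYPTED_FIELDS else v for k, v in obj.items()}


def decrypt_object(key: bytes, row: dict) -> dict:
    # An empty or missing field is tolerated (why pre-2018.5 rows kept working);
    # any non-empty value in an encrypted column must be a valid ciphertext.
    return {k: decrypt(key, v) if k in ENCRYPTED_FIELDS and v else v for k, v in row.items()}


def make_sample_rows() -> list:
    # Constructed sample: one revision from before custom_fields existed, one newer row.
    old = encrypt_object(KEY, {"uuid": "rev-1", "label": "mail", "password": "s3cret"})
    old["custom_fields"] = None
    new = encrypt_object(KEY, {"uuid": "rev-2", "label": "bank", "password": "hunter2",
                               "custom_fields": "{}"})
    return [old, new]


def buggy_repair(rows: list) -> None:
    # Bug 2: the repair only touches metadata, so it stores the plaintext default
    # straight into the encrypted column without decrypting the object.
    for row in rows:
        if not row.get("custom_fields"):
            row["custom_fields"] = UNINITIALISED


def count_uninitialised(rows: list) -> int:
    # Same check as: SELECT COUNT(*) FROM <prefix>passwords_entity_password_revision
    #                WHERE custom_fields = '{}'
    return sum(1 for row in rows if row.get("custom_fields") == UNINITIALISED)


def fixed_repair(key: bytes, rows: list) -> None:
    # Corrected step: treat the literal '{}' as "not set", decrypt the other
    # fields, initialise custom_fields in plaintext, then re-encrypt the object.
    for row in rows:
        if row.get("custom_fields") in (None, "", UNINITIALISED):
            row.pop("custom_fields", None)
            obj = decrypt_object(key, row)
            obj["custom_fields"] = "{}"
            row.clear()
            row.update(encrypt_object(key, obj))


if __name__ == "__main__":
    rows = make_sample_rows()
    buggy_repair(rows)
    print("rows holding a plaintext '{}':", count_uninitialised(rows))
    try:
        decrypt_object(KEY, rows[0])
    except DecryptError as err:
        print("decrypt failed as in the log:", err)
    fixed_repair(KEY, rows)
    print("after fix:", count_uninitialised(rows), decrypt_object(KEY, rows[0]))
```

Running the script shows the sequence the maintainer describes: after the buggy repair the COUNT-style check returns a non-zero number and the legacy row can no longer be decrypted, while the corrected repair brings the count back to zero and the row decrypts with `custom_fields` properly initialised.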

@Somebodyisnobody

@marius-wieschollek Thanks for this detailed description, bad things happen in life :)
Finally I can confirm that the nightly works.

Thank you!

@marius-wieschollek
Owner

Version 2018.9.1 has been released to fix this issue. Thanks everyone for reporting and helping.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 24, 2021