[Bug]: Upgrading using `occ upgrade` with non-default `umask` breaks permissions

[lukmi15]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

Upgrading Nextcloud via occ upgrade with a umask set to something more restrictive than the default, such as 0077 causes file permissions to be too restrictive, which breaks the web UI

Steps to reproduce

1. Set umask to something restrictive like 0077
2. Upgrade Nextcloud using occ upgrade

Expected behavior

I think setting a restrictive umask should be taken into consideration in the upgrade procedure. I would expect it to manually set the folder and file permissions correctly or set a umask that the developers expected to see before upgrading.

Nextcloud Server version

31

Operating system

Other

PHP engine version

PHP 8.2

Web server

Nginx

Database engine version

MariaDB

Is this bug present after an update or on a fresh install?

None

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

$ occ config:list system
PHP Warning:  Module "apcu" is already loaded in Unknown on line 0
{
    "system": {
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "logfile": "\/var\/log\/nextcloud\/nextcloud.log",
        "apps_paths": [
            {
                "path": "\/usr\/share\/webapps\/nextcloud\/apps",
                "url": "\/apps",
                "writable": false
            },
            {
                "path": "\/var\/lib\/nextcloud\/apps",
                "url": "\/wapps",
                "writable": true
            }
        ],
        "trusted_domains": [
            "cloud.************"
        ],
        "overwrite.cli.url": "https:\/\/cloud.************\/",
        "htaccess.RewriteBase": "\/",
        "maintenance_window_start": 0,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "31.0.4.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "maintenance": false,
        "theme": "",
        "loglevel": 0
    }
}

List of activated Apps

$ occ app:list
PHP Warning:  Module "apcu" is already loaded in Unknown on line 0
Enabled:
  - activity: 4.0.0
  - admin_audit: 1.21.0
  - app_api: 5.0.2
  - bruteforcesettings: 4.0.0
  - calendar: 5.2.2
  - circles: 31.0.0
  - cloud_federation_api: 1.14.0
  - comments: 1.21.0
  - contacts: 7.0.6
  - contactsinteraction: 1.12.0
  - dashboard: 7.11.0
  - dav: 1.33.0
  - deck: 1.15.0
  - federatedfilesharing: 1.21.0
  - federation: 1.21.0
  - files: 2.3.1
  - files_downloadlimit: 4.0.0
  - files_pdfviewer: 4.0.0
  - files_reminders: 1.4.0
  - files_sharing: 1.23.1
  - files_trashbin: 1.21.0
  - files_versions: 1.24.0
  - firstrunwizard: 4.0.0
  - logreader: 4.0.0
  - lookup_server_connector: 1.19.0
  - nextcloud_announcements: 3.0.0
  - notes: 4.12.0
  - notifications: 4.0.0
  - oauth2: 1.19.1
  - password_policy: 3.0.0
  - phonetrack: 0.8.2
  - photos: 4.0.0-dev.1
  - privacy: 3.0.0
  - profile: 1.0.0
  - provisioning_api: 1.21.0
  - recommendations: 4.0.0
  - related_resources: 2.0.0
  - serverinfo: 3.0.0
  - settings: 1.14.0
  - sharebymail: 1.21.0
  - support: 3.0.0
  - survey_client: 3.0.0
  - suspicious_login: 9.0.1
  - systemtags: 1.21.1
  - text: 5.0.0
  - theming: 2.6.1
  - twofactor_backupcodes: 1.20.0
  - twofactor_totp: 13.0.0-dev.0
  - twofactor_webauthn: 2.1.0
  - updatenotification: 1.21.0
  - user_status: 1.11.0
  - viewer: 4.0.0
  - weather_status: 1.11.0
  - webhook_listeners: 1.2.0
  - workflowengine: 2.13.0
Disabled:
  - encryption: 2.19.0
  - files_external: 1.23.0
  - twofactor_nextcloud_notification: 5.0.0
  - user_ldap: 1.22.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

//Nginx showed permission denied for certain apps in `*/wapps/*. `ls -l` showed that permissions were off

Additional info

OS: Arch Linux

There is a similar issue from years ago, apparently it was not addressed, that's why this bug report:
https://help.nextcloud.com/t/occ-no-longer-working-with-php-7-0-31/36674/2

[lukmi15]

If anyone wants to know how to fix this on their server, here is an example for notes:

umask 0022
occ app:remove notes #This does not delete your files; tested it with notes, contacts, and calendar
occ app:install notes

The files in wapps/ should be re-created with the correct permissions