File Firewall: No user access and internal server error after deleting a rule

Steps to reproduce

  1. Install ownCloud Appliance
  2. Set up the File Firewall with a rule that disables web login for a user group.
  3. Login should not be possible
  4. Delete the rule
  5. Try to login again.

Expected behaviour

Login should be possible for that user, just like before the File Firewall rule was created.

Actual behaviour

The user can’t log in and an internal server error appears.

Server configuration

Operating system:
Univention Corporate Server 4.3-3 errata448

Web server:
Apache/2.4.25 (Univention)

Database:
10.1.37-MariaDB-0+deb9u1

PHP version:
PHP 7.0.33-0+deb9u1

ownCloud version: (see ownCloud admin page)
10.0.10

Updated from an older ownCloud or fresh install:
fresh install

Where did you install ownCloud from:
Univention Corporate Server

Signing status (ownCloud 9.0 and above):
No errors have been found.

The content of config/config.php:

```json
{
"system": {
"apps_paths": [
{
"path": "/var/www/owncloud/apps",
"url": "/apps",
"writable": false
},
{
"path": "/var/www/owncloud/custom",
"url": "/custom",
"writable": true
}
],
"trusted_domains": [
"localhost"
],
"datadirectory": "/var/lib/univention-appcenter/apps/owncloud/data/files",
"dbtype": "mysql",
"dbhost": "REMOVED SENSITIVE VALUE",
"dbname": "owncloud",
"dbuser": "REMOVED SENSITIVE VALUE",
"dbpassword": "REMOVED SENSITIVE VALUE",
"dbtableprefix": "oc_",
"log_type": "owncloud",
"logfile": "/var/lib/univention-appcenter/apps/owncloud/data/files/owncloud.log",
"loglevel": 1,
"supportedDatabases": [
"sqlite",
"mysql",
"pgsql"
],
"license-key": "REMOVED SENSITIVE VALUE",
"upgrade.disable-web": true,
"default_language": "de",
"overwrite.cli.url": "REMOVED SENSITIVE VALUE",
"htaccess.RewriteBase": "/owncloud",
"memcache.local": "\OC\Memcache\APCu",
"filelocking.enabled": true,
"passwordsalt": "REMOVED SENSITIVE VALUE",
"secret": "REMOVED SENSITIVE VALUE",
"version": "10.0.10.4",
"logtimezone": "Europe/Berlin",
"installed": true,
"instanceid": "ocdr3494t3mn",
"ldapIgnoreNamingRules": false,
"log_rotate_size": 104857600,
"onlyoffice": {
"verify_peer_off": true
},
"singleuser": false,
"firewall.debug": 3,
"trusted_proxies": [
REMOVED SENSITIVE VALUE
],
"forwarded_for_headers": [
"HTTP_X_FORWARDED_FOR",
"HTTP_FORWARDED_FOR"
],
"maintenance": false,
"lost_password_link": "true",
"mail_domain": "REMOVED SENSITIVE VALUE",
"mail_from_address": "REMOVED SENSITIVE VALUE",
"mail_smtpmode": "smtp",
"mail_smtphost": "REMOVED SENSITIVE VALUE",
"mail_smtpport": "25",
"version.hide": true,
"token_auth_enforced": true,
"firewall.rules": "[]"
}
}
```

List of activated apps:

Enabled:

  • activity: 2.4.2
  • admin_audit: 1.0.2
  • brute_force_protection: 1.0.1
  • comments: 0.3.0
  • configreport: 0.1.1
  • customgroups: 0.4.0
  • dav: 0.4.0
  • encryption: 1.3.1
  • enterprise_key: 0.2.0
  • federatedfilesharing: 0.3.1
  • files: 1.5.1
  • files_external: 0.7.1
  • files_sharing: 0.11.0
  • files_trashbin: 0.9.1
  • files_versions: 1.3.0
  • files_videoplayer: 0.9.8
  • firewall: 2.7.0
  • firstrunwizard: 1.1
  • gallery: 16.1.1
  • market: 0.3.0
  • notifications: 0.3.5
  • provisioning_api: 0.5.0
  • ransomware_protection: 1.1.0
  • systemtags: 0.3.0
  • updatenotification: 0.2.1
  • user_ldap: 0.13.0
  • windows_network_drive: 0.7.4

Are you using external storage, if yes which one:

Are you using encryption: yes

Are you using an external user-backend, if yes which one: LDAP (of the Univention Corporate Server)

LDAP configuration (delete this part if not used)

| Configuration | s01 |
|---|---|
| hasMemberOfFilterSupport | 1 |
| hasPagedResultSupport | |
| homeFolderNamingRule | |
| lastJpegPhotoLookup | 0 |
| ldapAgentName | |
| ldapAgentPassword | *** |
| ldapAttributesForGroupSearch | |
| ldapAttributesForUserSearch | |
| ldapBackupHost | |
| ldapBackupPort | |
| ldapBase | |
| ldapBaseGroups | |
| ldapBaseUsers | |
| ldapCacheTTL | 600 |
| ldapConfigurationActive | 1 |
| ldapDynamicGroupMemberURL | |
| ldapEmailAttribute | mailPrimaryAddress |
| ldapExperiencedAdmin | 0 |
| ldapExpertUUIDGroupAttr | gidNumber |
| ldapExpertUUIDUserAttr | uid |
| ldapExpertUsernameAttr | uid |
| ldapGroupDisplayName | cn |
| ldapGroupFilter | (&(objectclass=posixGroup)(ownCloudEnabled=1)) |
| ldapGroupFilterGroups | |
| ldapGroupFilterMode | 0 |
| ldapGroupFilterObjectclass | |
| ldapGroupMemberAssocAttr | memberUid |
| ldapHost | |
| ldapIgnoreNamingRules | |
| ldapLoginFilter | (&(objectclass=person)(ownCloudEnabled=1)(\|(uid=%uid)(mailPrimaryAddress=%uid))) |
| ldapLoginFilterAttributes | |
| ldapLoginFilterEmail | 0 |
| ldapLoginFilterMode | 0 |
| ldapLoginFilterUsername | 1 |
| ldapNestedGroups | 0 |
| ldapOverrideMainServer | |
| ldapPagingSize | 500 |
| ldapPort | 7389 |
| ldapQuotaAttribute | ownCloudQuota |
| ldapQuotaDefault | |
| ldapTLS | 0 |
| ldapUserDisplayName | displayName |
| ldapUserDisplayName2 | |
| ldapUserFilter | (&(objectclass=person)(ownCloudEnabled=1)) |
| ldapUserFilterGroups | |
| ldapUserFilterMode | 0 |
| ldapUserFilterObjectclass | |
| ldapUserName | samaccountname |
| ldapUuidGroupAttribute | auto |
| ldapUuidUserAttribute | auto |
| turnOffCertCheck | 0 |
| useMemberOfToDetectMembership | 0 |

Client configuration

Browser:
Firefox 65.0.2 (64-Bit)
Operating system:
Windows 7 64bit

Logs

Web server error log

ownCloud log (data/owncloud.log)

The log entry for the request ID shown by the internal server error:

```
Exception: {"Exception":"OCP\Files\NotFoundException","Message":"","Code":0,"Trace":"#0 /var/www/owncloud/apps/files/lib/Controller/ViewController.php(134): OC_Helper::getStorageInfo('/', false)\n#1 /var/www/owncloud/apps/files/lib/Controller/ViewController.php(205): OCA\Files\Controller\ViewController->getStorageInfo()\n#2 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(153): OCA\Files\Controller\ViewController->index('', '', NULL, NULL)\n#3 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(85): OC\AppFramework\Http\Dispatcher->executeController(Object(OCA\Files\Controller\ViewController), 'index')\n#4 /var/www/owncloud/lib/private/AppFramework/App.php(100): OC\AppFramework\Http\Dispatcher->dispatch(Object(OCA\Files\Controller\ViewController), 'index')\n#5 /var/www/owncloud/lib/private/AppFramework/Routing/RouteActionHandler.php(46): OC\AppFramework\App::main('ViewController', 'index', Object(OC\AppFramework\DependencyInjection\DIContainer), Array)\n#6 /var/www/owncloud/lib/private/Route/Router.php(342): OC\AppFramework\Routing\RouteActionHandler->__invoke(Array)\n#7 /var/www/owncloud/lib/base.php(909): OC\Route\Router->match('/apps/files/')\n#8 /var/www/owncloud/index.php(54): OC::handleRequest()\n#9 {main}","File":"/var/www/owncloud/lib/private/legacy/helper.php","Line":585}
```

Browser log
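Triaging an ownCloud 500 usually starts with pulling the `Exception` entry for the request ID and reading the innermost trace frame, which here is `OC_Helper::getStorageInfo('/', false)` throwing `NotFoundException` (the user's root storage could not be resolved at login). The following parser is an added example, not code from the original post or from ownCloud; the sample log line is constructed to mirror the structure of the entry quoted above, with the trace shortened.

```python
import json
import re

# Constructed sample in the shape of the entry quoted above (trace shortened); not a real log line.
SAMPLE_LINE = (
    r'Exception: {"Exception":"OCP\\Files\\NotFoundException","Message":"","Code":0,'
    r'"Trace":"#0 /var/www/owncloud/apps/files/lib/Controller/ViewController.php(134): '
    r"OC_Helper::getStorageInfo('/', false)\n"
    r'#1 /var/www/owncloud/apps/files/lib/Controller/ViewController.php(205): '
    r'OCA\\Files\\Controller\\ViewController->getStorageInfo()\n'
    r'#2 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(153): '
    r"OCA\\Files\\Controller\\ViewController->index('', '', NULL, NULL)\n"
    r'#3 /var/www/owncloud/index.php(54): OC::handleRequest()\n'
    r'#4 {main}","File":"/var/www/owncloud/lib/private/legacy/helper.php","Line":585}'
)

# PHP-style frame: "#<idx> <file>(<line>): <call>"; the final "#<idx> {main}" has no file/line.
FRAME_RE = re.compile(r"^#(\d+) (.+?)\((\d+)\): (.+)$")
MAIN_RE = re.compile(r"^#(\d+) \{main\}$")


def parse_exception_line(line):
    """Return the JSON payload of an 'Exception: {...}' ownCloud log entry as a dict."""
    prefix = "Exception: "
    if not line.startswith(prefix):
        raise ValueError("not an ownCloud exception entry")
    return json.loads(line[len(prefix):])


def parse_trace(trace):
    """Split the trace string into frames ordered from the throwing call (#0) outwards."""
    frames = []
    for entry in trace.split("\n"):
        m = FRAME_RE.match(entry)
        if m:
            frames.append({"index": int(m.group(1)), "file": m.group(2),
                           "line": int(m.group(3)), "call": m.group(4)})
            continue
        m = MAIN_RE.match(entry)
        if m:
            frames.append({"index": int(m.group(1)), "file": None, "line": None, "call": "{main}"})
    return frames


def summarize(line):
    """Condense one exception entry to what a triage note needs."""
    payload = parse_exception_line(line)
    frames = parse_trace(payload["Trace"])
    return {
        "exception": payload["Exception"],
        "thrown_in": f'{payload["File"]}:{payload["Line"]}',
        "origin_call": frames[0]["call"] if frames else None,
        "frames": len(frames),
    }
```

Run `summarize()` over each `Exception:` line of owncloud.log filtered by the request ID from the error page to see which call failed without reading the whole trace.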

Have you forgotten to fill this out or are you not using one?

I’m not using an external storage.

Due to another thing I’m working on at the moment I used this occ-command:

occ files:checksums:verify

After the completion of this command I was able to log in again. Is this a coincidence?

I’ll try to reproduce this soon.

I tried to reproduce the "solution" by using the "occ files:checksums:verify" command, but before that even the File Firewall rule itself didn’t work. The user could log in as normal. Very confusing.

So now I reproduced and analyzed the bug and I’d like to share the result:

  1. Create a new user in the Active Directory of the Univention Corporate Server.
  2. Log into ownCloud as admin and add the newly created user to the group that is affected by the File Firewall rule, so that the user shouldn’t be able to log in.
  3. Try to log in as the user and see that the File Firewall rule works.
  4. Delete the user from the affected group and try to log in again: login isn’t possible and it shows an internal server error message like the one I mentioned in the first post.
  5. Execute the following command: occ files:checksums:verify
  6. Login is now successful.
  7. Add the user to the affected group again; the login should not be possible again, but instead the user can log in just as normal.
  8. Now if you add another user to that group, but one that has already been created and hasn’t logged into the cloud yet, the rule works. If you then delete the user from that group, he can log in again without an internal server error.

Because of that I have two conclusions as my result:

  1. The internal server error only occurs when a fresh user is created in the Active Directory of the Univention Corporate Server and then added to the group affected by the firewall rule and then deleted from that group again.

  2. As soon as the user has logged into the cloud once, the firewall rule does not work anymore for that user, even if he is added to the affected group again.

I think this could be a bug because our configuration is nothing special and everything else just works fine.

I don’t know what I can further do.

Hey,

if you think this is a bug, then I think you could report something like this to the ownCloud bug trackers.

We now updated to FileFirewall Version 2.8 but the problem still remains. I’ve got really no idea how this problem occurs.

@tom42 I checked the ownCloud github but haven’t found a way to report this bug. Can you provide me some help with this?

Maybe it’s too much to ask, but can you reproduce this issue on a standard ownCloud installation?

If yes, then you could open up a ticket in core, so our engineers can have a look at it.

Right now we have Univention between the bug and ownCloud.

I tried to install the app in our old ownCloud setup, but it led to an internal server error when I tried to re-enter the cloud after the installation.

I then tried to use the occ command to deactivate the firewall app, but I can’t execute it. Instead I get the following exception: "enterprise_key can’t be enabled since it is not installed."

Placing our enterprise-key in the config of our old owncloud-installation wouldn’t make any sense because we need it in our current installation.

Should I directly open up a ticket?

Yes, I would recommend opening a ticket if you have a support sub :slight_smile:

Can you tell me the rule exactly? Maybe a screenshot?

Have just now tried to reproduce and I am failing.

I set the following rule:

image

saved it.

Tried to login as user in the group - can’t

then I deleted the rules, not the rule group, saved it, tried to login as user of that group - works.

Can you execute the following command on your host?

univention-app info

That’s my output:

```
root@ucs-1050:~# univention-app info
UCS: 4.4-0 errata90
Installed: 4.3/owncloud=10.0.10-2019-02-18
Upgradable: owncloud
```

My output is:

```
root@oc:~# univention-app info
UCS: 4.4-0 errata5
Installed: letsencrypt=1.2.2-8 4.3/owncloud=10.0.10-2019-02-18
Upgradable:
```

I’ve set the rule the same as you.

That’s weird. Can you try to look for updates in the Univention system for the Univention components?

So now I installed the latest updates available in Univention, but it still doesn’t work. Since the users are in two groups (one from the Univention Active Directory which was activated for ownCloud, and one ownCloud-internal group "KWZ" for the users that should not be able to access the cloud via browser), I also added the group from the Univention AD to the rule. But nonetheless it doesn’t work either.

Can you open a support case with all the information that is available to you?

I’ve now opened a support case. Thanks for your help! :slight_smile: