File Firewall: No user access and internal server error after deleting a rule


#1

Steps to reproduce

  1. Install ownCloud Appliance
  2. Set up the File Firewall with a rule that blocks login via the web frontend for a user group.
  3. Login should not be possible
  4. Delete the rule
  5. Try to login again.

Expected behaviour

Login should be possible for that user, just as before the File Firewall rule was created.

Actual behaviour

User can't log in and an internal server error appears.

Server configuration

Operating system:
Univention Corporate Server 4.3-3 errata448

Web server:
Apache/2.4.25 (Univention)

Database:
10.1.37-MariaDB-0+deb9u1

PHP version:
PHP 7.0.33-0+deb9u1

ownCloud version: (see ownCloud admin page)
10.0.10

Updated from an older ownCloud or fresh install:
fresh install

Where did you install ownCloud from:
Univention Corporate Server

Signing status (ownCloud 9.0 and above):
No errors have been found.

The content of config/config.php:
{
  "system": {
    "apps_paths": [
      {
        "path": "/var/www/owncloud/apps",
        "url": "/apps",
        "writable": false
      },
      {
        "path": "/var/www/owncloud/custom",
        "url": "/custom",
        "writable": true
      }
    ],
    "trusted_domains": [
      "localhost"
    ],
    "datadirectory": "/var/lib/univention-appcenter/apps/owncloud/data/files",
    "dbtype": "mysql",
    "dbhost": "REMOVED SENSITIVE VALUE",
    "dbname": "owncloud",
    "dbuser": "REMOVED SENSITIVE VALUE",
    "dbpassword": "REMOVED SENSITIVE VALUE",
    "dbtableprefix": "oc_",
    "log_type": "owncloud",
    "logfile": "/var/lib/univention-appcenter/apps/owncloud/data/files/owncloud.log",
    "loglevel": 1,
    "supportedDatabases": [
      "sqlite",
      "mysql",
      "pgsql"
    ],
    "license-key": "REMOVED SENSITIVE VALUE",
    "upgrade.disable-web": true,
    "default_language": "de",
    "overwrite.cli.url": "REMOVED SENSITIVE VALUE",
    "htaccess.RewriteBase": "/owncloud",
    "memcache.local": "\\OC\\Memcache\\APCu",
    "filelocking.enabled": true,
    "passwordsalt": "REMOVED SENSITIVE VALUE",
    "secret": "REMOVED SENSITIVE VALUE",
    "version": "10.0.10.4",
    "logtimezone": "Europe/Berlin",
    "installed": true,
    "instanceid": "ocdr3494t3mn",
    "ldapIgnoreNamingRules": false,
    "log_rotate_size": 104857600,
    "onlyoffice": {
      "verify_peer_off": true
    },
    "singleuser": false,
    "firewall.debug": 3,
    "trusted_proxies": [
      "REMOVED SENSITIVE VALUE"
    ],
    "forwarded_for_headers": [
      "HTTP_X_FORWARDED_FOR",
      "HTTP_FORWARDED_FOR"
    ],
    "maintenance": false,
    "lost_password_link": "true",
    "mail_domain": "REMOVED SENSITIVE VALUE",
    "mail_from_address": "REMOVED SENSITIVE VALUE",
    "mail_smtpmode": "smtp",
    "mail_smtphost": "REMOVED SENSITIVE VALUE",
    "mail_smtpport": "25",
    "version.hide": true,
    "token_auth_enforced": true,
    "firewall.rules": "[]"
  }
}

List of activated apps:

Enabled:

  • activity: 2.4.2
  • admin_audit: 1.0.2
  • brute_force_protection: 1.0.1
  • comments: 0.3.0
  • configreport: 0.1.1
  • customgroups: 0.4.0
  • dav: 0.4.0
  • encryption: 1.3.1
  • enterprise_key: 0.2.0
  • federatedfilesharing: 0.3.1
  • files: 1.5.1
  • files_external: 0.7.1
  • files_sharing: 0.11.0
  • files_trashbin: 0.9.1
  • files_versions: 1.3.0
  • files_videoplayer: 0.9.8
  • firewall: 2.7.0
  • firstrunwizard: 1.1
  • gallery: 16.1.1
  • market: 0.3.0
  • notifications: 0.3.5
  • provisioning_api: 0.5.0
  • ransomware_protection: 1.1.0
  • systemtags: 0.3.0
  • updatenotification: 0.2.1
  • user_ldap: 0.13.0
  • windows_network_drive: 0.7.4

Are you using external storage, if yes which one:

Are you using encryption: yes

Are you using an external user-backend, if yes which one: LDAP (of the Univention Corporate Server)

LDAP configuration (delete this part if not used)

+-------------------------------+----------------------------------------------------------------------------------+
| Configuration                 | s01                                                                              |
+-------------------------------+----------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 1                                                                                |
| hasPagedResultSupport         |                                                                                  |
| homeFolderNamingRule          |                                                                                  |
| lastJpegPhotoLookup           | 0                                                                                |
| ldapAgentName                 |                                                                                  |
| ldapAgentPassword             | ***                                                                              |
| ldapAttributesForGroupSearch  |                                                                                  |
| ldapAttributesForUserSearch   |                                                                                  |
| ldapBackupHost                |                                                                                  |
| ldapBackupPort                |                                                                                  |
| ldapBase                      |                                                                                  |
| ldapBaseGroups                |                                                                                  |
| ldapBaseUsers                 |                                                                                  |
| ldapCacheTTL                  | 600                                                                              |
| ldapConfigurationActive       | 1                                                                                |
| ldapDynamicGroupMemberURL     |                                                                                  |
| ldapEmailAttribute            | mailPrimaryAddress                                                               |
| ldapExperiencedAdmin          | 0                                                                                |
| ldapExpertUUIDGroupAttr       | gidNumber                                                                        |
| ldapExpertUUIDUserAttr        | uid                                                                              |
| ldapExpertUsernameAttr        | uid                                                                              |
| ldapGroupDisplayName          | cn                                                                               |
| ldapGroupFilter               | (&(objectclass=posixGroup)(ownCloudEnabled=1))                                   |
| ldapGroupFilterGroups         |                                                                                  |
| ldapGroupFilterMode           | 0                                                                                |
| ldapGroupFilterObjectclass    |                                                                                  |
| ldapGroupMemberAssocAttr      | memberUid                                                                        |
| ldapHost                      |                                                                                  |
| ldapIgnoreNamingRules         |                                                                                  |
| ldapLoginFilter               | (&(objectclass=person)(ownCloudEnabled=1)(|(uid=%uid)(mailPrimaryAddress=%uid))) |
| ldapLoginFilterAttributes     |                                                                                  |
| ldapLoginFilterEmail          | 0                                                                                |
| ldapLoginFilterMode           | 0                                                                                |
| ldapLoginFilterUsername       | 1                                                                                |
| ldapNestedGroups              | 0                                                                                |
| ldapOverrideMainServer        |                                                                                  |
| ldapPagingSize                | 500                                                                              |
| ldapPort                      | 7389                                                                             |
| ldapQuotaAttribute            | ownCloudQuota                                                                    |
| ldapQuotaDefault              |                                                                                  |
| ldapTLS                       | 0                                                                                |
| ldapUserDisplayName           | displayName                                                                      |
| ldapUserDisplayName2          |                                                                                  |
| ldapUserFilter                | (&(objectclass=person)(ownCloudEnabled=1))                                       |
| ldapUserFilterGroups          |                                                                                  |
| ldapUserFilterMode            | 0                                                                                |
| ldapUserFilterObjectclass     |                                                                                  |
| ldapUserName                  | samaccountname                                                                   |
| ldapUuidGroupAttribute        | auto                                                                             |
| ldapUuidUserAttribute         | auto                                                                             |
| turnOffCertCheck              | 0                                                                                |
| useMemberOfToDetectMembership | 0                                                                                |
+-------------------------------+----------------------------------------------------------------------------------+

Client configuration

Browser:
Firefox 65.0.2 (64-Bit)
Operating system:
Windows 7 64bit

Logs

Web server error log

ownCloud log (data/owncloud.log)

The log message for the request ID shown by the internal server error:

Exception: OCP\Files\NotFoundException
Message: ""
Code: 0
File: /var/www/owncloud/lib/private/legacy/helper.php
Line: 585
Trace:
#0 /var/www/owncloud/apps/files/lib/Controller/ViewController.php(134): OC_Helper::getStorageInfo('/', false)
#1 /var/www/owncloud/apps/files/lib/Controller/ViewController.php(205): OCA\Files\Controller\ViewController->getStorageInfo()
#2 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(153): OCA\Files\Controller\ViewController->index('', '', NULL, NULL)
#3 /var/www/owncloud/lib/private/AppFramework/Http/Dispatcher.php(85): OC\AppFramework\Http\Dispatcher->executeController(Object(OCA\Files\Controller\ViewController), 'index')
#4 /var/www/owncloud/lib/private/AppFramework/App.php(100): OC\AppFramework\Http\Dispatcher->dispatch(Object(OCA\Files\Controller\ViewController), 'index')
#5 /var/www/owncloud/lib/private/AppFramework/Routing/RouteActionHandler.php(46): OC\AppFramework\App::main('ViewController', 'index', Object(OC\AppFramework\DependencyInjection\DIContainer), Array)
#6 /var/www/owncloud/lib/private/Route/Router.php(342): OC\AppFramework\Routing\RouteActionHandler->__invoke(Array)
#7 /var/www/owncloud/lib/base.php(909): OC\Route\Router->match('/apps/files/')
#8 /var/www/owncloud/index.php(54): OC::handleRequest()
#9 {main}

Browser log
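The "Internal Server Error" page only shows a request ID; the matching entry then has to be dug out of owncloud.log by that ID. The script below is an added example (not ownCloud code and not part of the original post): it parses the JSON-lines log, pulls every entry for a given reqId, and decodes the "Exception: {...}" payload ownCloud puts in the message field into exception class, origin file and line, and trace frames. The sample log it contains is constructed for the example (the request ID, timestamp, address and user name are invented; the exception mirrors the trace quoted above). The script name find_request.py in the usage comment is an assumption; the log path in the note after the block is the logfile value from the config above.

```python
# Added example (not ownCloud code): find the owncloud.log entries for the
# request id printed on an "Internal Server Error" page and decode the
# "Exception: {...}" payload ownCloud stores in the message field.
import json
import sys
from typing import Dict, List, Optional

# --- constructed sample log, not from the thread's server ---------------------
# The exception mirrors the trace quoted above; id, time, address and user
# name are invented for this example.
REQ_ID = "XkQ1b2c3d4e5f6g7h8i9"
_EXCEPTION = {
    "Exception": "OCP\\Files\\NotFoundException", "Message": "", "Code": 0,
    "Trace": "\n".join([
        "#0 /var/www/owncloud/apps/files/lib/Controller/ViewController.php(134): "
        "OC_Helper::getStorageInfo('/', false)",
        "#1 /var/www/owncloud/apps/files/lib/Controller/ViewController.php(205): "
        "OCA\\Files\\Controller\\ViewController->getStorageInfo()",
        "#2 {main}",
    ]),
    "File": "/var/www/owncloud/lib/private/legacy/helper.php", "Line": 585,
}


def _entry(req_id: str, level: int, app: str, message: str) -> str:
    """Serialise one line the way ownCloud's JSON logger does."""
    return json.dumps({"reqId": req_id, "level": level,
                       "time": "2019-03-01T10:01:12+00:00", "remoteAddr": "10.0.0.5",
                       "user": "jdoe", "app": app, "method": "GET",
                       "url": "/owncloud/index.php/apps/files/", "message": message})


SAMPLE_LOG = "\n".join([
    _entry("aaaaaaaaaaaaaaaaaaaa", 2, "core", "constructed warning line"),
    _entry(REQ_ID, 3, "index", "Exception: " + json.dumps(_EXCEPTION)),
    '{"reqId":"torn line, e.g. cut by log rotation',  # must be skipped, not fatal
]) + "\n"


def parse_log(text: str) -> List[Dict]:
    """Parse JSON lines; skip lines that are not complete JSON objects."""
    entries: List[Dict] = []
    for raw in text.splitlines():
        try:
            obj = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            entries.append(obj)
    return entries


def find_request(entries: List[Dict], req_id: str) -> List[Dict]:
    """Every entry written while handling the request with this id."""
    return [e for e in entries if e.get("reqId") == req_id]


def parse_exception(message: str) -> Optional[Dict]:
    """Decode 'Exception: {json}'; None if the message is not an exception."""
    prefix = "Exception: "
    if not message.startswith(prefix):
        return None
    try:
        exc = json.loads(message[len(prefix):])
    except json.JSONDecodeError:
        return None
    return {"exception": exc.get("Exception", ""), "message": exc.get("Message", ""),
            "file": exc.get("File", ""), "line": exc.get("Line"),
            "frames": [f for f in exc.get("Trace", "").split("\n") if f]}


def summarize(entry: Dict) -> str:
    """Readable summary: request line, then exception class, origin and frames."""
    head = (f"{entry.get('time')} user={entry.get('user')} app={entry.get('app')} "
            f"level={entry.get('level')} {entry.get('method')} {entry.get('url')}")
    exc = parse_exception(str(entry.get("message", "")))
    if exc is None:
        return f"{head}\n  {entry.get('message', '')}"
    lines = [head, f"  {exc['exception']} at {exc['file']}:{exc['line']}"]
    lines.extend("  " + f for f in exc["frames"])
    return "\n".join(lines)


def main(argv: List[str]) -> int:
    if len(argv) == 3:                      # python3 find_request.py <owncloud.log> <reqId>
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text, req_id = fh.read(), argv[2]
    else:                                   # no arguments: run on the constructed sample
        text, req_id = SAMPLE_LOG, REQ_ID
    hits = find_request(parse_log(text), req_id)
    if not hits:
        print(f"no entries for reqId {req_id}")
        return 1
    for entry in hits:
        print(summarize(entry))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it prints the summary of the constructed sample; on the appliance, `python3 find_request.py /var/lib/univention-appcenter/apps/owncloud/data/files/owncloud.log <reqId>` reads the real log (the data directory is normally readable only by the web server user). Unparsable lines are skipped rather than treated as fatal, because a line torn by log rotation would otherwise abort the search before it reaches the entry you are looking for.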


#2

Have you forgotten to fill this out or are you not using one?


#3

I’m not using an external storage.


#4

Due to another thing I'm working on at the moment, I used this occ command:

occ files:checksums:verify

After the completion of this command I was able to log in again. Is this a coincidence?

I’ll try to reproduce this soon.


#5

I tried to reproduce the "solution" by using the "occ files:checksums:verify" command, but before that even the File Firewall rule itself didn't work. The user could log in as normal. Very confusing.


#6

So now I reproduced and analyzed the bug and I’d like to share the result:

  1. Create a new user in the Active Directory of the Univention Corporate Server.
  2. Log into ownCloud as admin and add the newly created user to the group that is affected by the File Firewall rule, so that the user shouldn't be able to log in.
  3. Try to log in as the user and see that the File Firewall rule works.
  4. Remove the user from the affected group and try to log in again: login isn't possible and it shows an internal server error message like the one I mentioned in the first post.
  5. Execute the following command: occ files:checksums:verify
  6. Login is now successful.
  7. Add the user to the affected group again; the login should not be possible again, but instead the user can log in just as normal.
  8. Now, if you add another user to that group, one that has already been created but hasn't logged into the cloud yet, the rule works. If you then remove the user from that group, he can log in again without an internal server error.

Because of that I have two conclusions as my result:

  1. The internal server error only occurs when a fresh user is created in the Active Directory of the Univention Corporate Server, then added to the group affected by the firewall rule, and then removed from that group again.

  2. As soon as the user has logged into the cloud once, the firewall rule no longer works for that user, even if he is added to the affected group again.

I think this could be a bug, because our configuration is nothing special and everything else just works fine.

I don’t know what I can further do.


#7

Hey,

If you think this is a bug, then I think you could report something like this to the ownCloud bug tracker.