Permissions on Owncloud data folder keep reverting

somethingcorporate · June 30, 2020, 3:50pm

The big question and TLDR: What is changing the permissions on my owncloud_data folder and how can I keep those permissions from changing?
I do not think this is a “bug” but rather just a setting I am unaware of. I believe I have provided the necessary information below. Thank you in advance

Background:
My organization would like to leverage Symantec DLP to ensure no sensitive information is being stored and shared within our Owncloud data. Our proposed way of accomplishing this is to setup a NFS share from the Linux gluster server and mount it on the Windows Symantec DLP machine. The owncloud data folder is on a mount point aka /mnt/OwnCloud_Data
On the Gluster server the current permissions of the Owncloud data folder are 770 and the ownership is user 48 group 48.
If I change the permissions on the folder to 775 (yes, I know this is relatively insecure but absolutely no one has access to the gluster server except administrators) I can successfully mount the folder and view the contents in windows. Keeping in mind that access to the NFS share is restricted to explicitly defined IP addresses.
My issue is the permissions on the Owncloud data folder keep automatically reverting back to 770, which breaks the ability to view the files and I am unsure why the permissions are reverting.

Additional information:
Owncloud 10.2.0
RHEL 7.1
Windows 10 NFS client
Gluster server and Apache (WWW) server are separate. No user with UID or GUID 48 exists on Gluster server but this matches the UID and GUID of the apache user on the WWW server which has ownership of these files. These servers are in production and I do not have a lower environment to test on and am wary of changing any of the ownership or adding new users/groups. I would rather expand permissions to Other than modify any of the existing User/Group.
I have attempted to do things such as change the anonymousUID/GUID in my windows registry to be “48” but that did not allow me to view the files.

eneubauer · July 3, 2020, 7:09am

Are you writing with Windows into the NFS backend? Perhaps that’s what’s changing the permissions?
ownCloud itself is only able to write with the Apache server user / group permissions.
So it needs to be something in your infrastructure that does it, or e.g. wrong NFS configuration ([u/g]id mapping?)

somethingcorporate · July 8, 2020, 4:58pm

I found this wasn’t an issue related to owncloud. There was cronjob that I thought was related to apache/owncloud but was related to my root users instead. This root run cronjob was performing an action which changed the permissions in the process.

Hello, Thanks for the reply.
We are NOT writing with NFS on the backend. I can mount a “test” folder just fine and permissions don’t change and all functions properly. It is only with this specific folder that I have issues. I tried mapping the U/GID in windows to the 48 that the gluster sees/ 48 is the number of apache. This did not work.

Noticing the connection between the permissions on the Gluster file system servers and the Owncloud WWW web servers. I have started looking at the WWW server. The WWW server has the data folder /storage. I have noticed that the permissions are 770 here, and if I switch them to 775 they change themselves back, exactly as it happens on the Gluster servers.

Using the command below
auditctl -w /storage -p a
I can log messages to my audit.log to tell me what is changing the permissions on the /storage folder

Apache was running cron.php in a cronjob, but my issue was a separate unrelated cronjob run by root.
So! Thanks!