
better permission control for external storage (maybe bug) #25965

Closed
t1nux opened this issue Mar 5, 2021 · 3 comments
Labels: 0. Needs triage (Pending check for reproducibility or if it fits our roadmap), enhancement (Nice to have)

Comments


t1nux commented Mar 5, 2021

my scenario
I have a local directory exposed in NC21 as external storage. It is a normal filesystem (BTRFS) which can get pretty busy, meaning that other processes and users read and write there too. Let us say one of those other users is labsync. I want to make the data available (read and write) to NC as external storage. This works.
However, I also would like to be able to add data with NC, i.e. as the user nextcloud, that can be fully edited using labsync. This does not seem possible without having to write, for instance, a cron job that takes care of permissions.

default permissions
For demonstration, I created a file asdf.md and a directory asdf in the NC webUI.

The default file creation permission on the external storage from NC seems to be rw for both user and group. With some appropriate access control for labsync (here setfacl -R -d -m u:labsync:rwX -m g:labsync:rwX), I get this

> getfacl asdf.md 
# file: asdf.md
# owner: nextcloud
# group: nextcloud
user::rw-
user:labsync:rwx		#effective:rw-
group::rwx			#effective:rw-
group:labsync:rwx		#effective:rw-
mask::rw-
other::---

which can be fully accessed by labsync.

However the defaults for directories seem to be rwx and r-x for user and group, respectively (and r-x for others), which results in

> getfacl asdf   
# file: asdf
# owner: nextcloud
# group: nextcloud
user::rwx
user:labsync:rwx		#effective:r-x
group::rwx			#effective:r-x
group:labsync:rwx		#effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:labsync:rwx
default:group::rwx
default:group:labsync:rwx
default:mask::rwx
default:other::---

This means labsync cannot change or delete directories because of the mask that NC is using.

I tried to change umask to 0002 for my php-fpm service which did not change the above permission. I thought this was weird, therefore the "(maybe bug)".

However, doing the following actually gives me the correct directory permissions (for labsync, ie. full access):

> sudo -u nextcloud mkdir asdf2
> getfacl asdf2
# file: asdf2
# owner: nextcloud
# group: nextcloud
user::rwx
user:labsync:rwx
group::rwx
group:labsync:rwx
mask::rwx
other::---
default:user::rwx
default:user:labsync:rwx
default:group::rwx
default:group:labsync:rwx
default:mask::rwx
default:other::---

conclusion
I wish it were possible to set the mask for external storage with a bit more control, if not at all. Right now, I do not see how to correct this issue (without a cron job) or where the permissions are actually set. Another interesting thing is that the permissions of personal files, i.e. not in external storage, differ from the above for files, where they are -rw-r--r--.

t1nux added the "0. Needs triage (Pending check for reproducibility or if it fits our roadmap)" and "enhancement" labels on Mar 5, 2021

szaimen (Contributor)

szaimen commented Jun 25, 2021

While this sounds like a nice feature, the requests for this are quite low. Currently there are no plans to implement such a feature. Thus I will close this ticket for now. This does not mean we don't want this feature, but it is simply not on our roadmap for the near future. If somebody wants to implement this feature nevertheless, we are happy to assist and help out. If you wish to have this feature implemented by the Nextcloud GmbH, there is the option of consulting work on top of your Nextcloud Enterprise subscription to get your features implemented.


romlaum commented Sep 26, 2021

Hello

Same problem here, solved by editing nextcloud/lib/private/Files/Storage/Local.php. Search for this:

chmod($sourcePath, 0755);

and change it to 0775 or any other needed setting.

@tjwood100

See also my bug #29041. This didn't use to be an issue in older versions of Nextcloud; the chmod mentioned above was introduced within the past 12 months and it's not really clear from the commit messages why.
