Username 'meta' login problem #32547

Closed
phil-davis opened this issue Sep 3, 2018 · 13 comments
Labels
p3-medium Normal priority Type:Bug
@phil-davis
Contributor

phil-davis commented Sep 3, 2018

Steps to reproduce

  1. Create a user named meta
  2. Try to login on the webUI as user meta

Expected behaviour

Normal login, skeleton files displayed.

Actual behaviour

"Internal server error"

Note: I added some error_log() calls to the various newFolder() methods to see which one is being called and the value of $path

[Mon Sep  3 08:24:35 2018] PDD: AbstractFolder newFolder /files
[Mon Sep  3 08:24:35 2018] Exception: {"Exception":"OCP\\Files\\NotPermittedException","Message":"","Code":0,"Trace":"#0 \/home\/phil\/git\/owncloud\/core\/lib\/private\/Files\/Node\/Root.php(370): OC\\Files\\Node\\AbstractFolder->newFolder('\/files')\n#1 \/home\/phil\/git\/owncloud\/core\/lib\/private\/Server.php(1030): OC\\Files\\Node\\Root->getUserFolder('meta')\n#2 \/home\/phil\/git\/owncloud\/core\/lib\/private\/User\/Session.php(444): OC\\Server->getUserFolder('meta')\n#3 \/home\/phil\/git\/owncloud\/core\/lib\/private\/User\/Session.php(532): OC\\User\\Session->prepareUserLogin(true)\n#4 \/home\/phil\/git\/owncloud\/core\/lib\/private\/User\/Session.php(332): OC\\User\\Session->loginWithPassword(*** sensitive parameters replaced ***)\n#5 \/home\/phil\/git\/owncloud\/core\/core\/Controller\/LoginController.php(203): OC\\User\\Session->login(*** sensitive parameters replaced ***)\n#6 \/home\/phil\/git\/owncloud\/core\/lib\/private\/AppFramework\/Http\/Dispatcher.php(153): OC\\Core\\Controller\\LoginController->tryLogin(*** sensitive parameters replaced ***)\n#7 \/home\/phil\/git\/owncloud\/core\/lib\/private\/AppFramework\/Http\/Dispatcher.php(85): OC\\AppFramework\\Http\\Dispatcher->executeController(Object(OC\\Core\\Controller\\LoginController), 'tryLogin')\n#8 \/home\/phil\/git\/owncloud\/core\/lib\/private\/AppFramework\/App.php(100): OC\\AppFramework\\Http\\Dispatcher->dispatch(Object(OC\\Core\\Controller\\LoginController), 'tryLogin')\n#9 \/home\/phil\/git\/owncloud\/core\/lib\/private\/AppFramework\/Routing\/RouteActionHandler.php(47): OC\\AppFramework\\App::main('LoginController', 'tryLogin', Object(OC\\AppFramework\\DependencyInjection\\DIContainer), Array)\n#10 \/home\/phil\/git\/owncloud\/core\/lib\/private\/Route\/Router.php(342): OC\\AppFramework\\Routing\\RouteActionHandler->__invoke(Array)\n#11 \/home\/phil\/git\/owncloud\/core\/lib\/base.php(907): OC\\Route\\Router->match('\/login')\n#12 \/home\/phil\/git\/owncloud\/core\/index.php(54): 
OC::handleRequest()\n#13 {main}","File":"\/home\/phil\/git\/owncloud\/core\/lib\/private\/Files\/Node\/AbstractFolder.php","Line":82}

Server configuration

Operating system:
Ubuntu 18.04
Web server:
PHP dev server

Database:
mySQL

PHP version:
7.1.20

ownCloud version: (see ownCloud admin page)
Current core master from git

@phil-davis
Contributor Author

phil-davis commented Sep 3, 2018

When logging in as another ordinary username like meta1 my error_log() shows:

[Mon Sep  3 08:30:05 2018] PDD: Folder newFolder /files
[Mon Sep  3 08:30:05 2018] PDD: Folder newFolder simple-folder
[Mon Sep  3 08:30:06 2018] PDD: Folder newFolder simple-empty-folder
[Mon Sep  3 08:30:08 2018] PDD: Folder newFolder strängé नेपाली folder
[Mon Sep  3 08:30:10 2018] PDD: Folder newFolder simple-empty-folder
[Mon Sep  3 08:30:11 2018] PDD: Folder newFolder simple-empty-folder
[Mon Sep  3 08:30:11 2018] PDD: Folder newFolder 'single'quotes
[Mon Sep  3 08:30:11 2018] PDD: Folder newFolder simple-empty-folder
[Mon Sep  3 08:30:12 2018] PDD: Folder newFolder strängé नेपाली folder empty
[Mon Sep  3 08:30:12 2018] PDD: Folder newFolder simple-empty-folder
[Mon Sep  3 08:30:12 2018] PDD: Folder newFolder folder with space
[Mon Sep  3 08:30:13 2018] PDD: Folder newFolder simple-empty-folder
[Mon Sep  3 08:30:15 2018] PDD: Folder newFolder 0

The code is finding the newFolder() method in lib/private/Files/Node/Folder.php and it happily creates the /files folder followed by each of the folders in my skeleton.

But when the username is meta it somehow ends up in lib/private/Files/Node/AbstractFolder.php and all that knows is to throw new NotPermittedException()

@phil-davis
Contributor Author

See initial user report in comment #29207 (comment)

@ownclouders
Contributor

GitMate.io thinks the contributor most likely able to help you is @PVince81.

Possibly related issues are #18565 (Securing login), #16431 (Recover login password), #27742 (Login Problem after upgrading), #3422 (Any login will work), and #16764 (Owncloud login problem).

@PVince81 PVince81 added Type:Bug p3-medium Normal priority labels Sep 4, 2018
@PVince81 PVince81 added this to the backlog milestone Sep 4, 2018
@PVince81
Contributor

PVince81 commented Sep 4, 2018

"meta" is now used in the node API to access versions and other things.

we need to:

  • update documentation to mention reserved user names ("avatars" is also one of them on another level)
  • fix user manager and account manager to disallow/skip such users

@DeepDiver1975 FYI

@bojanpog

bojanpog commented Oct 6, 2018

Hello!

I've spent 8 hours resolving this "meta" problem after 9.1.8 -> 10.0.10.4 upgrade

"meta" is my main user, admin and shares a ton of separate folders to other 30 users.

What are my options? Why don't you make an upgrade script that auto renames "meta" username to something else?

Is it also possible that you don't make "meta" a reserved username?

Thanks, Bojan

@phil-davis
Contributor Author

phil-davis commented Oct 6, 2018

Note: I'm sure there is another issue about other user names that do not work and should be prevented. But I am having trouble finding it right now.

User avatars

~/git/owncloud/core$ ls -l data/avatars/
total 100
drwxr-xr-x 3 phil phil 4096 Sep 15 20:19 21
drwxr-xr-x 3 phil phil 4096 Sep 15 21:03 24
drwxr-xr-x 3 phil phil 4096 Sep 28 18:50 25
drwxr-xr-x 3 phil phil 4096 Sep 15 20:56 3d
drwxr-xr-x 3 phil phil 4096 Oct  2 06:02 45
drwxr-xr-x 3 phil phil 4096 Sep 28 18:51 47
drwxr-xr-x 3 phil phil 4096 Sep 23 20:35 61
drwxr-xr-x 3 phil phil 4096 Oct  2 18:54 63
drwxr-xr-x 3 phil phil 4096 Sep 29 17:33 64
drwxr-xr-x 3 phil phil 4096 Oct  3 18:53 65
drwxr-xr-x 3 phil phil 4096 Sep 29 14:59 75
drwxr-xr-x 3 phil phil 4096 Sep 25 02:08 7e
drwxr-xr-x 3 phil phil 4096 Sep 25 02:09 92
drwxr-xr-x 3 phil phil 4096 Sep 25 02:01 ab
drwxr-xr-x 3 phil phil 4096 Oct  6 06:38 ae
drwxr-xr-x 3 phil phil 4096 Oct  2 06:02 c8
drwxr-xr-x 2 phil phil 4096 Oct  6 06:38 cache
drwxr-xr-x 3 phil phil 4096 Sep 28 18:50 d1
drwxr-xr-x 3 phil phil 4096 Sep 28 18:50 d6
drwxr-xr-x 3 phil phil 4096 Sep 27 21:46 f0
drwxr-xr-x 3 phil phil 4096 Sep 23 09:31 f3
drwxr-xr-x 3 phil phil 4096 Sep 27 21:51 f5
drwxr-xr-x 3 phil phil 4096 Sep 28 18:50 fe
drwxr-xr-x 9 phil phil 4096 Oct  6 06:38 files
drwxr-xr-x 2 phil phil 4096 Oct  6 06:38 files_zsync

It does not crash right away, but something bad is going to happen with the avatars user files folder(s) mixed in with the folders that store the avatars.

files_external looks like another one that would not be a good username - there is a files_external folder already in the data dir.

These ones are a problem because the storage of user's files sits in the same data folder as some other meta-data folders that store system-wide stuff. The user data folders should be a level lower, so that the username namespace is not polluted by these other meta-data folder names.

@bojanpog

bojanpog commented Oct 6, 2018

I think it is very dangerous to use such common usernames for "system operations", especially blocking them in version 10. If it were version <=1.0, the problem wouldn't be great.

I suggest renaming for example "meta" to "oc_api_metadata" and block creating new usernames starting with "oc_..". I am quite sure no username collisions would occur in the future.

BR, Bojan

@PVince81
Contributor

PVince81 commented Oct 8, 2018

in general my suggestion would be to change the internal VFS and also the structure of the home folder to properly separate user data. Currently it's a legacy mess #18029.

and then have all the meta, avatars, etc stuff also in an own folder. this way there wouldn't be any conflicts.

so the homes would become "/users/vincent/files/..." instead of "/vincent/files".
and metadata would be "/metadata/meta/..." instead of "/meta"
and avatars would be "/metadata/avatars/..." instead of "/avatars"

@DeepDiver1975 @butonic

@butonic
Member

butonic commented Oct 8, 2018

Everything should be an app. What about /<appname>/<userid>? files becomes /files/vincent. How stuff is organized underneath is up to the app.

@bojanpog

bojanpog commented Feb 5, 2019

Hello!

So, what is the best solution to solve this "meta" username problem?

  • create new user
  • migrate files with transfer-ownership command

Questions:

  • is it possible to avoid copying files to new username and duplicate disk usage, because meta user has a lot of files?

  • in new user, all files are transferred to new folder: [transfered-date..]. How can I then move those files to root folder?

  • old "meta" user has a lot of sharings made to other users. Will all sharings be kept with command transfer-ownership?

@Mayeu

Mayeu commented Jun 22, 2019

Following my comment on #18029 I have changed my LDAP configuration to use the UUID instead of the username as the home folder, but the issue actually remains.

It seems to be not only a path issue then, but maybe it also requires that the user_id not clash with those special folders?

If I go in the DB I see that my user has a UUID for his home:

MariaDB [nin-aurora-nothing-ch]> select home from oc_accounts where user_id='meta';
+----------------------------------------------------+
| home                                               |
+----------------------------------------------------+
| /mnt/owncloud/78a1e5d4-1834-11e7-a2b8-ce771b3d813f |
+----------------------------------------------------+
1 row in set (0.00 sec)

But when connecting I have the same issue as before:

{"reqId":"yT6CIPmMX7wXXyrw87KK","level":3,"time":"2019-06-22T05:14:52+00:00","remoteAddr":"192.168.10.2","user":"meta","app":"index","method":"POST","url":"\/index.php\/login","m
essage":"Exception: {\"Exception\":\"OCP\\\\Files\\\\NotPermittedException\",\"Message\":\"\",\"Code\":0,\"Trace\":\"#0 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/Files\\\/N
ode\\\/Root.php(370): OC\\\\Files\\\\Node\\\\AbstractFolder->newFolder('\\\/files')\\n#1 \\\/var\\\/www\\\/owncloud\\\/lib\\\/private\\\/Server.php(1032): OC\\\\Files\\\\Node\\\\
Root->getUserFolder('meta')...

@phil-davis
Contributor Author

phil-davis commented Apr 16, 2020

Do not create user names:

avatars
files_external (see issue #37267 )
files_encryption (see issue #37267 )
meta

and?

@phil-davis
Contributor Author

phil-davis commented May 5, 2020

PR #37268 has been merged. It prevents creating any of these "special" user names. That should be released in 10.5.0

If you find other "special" user names that should be banned, then please open an issue and they can easily be added to the list.
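
The namespace collision discussed in this thread, as an added example (not ownCloud code and not written by any participant): a Python model that compares the shared data-directory layout with the `/users/...` and `/metadata/...` layout proposed above, and applies a creation-time denylist. The reserved names are the ones listed in the thread; the function names, the sample accounts and the case-folded comparison are assumptions of this example.

```python
from pathlib import PurePosixPath

# Reserved names exactly as listed in this thread; extend as new ones are found.
RESERVED_NAMES = frozenset({"avatars", "files_external", "files_encryption", "meta"})


def legacy_paths(user_ids):
    """Shared-root layout described in the thread: /<uid> beside /meta, /avatars."""
    users = {uid: PurePosixPath("/") / uid for uid in user_ids}
    system = {name: PurePosixPath("/") / name for name in RESERVED_NAMES}
    return users, system


def separated_paths(user_ids):
    """Layout proposed in the thread: /users/<uid> and /metadata/<name>."""
    users = {uid: PurePosixPath("/users") / uid for uid in user_ids}
    system = {name: PurePosixPath("/metadata") / name for name in RESERVED_NAMES}
    return users, system


def _fold(path):
    # Case-folded comparison is a conservative assumption made for this example
    # (case-insensitive filesystems); it is not stated in the thread.
    return PurePosixPath(str(path).casefold())


def colliding_users(users, system):
    """Return user IDs whose home equals, or nests with, a system folder."""
    hits = []
    for uid, home in users.items():
        h = _fold(home)
        for sys_path in system.values():
            s = _fold(sys_path)
            if h == s or s in h.parents or h in s.parents:
                hits.append(uid)
                break
    return sorted(hits)


def check_new_user_id(uid):
    """Creation-time denylist check: refuse IDs that match a reserved name."""
    if uid.casefold() in RESERVED_NAMES:
        raise ValueError(f"user ID {uid!r} is reserved")
    return uid


# Constructed sample accounts, not taken from any real installation.
SAMPLE_USERS = ["meta", "meta1", "vincent", "Avatars", "files_external"]
```

Running `colliding_users(*legacy_paths(ids))` over an export of existing user IDs lists the accounts that would need renaming before an upgrade; the same call with `separated_paths` returns an empty list because user homes and system folders no longer share a parent.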
