All apps do not start after update (permission denied)

mavori · May 18, 2025, 12:49am

What type of hardware are you using: VPS bought online
What YunoHost version are you running: 12.0.16
How are you able to access your server: SSH
Are you in a special context or did you perform specific tweaking on your YunoHost instance ?: no

Describe your issue

Upgraded today the system. After this, the services of the installed apps does not start anymore. Log shows Permission denied., same for all apps: forgejo, hedgedoc, minetest, open-web-calendar, wekan
All apps in /var/www have www-data as user and group
I post this here and not in app, as it is a general problem after update of base system

Share relevant logs or error messages

Changing to the requested working directory failed: Permission denied
forgejo.service: Failed at step CHDIR spawning /var/www/forgejo/forgejo: Permission
hastebin

wekan.service: Changing to the requested working directory failed: Permission denied
wekan.service: Failed at step CHDIR spawning /opt/node_n/n/versions/node/14/bin/node: Permission denied

jarod5001 · May 18, 2025, 11:05am

Did you chown your www folder?
Some apps have $app:$app ownership.

mavori · May 18, 2025, 12:38pm

Actually, all apps have www-data as owner and as group. I did just run the first the system update, after this the update of the apps. This resulted from the update.

jarod5001 · May 18, 2025, 3:33pm

You’ll have to check the package repo for every app you have to know which is the right ownership to set.
For example forgejo :

github.com/YunoHost-Apps/forgejo_ynh

scripts/install

9cd976884


      
          ynh_script_progression "Setting up source files..."
          
          ynh_setup_source --dest_dir="$install_dir"
          
          xz -d "$install_dir/forgejo.xz"
          chmod +x "$install_dir/forgejo"
          
          mkdir -p "$install_dir/custom/conf" "$install_dir/.ssh"
          
          chmod -R o-rwx "$install_dir/custom"
          chown -R "$app:$app" "$install_dir/custom"
          
          #=================================================
          # KEYS GENERATION
          #=================================================
          
          secret_key=$("$install_dir/forgejo" generate secret SECRET_KEY)
          lfs_jwt_secret=$("$install_dir/forgejo" generate secret JWT_SECRET)
          internal_token=$("$install_dir/forgejo" generate secret INTERNAL_TOKEN)
          oauth2_jwt_secret=$("$install_dir/forgejo" generate secret JWT_SECRET)
          ynh_app_setting_set --key=secret_key --value="$secret_key"

chown -R "$app:$app".

mavori · May 18, 2025, 5:05pm

I changed owner/user of forgejo into forgejo:

drwxrwx---+ 3 forgejo forgejo      4096 12 mars  15:38 custom
-rwxrwx---+ 1 forgejo forgejo 109815496  2 mai   19:10 forgejo

But starting the service, I have still the same error:

forgejo.service: Changing to the requested working directory failed: Permission denied
forgejo.service: Failed at step CHDIR spawning /var/www/forgejo/forgejo: Permission denied

/home/yunohost.app/forgejo is on forgejo:forgejo as well

mavori · May 18, 2025, 10:31pm

Tried to reinstall webcalendar, as update has deleted the app.
https://paste.yunohost.org/raw/odejoguwam
Friend having his own yunohost checked my system, said, that there is a problem with ACL records for /var/www. Oh, web interface runs, but klick on Groups and permissions hangs

otm33 · May 18, 2025, 10:51pm

Hi @mavori

…yes:
drwxrwx—+ 3 forgejo forgejo 4096 12 mars 15:38 custom
-rwxrwx—+ 1 forgejo forgejo 109815496 2 mai 19:10 forgejo

What’s the output of getfacl /var/www/forgejo ?

mavori · May 18, 2025, 11:12pm

file: var/www/forgejo
owner: forgejo
group: forgejo
user::rwx
user:forgejo:rwx
user:yunomavori:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:forgejo:rwx
default:user:yunomavori:rwx
default:group::r-x
default:mask::rwx

To add: VPS hoster has changed IP few days ago and said, “they had to reorganize the system” – but no idea, what they did. It’s a VPS with preconfigured Yunohost

otm33 · May 19, 2025, 8:30am

Bonjour,

Est-ce que tu as une quelconque erreur ou warning dans les logs de l’upgrade ? Que toutes les apps du dossiers /var/www appartiennent à www-data après la mise à jour est le signe que qqch ne s’est pas bien passé.

Pour forgejo, les droits ont l’air correctement rétablis mais quelque chose bloque encore: soit ce sont les permissions sur /var/www, soit c’est autre chose.
Regarde ce que dit namei -l /var/www/forgejo/*, getfacl /var/www et essaie un démarrage à la main avec l’tulisateur forgejo sudo -u forgejo /var/www/forgejo/forgejoet regarde si c’est bien lui qui est censé exécuter le service: sudo systemctl cat forgejo.service.

mavori · May 19, 2025, 9:55am

f: /var/www/forgejo/custom
drwxr-xr-x root    root    /
drwxr-xr-x root    root    var
drwxrwx--- root    root    www
drwxrwx--- forgejo forgejo forgejo
drwxrwx--- forgejo forgejo custom
f: /var/www/forgejo/forgejo
drwxr-xr-x root    root    /
drwxr-xr-x root    root    var
drwxrwx--- root    root    www
drwxrwx--- forgejo forgejo forgejo
-rwxrwx--- forgejo forgejo forgejo

# file: var/www
# owner: root
# group: root
user::rwx
user:www-data:rwx
user:yunomavori:rwx
group::r-x
group:www-data:rwx
group:all_users:---
mask::rwx
other::---

Démarrage à la main avec l’utilisateur forgejo donne:

forgejo n'est pas autorisé à exécuter sudo sur mavori.

otm33 · May 19, 2025, 10:46am

Es-tu en root?

Pour le reste, essaie ceci:
-droits 755 sur le dossier /var/www (sans récursivité) et sur le dossier /var/www/forgejo avec récursivité et essaie de démarrer le service. Ça doit venir de là : le répertoire /var/www n’est pas accessible aux autres.

mavori · May 19, 2025, 11:05am

Halleluja. after setting the rights as you said, service started. So, I have to do the same for the other apps I suppose.

otm33 · May 19, 2025, 11:21am

Yes. I think that 750 rights might be enough for the apps. Check fisrt their rights : may be it’s not worth changing them.

mavori · May 19, 2025, 1:19pm

Hedgedoc, Wekan and Minetest runs as well. THANKS A LOT.

system · June 18, 2025, 1:20pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.