Sysadministrivia

Linux, Lagers, and Late Nights

This is Why Lying is Bad, Jthan

Posted
Modified
Comments 0

Jthan was trying to figure out where Nextcloud stores its private keys for encrypting files.

I ask him a question during debugging, he lies (“accidentally”); I confirm with him, he lies again.

As a result, an ensuing wild goose chase and 55 minutes of my life wasted.

[12:21 AM] jthan: I hate shit that isn't transparent about encryption
[12:22 AM] jthan: Like I cannot for the life of me
[12:22 AM] jthan: figure out how nextcloud encrypts files
[12:23 AM] jthan: and furthermore
[12:23 AM] jthan: I can't figure out how the fuck I would recover them if nextcloud shit itself
[12:49 AM] jthan: https://[REDACTED]
[12:49 AM] jthan: can you click that and download it?
[1:15 AM] r00t^2: https://nextcloud.com/blog/encryption-in-nextcloud/
https://nextcloud.com/encryption/
https://docs.nextcloud.com/server/latest/admin_manual/configuration_files/encryption_details.html
[1:16 AM] r00t^2: last one has tech details (docs... link)
[1:16 AM] jthan: Yeah I've read them, but...
[1:16 AM] jthan: It still isn't clear where the key is stored to backup
[1:16 AM] r00t^2: RSA keypairs with AES-256-CTR algo/cipher
[1:17 AM] r00t^2: there is literally a section
[1:17 AM] r00t^2: on that same page
[1:17 AM] r00t^2: titled "File locations"
[1:17 AM] r00t^2: i thought jthan not reading docs was a meme
[1:18 AM] paden: It's never a meme.
[1:18 AM] jthan: Yeah, so...
[1:18 AM] jthan: I agree
[1:18 AM] jthan: But I have no files with those names on my system
[1:18 AM] r00t^2: and before you complain,

                  | These conventions apply throughout this document:
                  | Given file paths in this document are relative to the Nextcloud data directory that can be retrieved as datadirectory from the config.php.
[1:19 AM] jthan: I have a weird secret key in my config.php and I'm wondering if that's all they're using to encrypt the files now
**[1:19 AM] r00t^2: `find / -type f -iname "*.publickey"`
[1:20 AM] jthan: Because also https://help.nextcloud.com/t/recover-encrypted-files-after-lost-config-php/73297
**[1:20 AM] jthan: Yeah. There's nothing.
[1:20 AM] r00t^2: that sounds like a *session* key
[1:20 AM] r00t^2: which is different
[1:20 AM] jthan: It's also possible they're in the database?
[1:20 AM] r00t^2: not according to the docs
[1:20 AM] jthan: I know. I read them
[1:21 AM] jthan: But I'm telling you.. I just ran your find. Nothing
[1:21 AM] jthan: I had checked myself with mlocate
[1:22 AM] jthan: I just wanna make sure I know how to recover. Like could I stand up a docker version and add my external storage and get my shit back
[1:22 AM] jthan: That's all I care about
[1:23 AM] r00t^2: is your Nc stored on a mounted datadirectory or is it on / disk
[1:23 AM] jthan: It's on /, but my user's storage is actually s3 backed
[1:23 AM] jthan: I did verify the files in s3 are definitely encrypted. Can't read them worth shit
[1:23 AM] r00t^2: mlocate will be disappointing 99/100 times. it's fast but severely limited.
[1:24 AM] jthan: Oh. That's why you ask
[1:24 AM] jthan: I see
[1:24 AM] jthan: Yeah it has its place
[1:25 AM] r00t^2: but yeah, use find, not *locate tools
**[1:25 AM] r00t^2: and you copy-pasted the find i gave, right?
**[1:25 AM] jthan: Yeah. Literally no results
[1:26 AM] jthan: I read the same doc and was like 'oh okay so just backup those keys and life is good' but apparently not
[1:26 AM] r00t^2: what Nc version are you on
[1:27 AM] jthan: Uhhh... 21? Whatever latest is.
[1:27 AM] jthan: Installed from arch repos
[1:27 AM] r00t^2: okay. because there's a lot of caveats in those docs for >15
[1:27 AM] r00t^2: (that's for latest though)
[1:27 AM] jthan: Yeah. Their docs are a fucking mess imo
[1:27 AM] r00t^2: (which is probably 21 or..whatever)
[1:27 AM] jthan: I hate when they maintain 40 versions back
[1:28 AM] jthan: Like... Python does but maybe for better reason?
[1:28 AM] jthan: Who's still using nextcloud 15?
[1:28 AM] r00t^2: alright whatever. so did you enable encryption (iirc it's not enabled by default) and it's using the defaut method of the default encryption plugin, right?
[1:28 AM] r00t^2: (there are two `defaults` in that sentence, note)
[1:29 AM] jthan: Yup.
[1:29 AM] jthan: To both
[1:29 AM] r00t^2: what's your `datadirectory`?
[1:29 AM] jthan: Uhh... I'd have to check. I closed my laptop now. /usr/share/nextcloud I think. Or somewhere in there
[1:30 AM] r00t^2: `fgrep datadirectory <path/to/nc's>/config.php` will tell you
[1:31 AM] jthan: /var/lib/nextcloud/data apparently
[1:31 AM] r00t^2: makes a lot more sense than /usr/share
[1:32 AM] r00t^2: ls -la /var/lib/nextcloud/data
[1:33 AM] jthan: It's just the sample files
[1:33 AM] r00t^2: well there's your problem. presumably the user the Nc daemon, web app, whatever is running as doesn't have write perms
[1:34 AM] jthan: It's running as nextcloud
[1:34 AM] jthan: Also, why would that be indicative?
[1:34 AM] r00t^2: because it didn't write anything
[1:34 AM] r00t^2: i'd imagine it'd confirm in the logs
[1:35 AM] r00t^2: but you'd probably have to look near the very beginning of them unless it tries to init missing components on every start/login/whatever
[1:36 AM] jthan: The logs are clean... Pretty sure it'd only be putting things there if I uploaded files.
[1:36 AM] r00t^2: or it can't write to the logs either :upside_down:
[1:37 AM] jthan: It's logging
[1:37 AM] jthan: But no errors
[1:37 AM] r00t^2: does it drop privs to nextcloud or does it invoke as the user?
[1:37 AM] jthan: It invokes as the user a la uwsgi
[1:37 AM] r00t^2: okay. so also check the uwsgi logs and journalctl as well
[1:38 AM] r00t^2: but barring that, what is the actual output of that ls -la
[1:38 AM] jthan: Still it's encrypting the files.....
[1:38 AM] r00t^2: have you confirmed it's encrypting?
[1:38 AM] jthan: Yeah
[1:38 AM] r00t^2: or does it SAY it's encrypting?
[1:38 AM] jthan: I downloaded one outside of nextcloud
[1:38 AM] jthan: It's fucking gibberish
[1:39 AM] r00t^2: btw your firewall for port 443 on IPv4 is knackered, only IPv6 is open:
[bts@dawid tmp]$ curl -vIL "https://[REDACTED]"
*   Trying [REDACTED]:443...
* connect to [REDACTED] port 443 failed: No route to host
*   Trying [REDACTED]...
* Immediate connect fail for [REDACTED]: Network is unreachable
* Failed to connect to [REDACTED] port 443: No route to host
* Closing connection 0
curl: (7) Failed to connect to [REDACTED] port 443: No route to host
[1:39 AM] r00t^2: which is why i got that error on android
[1:39 AM] jthan: Ipv6 should be closed also
[1:40 AM] r00t^2: well, not sure since i don't have my ipv6 stack running locally :stuck_out_tongue:
[1:40 AM] r00t^2: but
[1:40 AM] jthan: Yeah. Turns out I didn't persist my firewall rules. Lol
[1:40 AM] r00t^2: why did you have me try that link if it's firewalled lol
[1:40 AM] jthan: Well... It wasn't
[1:40 AM] jthan: But I rebooted
[1:40 AM] r00t^2: hence the persist, i see
[1:40 AM] r00t^2: okay, so back to the matter at hand,
[1:41 AM] jthan: Yeah I need to sleep badly because I basically didn't last night.
[1:41 AM] r00t^2: what's this output
[1:41 AM] r00t^2: i know, i know, sample dirs
[1:41 AM] r00t^2: but i want to see what it actually has populated
[1:41 AM] jthan: Yeah, well, my laptop isn't here anymore.
[1:42 AM] r00t^2: how did you run the find?
[1:42 AM] jthan: I still had my laptop
[1:43 AM] r00t^2: how did your laptop disappear over the course of 24 minutes
[1:43 AM] r00t^2: anyways, i'd start with the permissions. that's why i want the `ls -la` - ownership/perms
[1:43 AM] jthan: Lol I closed it!
[1:44 AM] r00t^2: well, it's still THERE, then, it's just closed
[1:44 AM] r00t^2: anyways x2, it's possible the keys are somewhere else and i'd presume that's something in config.php
[1:45 AM] r00t^2: i'll see if i can install it and find where they are. how quick was it to install in arch?
[1:45 AM] r00t^2: and what package(s) did you install? (i.e. nextcloud, nextcloud-foo, etc.)
[1:46 AM] jthan: Extremely fast. Nextcloud, php, php-plugin-uwsgi, database of choice
[1:46 AM] jthan: I can just keep digging into it tomorrow. Or I may just stand up a second and see if the config alone is enough
[1:47 AM] jthan: You can probably just get a container
[1:47 AM] jthan: :-))))))))
[1:48 AM] r00t^2: well no, because people change the defaults in containers
[1:48 AM] r00t^2: (by necessity, quite often, since services won't start without it usually)
[1:48 AM] jthan: There's some weird shit though that's not documented in the arch wiki. Like the package includes a uwsgi conf. I didn't create one
[1:49 AM] r00t^2: eh, my arch test vm is knackered - the efi image is fucked. don't feel like fixing it; was hoping to do some more coding tonight. but maybe if i finish that early
[1:49 AM] jthan: Lol I'll figure it out tomorrow and write a full report
[1:49 AM] r00t^2: but i'd suspect it's using a default key that's autogenerated on install
[1:49 AM] jthan: Well that's fucking dumb
[1:50 AM] jthan: If there's no way to retrieve it
[1:50 AM] jthan: But that's why I think it's just the config file
[1:50 AM] r00t^2: i highly doubt that. this isn't vault. the Nc guys don't strike me as that thorough.
[1:53 AM] r00t^2: so the pkgbuild doesn't generate anything. occ might
[1:54 AM] jthan: Yeah it's definitely not the pkgbuild
[1:54 AM] jthan: But occ shouldn't because encryption is not the default
[1:55 AM] r00t^2: hrm
[1:55 AM] jthan: And you don't really get any feedback when you turn it on
[1:56 AM] r00t^2: you know,
[1:57 AM] r00t^2: i'm pretty sure the data dir is owned by root
[1:57 AM] r00t^2: i don't see a chown or a user-specified install in the PKGBUILD
[1:58 AM] r00t^2:
```
  # state dir for data and writable apps
  install -vdm 755 "${pkgdir}/var/lib/${pkgname}/"
  install -vdm 770 "${pkgdir}/var/lib/${pkgname}/data"
  install -vdm 755 "${pkgdir}/var/lib/${pkgname}/apps"
```
[1:58 AM] jthan: That would be absolutely fucked
[2:00 AM] r00t^2: AGREED
[2:00 AM] r00t^2: and yeah
[2:00 AM] r00t^2: i don't see anything that chowns, chrgrps, etc. those dirs
[2:00 AM] r00t^2: so
[2:00 AM] r00t^2: i'm calling it now
[2:01 AM] jthan: but
[2:01 AM] jthan:
[REDACTED]@[REDACTED]:~$ ssh [REDACTED]
Last login: Tue May  4 22:55:44 2021 from [REDACTED]
[[REDACTED]@[REDACTED] ~]$ sudo su - 
[sudo] password for [REDACTED]: 
[root@[REDACTED] ~]# ls -lart /var/lib/nextcloud/
total 16
drwxr-xr-x  2 nextcloud nextcloud 4096 Apr 22 01:41 apps
drwxr-xr-x  4 nextcloud nextcloud 4096 May  4 19:25 .
drwxr-xr-x 15 root      root      4096 May  4 21:35 ..
drwxrwx---  6 nextcloud nextcloud 4096 May  4 22:26 data
[2:01 AM] r00t^2: how... does it chown them
[2:01 AM] jthan: there's no way it wouldn't have complained at me already
[2:01 AM] r00t^2: because the pkgbuild ain't doing it
[2:02 AM] r00t^2: uhhhh
[2:02 AM] r00t^2: oh
[2:02 AM] r00t^2: it's... doing it via tmpfiles
[2:02 AM] r00t^2: which is immensely fucking fucked
[2:02 AM] r00t^2: https://github.com/archlinux/svntogit-community/blob/packages/nextcloud/trunk/nextcloud.tmpfiles#L8
[2:03 AM] jthan: ah shit
**[2:03 AM] jthan: I figured it out
[2:04 AM] r00t^2: uwsgi vassal not running as nextcloud?
[2:04 AM] jthan: no.
[2:04 AM] r00t^2: php not running as nextcloud?
**[2:04 AM] jthan: `-iname` vs `-name`
[2:04 AM] r00t^2: jthan
[2:04 AM] r00t^2: fucking
[2:04 AM] r00t^2: gorram
[2:04 AM] r00t^2: it
[2:04 AM] jthan: and it's called publicKey
[2:04 AM] jthan:
[root@[REDACTED] OC_DEFAULT_MODULE]# ls -lart
total 40
-rw-r--r-- 1 nextcloud nextcloud  2372 May  4 22:05 pubShare_[REDACTED].publicKey
-rw-r--r-- 1 nextcloud nextcloud 12228 May  4 22:05 pubShare_[REDACTED].privateKey
-rw-r--r-- 1 nextcloud nextcloud  2372 May  4 22:05 master_[REDACTED].publicKey
-rw-r--r-- 1 nextcloud nextcloud 12228 May  4 22:05 master_[REDACTED].privateKey
drwxr-xr-x 2 nextcloud nextcloud  4096 May  4 22:05 .
drwxr-xr-x 4 nextcloud nextcloud  4096 May  4 22:35 ..
[2:04 AM] jthan: now you can hack me
[2:04 AM] r00t^2: this is why
                 | [1:19 AM] r00t^2: `find / -type f -iname "*.publickey"`
[2:04 AM] jthan: yeah, I mean.. I see now.
[2:05 AM] r00t^2: i even *said*
                 | [1:25 AM] r00t^2: and you copy-pasted the find i gave, right?
[2:05 AM] jthan: yea, well.. fucking... I didn't sleep lsat night
[2:05 AM] jthan: bout 3 hours
[2:05 AM] jthan: what do you expect?
[2:05 AM] r00t^2:
                 | [1:25 AM] r00t^2: and you copy-pasted the find i gave, right?
                 | [1:25 AM] jthan: Yeah. Literally no results
[2:05 AM] jthan: :brain:
[2:05 AM] r00t^2:
                 | the user is always lying
[2:06 AM] jthan: JTHAN IS THE USER
[2:06 AM] jthan: fuck
[2:06 AM] jthan: so THOSE keys I want to stick in vault
[2:06 AM] r00t^2: we could have wasted a lot less time if you didn't lie when i ask you questions
[2:06 AM] jthan: I'm assuming they never change?
[2:06 AM] r00t^2: they shouldn't, no; it'd render the encrypted files completely irrecoverable
[2:06 AM] jthan: unless it somehow rotates
[2:07 AM] jthan: renecrypts with new key inplace
[2:07 AM] jthan: yeah, I dind't actually copy-pasta, I typed it.
[2:07 AM] r00t^2: i doubt it does that, because again - seems above Nc's level of awareness
[2:07 AM] r00t^2: but if it does, just cron it or something
[2:07 AM] jthan: for this I am sorry and if you want to publicly shame me you can.
[2:07 AM] r00t^2: oh, i am

Author
Categories ,

Comments

There are currently no comments on this article.

Comment...

Enter your comment below. Fields marked * are required. You must preview your comment before submitting it.