Group sharing not working with encryption for newly added users

[flokru]

Steps to reproduce

1. Enable encryption
2. Create a group
3. Share file/folder with group
4. Register a new user
5. Add user to group (from 2.)
6. User cannot access shared files

Expected behaviour

Ideally, the user should be able to access the files right away after being added to the group. I am aware this is a known caveat of encryption with group sharing. I am also aware that I need to re-share the item with the specific user (and even after un-sharing it, the user can access the files correctly via the group share). However, we have a large directory structure with many group-dependent shares and are regularly adding (and removing) users. Thus, the proposed workaround is too cumbersome for our use case.

I don't know the encryption details of Nextcloud and I can imagine the proposed workaround is necessary to avoid making the encryption unsecure. Therefore, if it is intrinsically not possible to automatically make the files readable for the new group member, I propose the following solutions to make it easier:

• Whenever a member is added to a group, check for all shares with this group and do the necessary crypto steps internally (i.e. whatever happens when I share with the user in the proposed workaround)
• If this cannot be done automatically, put the necessary steps into a cron run (e.g. check which group-shared files are not readable although they should be readable, do the necessary steps…)
• add a command to occ to let me do these steps myself without having to do it manually in the browser; i.e. add a group-sharing-with-encryption-consistency-run action

Actual behaviour

The user cannot access the shared files, depending on file type gets weird and unhelpful error messages (ranging from PDF viewer giving 500 Server errors to image gallery giving another error and other types downloading as 500 Server error HTML file to my local machine).

Server configuration

Operating system: Ubuntu 16.04 LTS

Web server: Apache2 2.4.18

Database: MariaDB 10.0.29

PHP version: 7.0.18

Nextcloud version: 12.0.0

Updated from an older Nextcloud/ownCloud or fresh install: Fresh install

Where did you install Nextcloud from: Web

Signing status:

Signing status

No errors have been found.

List of activated apps:

App list

Enabled:
  - activity: 2.5.2
  - admin_notifications: 1.0.0
  - announcementcenter: 3.1.0
  - comments: 1.2.0
  - dav: 1.3.0
  - encryption: 1.6.0
  - federatedfilesharing: 1.2.0
  - federation: 1.2.0
  - files: 1.7.2
  - files_pdfviewer: 1.1.1
  - files_retention: 1.1.2
  - files_sharing: 1.4.0
  - files_texteditor: 2.4.1
  - files_trashbin: 1.2.0
  - files_versions: 1.5.0
  - files_videoplayer: 1.1.0
  - firstrunwizard: 2.1
  - gallery: 17.0.0
  - logreader: 2.0.0
  - lookup_server_connector: 1.0.0
  - nextcloud_announcements: 1.1
  - notifications: 2.0.0
  - oauth2: 1.0.5
  - password_policy: 1.2.2
  - provisioning_api: 1.2.0
  - registration: 0.2.3
  - serverinfo: 1.2.0
  - sharebymail: 1.2.0
  - survey_client: 1.0.0
  - systemtags: 1.2.0
  - theming: 1.3.0
  - twofactor_backupcodes: 1.1.1
  - updatenotification: 1.2.0
  - workflowengine: 1.2.0
Disabled:
  - admin_audit
  - files_external
  - user_external
  - user_ldap

Nextcloud configuration:

Config report

If you have access to your command line run e.g.:
{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": [
            "localhost",
            "cloud.point-8.de"
        ],
        "datadirectory": "\/var\/nextcloud-storage\/ncdata",
        "overwrite.cli.url": "http:\/\/localhost",
        "dbtype": "mysql",
        "version": "12.0.0.29",
        "dbname": "nextcloud",
        "dbhost": "127.0.0.1",
        "dbport": "",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "memcache.local": "\\OC\\Memcache\\APCu",
        "open_basedir": "\/dev\/urandom",
        "instanceid": "ocdf3mcmx4my",
        "mail_from_address": "nextcloud",
        "mail_smtpmode": "php",
        "mail_domain": "post.point-8.de"
    }
}

Are you using external storage, if yes which one: No.

Are you using encryption: Yes.

Are you using an external user-backend, if yes which one: No.

Client configuration

Browser: Safari, Chrome, Nextcloud App on iOS

Operating system: macOS, iOS

[rullzer]

So what you describe is not possible. As we can't decrypt the file without a user (that has access) password. So a cron job would not solve the issue.

This should all work if you just have a master key. But @schiessle can probably tell more about the encryption app.

[flokru]

Okay, I see. As I said, I do not insist on my proposals. My point is: the current workaround of sharing all group-shared objects individually with the newly added group member manually (and removing the user afterwards) is both extremely time-consuming, inconvenient and error-prone. It would be no problem if user A (the one sharing the files) needs to log in after a new user was added and could click on a button magically working through all his shares and doing the necessary "magic" to allow the newly added user B to be able to access the files.

[schiessle]

As said by @rullzer this can't be automated. Just think for a second what this would mean about the security of encryption if Nextcloud could magically give other people access to your files.

As @rullzer I would recommend to use the master key, but this is only possible with a system which doesn't contain any encrypted files yet. Then you can enable server-side encryption, the default encryption module an then execute ./occ encryption:enable-master-key.

This will also be the default from Nextclodu 13 on: #5174

[machinekoder]

Thanks, decrypting and re-encrypting after enabling the master key also works.