Prevent multiple accounts from sharing a sync folder

[TheOneRing]

Since 838c072 we allow that multiple accounts share the same sync folder.

• In combination with virtual files it leads to data loss
• Security risk by allowing mirroring to an external server
• We don't warn that we mirror to an external server

[pmaier1]

• Write down reasoning why to drop the feature => deprecation note
• Alternatives?
• Drop with 2.9

[jnweiger]

Tested with testpilotcloud-client-2.9.0-beta3 and owncloud-client 2.9.0-beta3 on Fedora-33

• connect testpilotcloud to [email protected] without using vfs
• rename the Photos folder to demo-Photos
• wait for the sync to finish
• connect owncloud to [email protected] with using vfs and re-using the folder ~/testpilotcloud as syncroot.
• wait for the sync to finish.

No error messages occur, both accounts on the server now have the same files and folders. admin's Photos folder appears at user demo. Demo's demo-Photos folder appars at user admin.

Expected behaviour, sharing of sync root folders should not be possible when using VFS.

---

However, when configuring the second account with the same client, sharing of the sync root folder is not possible, as expected.

[TheOneRing]

This should prevented in https://github.com/owncloud/client/blob/master/src/gui/folderman.cpp#L1332
@erikjv could you have a look?

[erikjv]

@jnweiger can you trigger the message "The folder %1 is used in a folder sync connection!" at all?

Also: can you check what the exact name is of the .sync files? Is there a ._sync* in there?

[jnweiger]

It is named .sync_journal.db (without the underscore after the dot.)

Hmm, when I try a second connection with the same client using the same sync root folder, I get a slightly different message:

Not sure, how to actually provoke the message you quote.

[erikjv]

Never mind, I think I already found the issue.

[jnweiger]

Retested in an update scenario on Linux Mint:

• testpilotcloud 2.9.0-beta3 and owncloud 2.9.0-beta3 configured a remote connection to different servers using the shared ~/ownCloud4 sync folder.
• the servers start sharing data in a confusing way. To be expected. This is before @erikjv 's fix came in.
• stop both clients. Upgrade both to 2.9.0-rc1 to bring in that fix.
• start testpilotcloud client. Wait for sync to complete
• start owncloud client -- it hangs frozen.
• killall owncloud, to be really sure there is nothing old.
• Try inf foreground from the shell as follows, window frame is drawn without contents, Place for tray icon is created without content, we get only these few lines of output then it hangs:

$ owncloud --debug -s --logflush --logfile -
08-30 17:20:41:171 [ debug default ]    [ OCC::Logger::setLogRules ]:   "gui.*.debug=true\nsync.*.debug=true\nsync.httplogger=true"
08-30 17:20:41:171 [ debug default ]    [ OCC::Logger::setLogRules ]:   "gui.*.debug=true\nsync.httplogger=true\nsync.*.debug=true\nsync.httplogger=true"
08-30 17:20:41:197 [ info gui.application ]:    ################## "ownCloud" locale: "en_US" version: "ownCloud 2.9.0rc1 (build 5070) 49cfb1 Aug 27 2021 17:26:42 Libraries Qt 5.12.10, OpenSSL 1.1.1f  31 Mar 2020 Using virtual files plugin: off linuxmint-5.4.0-81-generic"
08-30 17:20:41:197 [ info gui.application ]:    Arguments: ("owncloud", "--debug", "-s", "--logflush", "--logfile", "-")
08-30 17:20:41:198 [ info gui.application ]:    Using "en_US" translation
08-30 17:20:41:198 [ info gui.application ]:    Adding extra plugin search path: "/opt/ownCloud/ownCloud/bin/../lib/x86_64-linux-gnu/plugins"
08-30 17:20:41:200 [ info gui.application ]:    VFS suffix plugin is available
08-30 17:20:41:200 [ info gui.socketapi ]:      server started, listening at  "/run/user/1000/ownCloud/socket"
08-30 17:20:41:258 [ info gui.account.manager ]:        Restored:  0  unknown certs.
08-30 17:20:41:258 [ info gui.account.manager ]:        Restored:  0  unknown certs.
08-30 17:20:41:258 [ info gui.account.manager ]:        Restored:  0  unknown certs.
08-30 17:20:41:259 [ info gui.account.manager ]:        Restored:  1  unknown certs.
08-30 17:20:41:283 [ debug gui.activity ]       [ OCC::ActivitySettings::setNotificationRefreshInterval ]:      Starting Notification refresh timer with  300  sec interval
08-30 17:20:41:298 [ debug gui.application ]    [ OCC::GeneralSettings::loadLanguageNamesIntoDropdown ]:        Warning: could not find native language name for locale "TW"
08-30 17:20:41:394 [ debug gui.updater ]        [ OCC::Updater::getSystemInfo ]:        Sys Info size:  83
08-30 17:20:41:394 [ debug gui.updater ]        [ OCC::Updater::create ]:       QUrl("https://updates.owncloud.com/client/?client=RGlzdHJpYnV0b3IgSUQ6CUxpbnV4bWludApEZXNjcmlwdGlvbjoJTGludXggTWludCAyMC4yClJlbGVhc2U6CTIwLjIKQ29kZW5hbWU6CXVtYQo%3D&version=2.9.0.5070&platform=linux&oem=ownCloud&buildArch=x86_64&currentArch=x86_64&versionsuffix=rc1")
08-30 17:20:41:470 [ info gui.application ]:    Tray menu workarounds: noabouttoshow: false fakedoubleclick: false showhide: false manualvisibility: false
08-30 17:20:41:479 [ info gui.folder.manager ]: Setup folders from settings file
08-30 17:20:41:479 [ info plugins ]:    Created VFS instance from plugin "owncloudsync_vfs_suffix"
08-30 17:20:41:479 [ debug gui.folder ] [ OCC::Folder::checkLocalPath ]:        Checked local path ok
08-30 17:20:41:479 [ info sync.configfile ]:    Adding system ignore list to csync: "/etc/ownCloud/sync-exclude.lst"

[jnweiger]

I'd venture a guess:

• Beta3 already uses the new naming scheme, but did not detect the collision correctly.
• When rc1 gets installed, the client tries an exclusive flock() on its sqlite db, while the same file is already flock()ed exclusively by the alread running client?
• this situation is probably unrealistic, as we don't expect beta3 out in the wild.

TODO:

• retest upgrade with shared sync root on a fresh system
• retest on windows

[jnweiger]

Retested the upgrade scenario in Fedora 33

• install both testpilot cand owncloud client in verison 2.8.2,
• connect both with different accounts to servers, using the same e.g. ~/testpilotcloud3 sync folder
• wait for (chaotic) cross sync to finish. quit both, upgrade both to 2.9.0 rc1
• both continue happily to sync. BAD
• The new name .sync_journal.db is not used. We retain the two differently named .sync_....db files. BAD

testpilotcloud-logdir.zip
ownCloud-logdir.zip

[jnweiger]

Regarding charotic syncing:

• Using VFS on Linux (Placeholder mode) in one client, and physical mode in the other client, bad things happen.
  • placeholder files are uploaded to the server (seen in 2.9.0-rc1)
    

[jnweiger]

Retested the upgrade scenario in Windows 10

• install both testpilot cand owncloud client in verison 2.8.2,
• connect both with different accounts to servers, using the same sync folder
• wait for (chaotic) cross sync to finish. quit both, upgrade both to 2.9.0 rc1
• same as on Fedora33 above, both clients happily sync.
  

A third sync folder connetcion (fresh, not from an upgrade) cannot be added to the same sync folder:

[jnweiger]

I am not sure what the expected behaviour should be:

a) Detect the folder sharing and prevent using that with 2.9.0 and later.
b) Allow it as a legacy configuration so to not disrupt the user too much. But disallow the creation of the same.

Currently we do b) -- this has two disadvantages

1. the user might experience some misbehaviour
2. the user is not aware that the same sharing cannot b recreated with 2.9.0

To make b) nice and safe, I suggest to at least have a pop up a warning dialog, e.g. like this:

"Warning: Legacy shared sync folder detected: Folder testpilotcloud3 is connected to [email protected] and [email protected] -- this can lead to bad side effects including data loss, especially when using VFS. Please resolve this as soon as possible. [Remove Account] [Continue for now]"

Maybe (also) a pemanent red warning....

[TheOneRing]

At the moment the behavior is ok, we didn't plan to break existing setups we just want that never to happen again.