Gentoo Forums
Apache access permissions again
Gentoo Forums Forum Index :: Networking & Security
Seth
Apprentice
Joined: 25 May 2002
Posts: 156
Location: U.S.

Posted: Wed Dec 25, 2002 6:29 pm    Post subject: Apache access permissions again

Hi,

I've emerged apache 1.3.27_r1 and want to set it up so it serves me local web pages, especially PHP pages. PHP works fine, but I'm having a lot of difficulty getting apache to serve pages outside DocumentRoot, and nothing I do with <Directory></Directory> permissions seems to change that.

For example, I've experimentally set up what looks to me like completely unrestricted access to the document root directory (/home/httpd/htdocs):
Code:

<Directory />
    Options -Indexes FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>


and copied that to a symlink in /home/httpd/htdocs called Jones.

Code:

<Directory /Jones>
  Options -Indexes FollowSymLinks
  Order allow,deny
  Allow from all
</Directory>


The symlink Jones points to /home/scsi/WWW/Jones and I've set permissions there to world-wide read, write, and execute. I know it's not safe, and I won't keep it that way, but I want to figure out what's happening.

At any rate, unrestricted permissions do not matter. When I try to access the files as
Code:

http://localhost/Jones/index.html


I get a 403.

The access log records the request and the 403 error message. The error log doesn't contain any record.

What's going on? What am I missing?

Thanks,
Seth
rac
Bodhisattva
Joined: 30 May 2002
Posts: 6553
Location: Japanifornia

Posted: Wed Dec 25, 2002 10:10 pm

<Directory> uses absolute paths, not relative to DocumentRoot.
_________________
For every higher wall, there is a taller ladder
Seth
Posted: Wed Dec 25, 2002 10:25 pm

rac wrote:
<Directory> uses absolute paths, not relative to DocumentRoot.


That may be, but when I use absolute paths I get the same results:

Quote:

Forbidden


You don't have permission to access /test/index.html on this server

________________________________________________________________________

Apache/1.3.27 Server at ring.onhand.org Port 80


Thanks,
Seth
rac
Posted: Wed Dec 25, 2002 10:35 pm

Did you edit the restrictive <Directory /> in commonapache.conf, or try to override it somewhere else? Might it be a case of dueling directives?
_________________
For every higher wall, there is a taller ladder
Seth
Posted: Wed Dec 25, 2002 11:02 pm
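An added example, not configuration from the thread or from the Gentoo ebuild, showing what rac's two points look like in a 1.3-style httpd.conf: the stock restrictive `<Directory />` stays as it is, and access is opened only on the absolute filesystem path Apache actually uses. Apache matches `<Directory>` sections against the literal path it builds from DocumentRoot plus the URI and merges them shortest path first, so a symlink under htdocs is matched as /home/httpd/htdocs/Jones (inheriting the htdocs section), never as `/Jones` and never as the link target. The `Alias` variant sidesteps the symlink and makes the path unambiguous. Paths are the ones Seth describes; the `Alias` line and the exact `Options`/`AllowOverride` values are assumptions.

```apache
# Default for the whole filesystem: deny everything. This is what the stock
# commonapache.conf does; leave it alone and open specific paths below.
# Sections are merged shortest path first, so the most specific one wins.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# DocumentRoot. With FollowSymLinks the Jones symlink is served as
# /home/httpd/htdocs/Jones/... and inherits this section. A separate
# <Directory /Jones> never matches anything: there is no such filesystem path.
<Directory /home/httpd/htdocs>
    Options -Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# Alternative without the symlink: map the URL onto the real directory with
# mod_alias and open exactly that absolute path. FollowSymLinks is not needed.
Alias /Jones /home/scsi/WWW/Jones
<Directory /home/scsi/WWW/Jones>
    Options -Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
```

Check the result with `apachectl configtest` before restarting. Whichever form is used, the user Apache runs as still needs search permission on every directory from / down to the file; a `<Directory>` section can only loosen what Apache itself enforces, not what the kernel refuses.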

rac wrote:
Did you edit the restrictive <Directory /> in commonapache.conf, or try to override it somewhere else? Might it be a case of dueling directives?


That was a good thought so I double-checked and found a second directory setting for DocumentRoot down at the bottom of commonapache.conf. So I commented out the one I had done earlier and restarted apache.

No luck. I couldn't get apache to serve me a web page out of the tree. What's even more puzzling is that the symlink to the manual, which is also out of the DocumentRoot tree, works perfectly. I can't figure it out.

Thanks again,

Seth
rac
Posted: Wed Dec 25, 2002 11:52 pm

Does the apache user have read and execute permissions on all directories leading down to the target file? In cases where Apache is actively denying something, it usually remarks "client denied by server configuration" in the error log. The fact that this is not happening leads me to believe that maybe apache itself is being forbidden from accessing the file somehow.
_________________
For every higher wall, there is a taller ladder
Seth
Posted: Wed Dec 25, 2002 11:58 pm

rac wrote:
Does the apache user have read and execute permissions on all directories leading down to the target file?


Hmm. I could be messing up here. I changed permissions on all directories and files so that they belong to sethr (me) and are in the apache group. Obviously, that isn't doing the trick. How would I make sure that the apache user has read and execute permissions on all relevant directories and files?

Seth
rac
Posted: Thu Dec 26, 2002 12:19 am

Seth wrote:
How would I make sure that the apache user has read and execute permissions on all relevant directories and files?


I guess one way would be to change the apache user's shell to an actual shell, su to root, su from root to apache, and then cd / and cd to each of the directories underneath, and then try to cat the file.
_________________
For every higher wall, there is a taller ladder
Seth
Posted: Thu Dec 26, 2002 8:16 am

rac wrote:
I guess one way would be to change the apache user's shell to an actual shell, su to root, su from root to apache, and then cd / and cd to each of the directories underneath, and then try to cat the file.


Did that and discovered that as user apache I don't have permission to even enter the directory with the files I want served.

O.k. I've had similar setups with apache in the past, but never had these problems. Clearly I'm missing something basic, but what?

Thanks,
Seth
Xafloc
n00b
Joined: 19 Apr 2002
Posts: 48
Location: Wisconsin

Posted: Tue Dec 31, 2002 7:43 pm    Post subject: Possible fix

I had a similar problem, due to the permissions of a user's home directory.

By default, it seems a user's directory is chmod'd to 700. I had to change that to 755 to get it to work. Not very good security, but it might fix your problem.

Darren
_________________
Darren Greer
http://www.nod.to
http://www.alinuxbox.com
Nitro
Bodhisattva
Joined: 08 Apr 2002
Posts: 661
Location: San Francisco

Posted: Tue Dec 31, 2002 8:58 pm

Seth wrote:
Did that and discovered that as user apache I don't have permission to even enter the directory with the files I want served.

O.k. I've had similar setups with apache in the past, but never had these problems. Clearly I'm missing something basic, but what?


The best solution to this, other than chmoding your homedir to 755 (which allows everyone to ls it): my suggestion is to make your user their own group. So, user nitro belongs to group nitro (+ others maybe). Now, add the user apache to the nitro group. Chmod your homedir to 750, and restart apache so it re-reads /etc/groups. Example output from id:

Code:
$ id nitro
uid=503(nitro) gid=507(nitro) groups=507(nitro), ...

$ id apache
uid=81(apache) gid=81(apache) groups=81(apache),507(nitro), ...

$ ls -ld /home/nitro
drwxr-x---   32 nitro    nitro        2048 Dec 28 20:24 /home/nitro/


In my scenario, apache accesses your home directory through the group privs, not the world privs (which include every other user on your system). Of course this won't protect you from stuff that runs as user apache (PHP (only if not in safe_mode) and CGI (only if CGI isn't running in suEXEC)).

Ideally, we would want apache to fork its child and run as the same userid as the files other than the master apache process, but we don't have this luxury.

Let me know what you think.
_________________
- Kyle Manna

Please, please SEARCH before posting.

There are three kinds of people in the world: those who can count, and those who can't.
Seth
Posted: Wed Jan 01, 2003 4:55 pm

Nitro wrote:

The best solution to this, other than chmoding your homedir to 755 (which allows everyone to ls it): my suggestion is to make your user their own group. So, user nitro belongs to group nitro (+ others maybe). Now, add the user apache to the nitro group. Chmod your homedir to 750, and restart apache so it re-reads /etc/groups.

....

Nitro wrote:
Let me know what you think.


Nitro, that's an elegant solution and way better than the one I was going to try, which was to change the user apache ran as to my regular user. I figured that would be o.k. as I was running apache privately. Nonetheless, I like your plan better. Besides, it works.

Many thanks and a happy new year.
Seth
btg308
n00b
Joined: 14 Aug 2002
Posts: 72
Location: Östersund, Sweden

Posted: Thu Jan 02, 2003 9:46 pm    Post subject: I did a forum search. :-)

And found this https://forums.gentoo.org/viewtopic.php?t=22603 solution: Set the user's homedir to something like 701 or 751 - apache only needs x access, not r. IMHO even more elegant than Nitro's: If you have lots of users, it's a pain to add apache to all those groups (I thought it was easier to find another solution than to figure out a way to automate the process). :-)
_________________
Gentoo Linux - Feel the speed.
Kawasaki GPZ 1100 - The need for speed.
Nitro
Posted: Thu Jan 02, 2003 10:01 pm    Post subject: Re: I did a forum search. :-)

btg308 wrote:
And found this https://forums.gentoo.org/viewtopic.php?t=22603 solution: Set the user's homedir to something like 701 or 751 - apache only needs x access, not r. IMHO even more elegant than Nitro's: If you have lots of users, it's a pain to add apache to all those groups (I thought it was easier to find another solution than to figure out a way to automate the process). :-)


You made a good point, but perms with 701 still allow me (as a "world/other" user) to cd to that user's dir. And, if the files in it are 644 (based on the default umask), I can then read those files. I would have to know the name of the file though, since I can't ls (no read bit). But, if there is another directory, let's say phpMyAdmin, and that dir has default perms of 755, I can now cd to there and read config.inc.php (is there an "inc" in it? not sure, it isn't significant anyway..) which stores the mysql connection info. Surprise, I now own that user's db.

So ultimately, the best solution is my method but instead set the user's home dir to mode 710. This is better yet, because it makes it a little harder for someone to do something harsh with php (not running in safe_mode) and cgi scripts (not running on suEXEC), since those scripts run as apache's uid.
_________________
- Kyle Manna

Please, please SEARCH before posting.

There are three kinds of people in the world: those who can count, and those who can't.
btg308
Posted: Sun Jan 05, 2003 5:42 pm    Post subject: Re: I did a forum search. :-)

Nitro wrote:
perms with 701 still allow me (as a "world/other" user) to cd to that user's dir.

Point. Hm... How about this?

Code:
cd /home
chown :apache *
chmod 710 *

That gives just apache cd access, no one else. The only concern would be if this breaks any other programs, but IIRC giving the user's own group access to $home is optional, even having that group for the users is a Red Hat thing. Anything else that may barf?
_________________
Gentoo Linux - Feel the speed.
Kawasaki GPZ 1100 - The need for speed.
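The check rac suggested (what can the apache user actually reach?), the 701 walk-through Nitro gives, and btg308's `chown :apache` plus 710 variant all come down to the kernel's per-component permission test on the path. The Python below is an added example, not code from the thread: it models that test, runs it over a constructed copy of Seth's layout for each home-directory mode discussed, and also walks a real path on disk so the check can be made for the apache uid without giving that account a login shell. The uid/gid numbers (81 for apache, from Nitro's `id` output; 1000 standing in for Seth's account; 1001 for some other local user), the phpMyAdmin location and the temp-dir self-check are assumptions.

```python
import os
import shutil
import stat
import tempfile

# Assumed ids: 81 is apache's uid/gid from Nitro's `id` output, 1000 stands in
# for Seth's account (sethr), 1001 is some other local user.
APACHE_UID = APACHE_GID = 81
SETH_UID = SETH_GID = 1000
OTHER_UID = OTHER_GID = 1001

_BITS = {"r": 4, "w": 2, "x": 1}


def is_allowed(mode, st_uid, st_gid, uid, gid, groups, want):
    """POSIX DAC check for one inode. Exactly one class applies: owner if the
    uid matches, else group if the gid or a supplementary group matches, else
    other. `want` is a string of 'r', 'w', 'x'; on a directory 'x' is the
    search (cd / path traversal) right."""
    if uid == 0:
        return True  # root bypasses DAC; good enough for this model
    perm = stat.S_IMODE(mode)
    if uid == st_uid:
        cls = (perm >> 6) & 7
    elif gid == st_gid or st_gid in groups:
        cls = (perm >> 3) & 7
    else:
        cls = perm & 7
    return all(cls & _BITS[c] for c in want)


def first_denied(lookup, path, uid, gid, groups):
    """Walk `path` the way open() does: every directory on the way needs 'x'
    for the caller and the final file needs 'r'. `lookup(p)` returns
    (mode, st_uid, st_gid). Returns the first component that refuses, or
    None when the read would succeed."""
    cur = "/"
    for part in [p for p in path.split("/") if p]:
        if not is_allowed(*lookup(cur), uid, gid, groups, "x"):
            return cur
        cur = os.path.join(cur, part)
    return None if is_allowed(*lookup(cur), uid, gid, groups, "r") else cur


def first_denied_on_disk(path, uid, gid, groups):
    """Same walk on the real filesystem. Symlinks are resolved first, which is
    what FollowSymLinks makes Apache do, so the link target's parents count."""
    def lookup(p):
        st = os.stat(p)
        return st.st_mode, st.st_uid, st.st_gid
    return first_denied(lookup, os.path.realpath(path), uid, gid, groups)


def make_tree(home_mode, home_gid=SETH_GID):
    """Constructed model of Seth's layout. Only the home dir's mode and group
    vary; the phpMyAdmin config is the secret from Nitro's scenario."""
    tree = {
        "/": (0o755, 0, 0),
        "/home": (0o755, 0, 0),
        "/home/scsi": (home_mode, SETH_UID, home_gid),
        "/home/scsi/WWW": (0o755, SETH_UID, SETH_GID),
        "/home/scsi/WWW/Jones": (0o755, SETH_UID, SETH_GID),
        "/home/scsi/WWW/Jones/index.html": (0o644, SETH_UID, SETH_GID),
        "/home/scsi/phpMyAdmin": (0o755, SETH_UID, SETH_GID),
        "/home/scsi/phpMyAdmin/config.inc.php": (0o644, SETH_UID, SETH_GID),
    }
    return tree.__getitem__


PAGE = "/home/scsi/WWW/Jones/index.html"
SECRET = "/home/scsi/phpMyAdmin/config.inc.php"
APACHE = (APACHE_UID, APACHE_GID, set())                # stock apache account
APACHE_IN_GROUP = (APACHE_UID, APACHE_GID, {SETH_GID})  # apache added to Seth's group (Nitro)
OTHER = (OTHER_UID, OTHER_GID, set())                   # any other local user


def evaluate():
    """Home-dir mode -> where each caller is stopped (None = read succeeds)."""
    return {
        "700 apache page": first_denied(make_tree(0o700), PAGE, *APACHE),      # Seth's 403
        "755 apache page": first_denied(make_tree(0o755), PAGE, *APACHE),      # Xafloc's fix
        "755 other secret": first_denied(make_tree(0o755), SECRET, *OTHER),    # ...and its cost
        "701 other secret": first_denied(make_tree(0o701), SECRET, *OTHER),    # x alone suffices
        "710 apache page": first_denied(make_tree(0o710), PAGE, *APACHE),
        "710+group apache page": first_denied(make_tree(0o710), PAGE, *APACHE_IN_GROUP),
        "710+group other secret": first_denied(make_tree(0o710), SECRET, *OTHER),
        "710 gid=apache page": first_denied(make_tree(0o710, APACHE_GID), PAGE, *APACHE),
    }


def selfcheck_on_disk():
    """Real tree in a temp dir: a 700 'home' must stop a foreign uid (65534,
    made up for the test) somewhere on the path while the owner gets through."""
    root = tempfile.mkdtemp()
    try:
        os.chmod(root, 0o755)
        home = os.path.join(root, "scsi")
        os.mkdir(home)
        os.chmod(home, 0o700)
        page = os.path.join(home, "index.html")
        with open(page, "w") as fh:
            fh.write("<h1>hi</h1>\n")
        os.chmod(page, 0o644)
        me = (os.getuid(), os.getgid(), set(os.getgroups()))
        return {"foreign": first_denied_on_disk(page, 65534, 65534, set()),
                "owner": first_denied_on_disk(page, *me)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for k, v in evaluate().items():
        print(f"{k:24s} -> {'ok' if v is None else 'denied at ' + v}")
    print(selfcheck_on_disk())
```

On a real box, read the web server's groups with `id apache` first and pass them as the `groups` set to `first_denied_on_disk('/home/httpd/htdocs/Jones/index.html', 81, 81, groups)`; run it as root so every `stat` succeeds. The model makes the trade-offs in the thread concrete: 700 stops apache at /home/scsi, which is the 403 with nothing in error_log; 755 and 701 both let apache in, but also let any local user open a file whose name they can guess (search permission is enough, and phpMyAdmin is a guessable name); 710 with apache in the user's group, or the directory's group set to apache, admits only the web server.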