LinuxQuestions.org
Latest LQ Deal: Linux Power User Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 08-09-2004, 07:13 PM   #1
winslow
LQ Newbie
 
Registered: Aug 2004
Location: ..., Earth, Europe, Germany, ...
Distribution: RedHat
Posts: 6

Rep: Reputation: 0
Why this 403? - I have set all permissions


Hi all,

sorry for bothering you, but i'm next to jumping out of my 6th floor window.

---
i got the following problem
---
----------------------------------------------------------------------------------
by the browser request
wow.test.now and test
===> Forbidden
You don't have permission to access / on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.0.40 Server at wow.test.now(test) Port 80
----------------------------------------------------------------------------------
by the browser request
nbnbg252 and 192.168.1.252
===> the main ServerRoot index.html is ok
----------------------------------------------------------------------------------
---
After my last changes to establish name based vhost my conf looks like that
---
----------------------------------------------------------------------------------
/etc/httpd/conf/httpd.conf

NameVirtualHost 192.168.1.252
<VirtualHost 192.168.1.252>
DocumentRoot /var/www/html
Servername nbnbg252.localhost
ServerAlias nbnbg252
</VirtualHost>
<VirtualHost 192.168.1.252>
DocumentRoot /home/myhome/www
ServerName wow.test.now
ServerAlias test
ScriptAlias /cgi-bin/ "/home/myhome/www/cgi-bin/"
</VirtualHost>
----------------------------------------------------------------------------------
drwxrwxrwx 11 apache apache 4096 9. Aug 23:19 www
and below the
-rwxrwxrwx 1 apache apache 76 9. Aug 23:19 index.html
-----------------------------------------------------------------------------------
drwxr-xr-x 4 apache apache 4096 9. Aug 23:31 html
and below the
-rwxr-xr-x 1 apache apache 4105 6. Aug 00:04 index.html
----------------------------------------------------------------------------------
/etc/hosts at the server

127.0.0.1 nbnbg252.localhost wow.test.now nbnbg252
(there was a "test" alias, but i think there is no need to it)
----------------------------------------------------------------------------------
---
additional (don't know if that does matter?)
---
----------------------------------------------------------------------------------
/etc/hosts and C:\\WINNT\system32\drivers\etc\hosts at the clients

192.168.1.252 wow.test.now nbnbg252 test
----------------------------------------------------------------------------------
drwx------ 32 myuser myuser 4096 9. Aug 23:54 myhome

myuser were switched out of an old_myuser
myhome is the copied content of old_myhome
----------------------------------------------------------------------------------


ANY suggestion?
thanks ahead
winslow
 
Old 08-10-2004, 03:14 AM   #2
wijnands
Member
 
Registered: Mar 2004
Posts: 132

Rep: Reputation: 15
Does it work on the server itself? Keeping a tail on your access_log and error_log might provide clues.
 
Old 08-10-2004, 06:48 AM   #3
winslow
LQ Newbie
 
Registered: Aug 2004
Location: ..., Earth, Europe, Germany, ...
Distribution: RedHat
Posts: 6

Original Poster
Rep: Reputation: 0
access/error log

access_log contains
192.168.1.32 - - [10/Aug/2004:12:26:35 +0200] "GET / HTTP/1.1" 403 392 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312"
192.168.1.32 - - [10/Aug/2004:12:26:59 +0200] "GET / HTTP/1.1" 403 392 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312"
nbnbg32 - - [10/Aug/2004:12:27:14 +0200] "GET / HTTP/1.1" 200 4105 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312"
nbnbg32 - - [10/Aug/2004:12:27:30 +0200] "GET / HTTP/1.1" 200 4105 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312"
after =>
1. request to test
2. request to wow.test.now
3. request nbnbg252
4. request 192.168.1.252

error_log contains
[Tue Aug 10 12:26:59 2004] [error] [client 192.168.1.32] (13)no permission: access to / denied
[Tue Aug 10 12:31:42 2004] [error] [client 192.168.1.32] (13)no permission: access to / denied
after =>
1. and 2. request

after booting the following is in the error_log
[Tue Aug 10 11:37:48 2004] [info] Init: Initializing OpenSSL library
[Tue Aug 10 11:37:49 2004] [info] Init: Seeding PRNG with 136 bytes of entropy
[Tue Aug 10 11:37:49 2004] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Aug 10 11:37:49 2004] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Aug 10 11:37:49 2004] [debug] /usr/src/build/288112-i386/BUILD/httpd-2.0.40/modules/ssl/ssl_scache_dbm.c(416): Inter-Process Session Cache (DBM) Expiry: old: 0, new: 0, removed: 0
[Tue Aug 10 11:37:49 2004] [info] Init: Initializing (virtual) servers for SSL
[Tue Aug 10 11:37:49 2004] [info] Server: Apache/2.0.40, Interface: mod_ssl/2.0.40, Library: OpenSSL/0.9.7a
[Tue Aug 10 11:37:49 2004] [info] mod_unique_id: using ip addr 127.0.0.1
PHP Warning: Function registration failed - duplicate name - imap_open in Unknown on line 0
......................lots more of these php stuff that i don't need--------------------
PHP Warning: ldap: Unable to register functions, unable to load in Unknown on line 0
[Tue Aug 10 11:37:53 2004] [info] Init: Initializing OpenSSL library
[Tue Aug 10 11:37:53 2004] [info] Init: Seeding PRNG with 136 bytes of entropy
[Tue Aug 10 11:37:53 2004] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Tue Aug 10 11:37:53 2004] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Tue Aug 10 11:37:53 2004] [debug] /usr/src/build/288112-i386/BUILD/httpd-2.0.40/modules/ssl/ssl_scache_dbm.c(416): Inter-Process Session Cache (DBM) Expiry: old: 0, new: 0, removed: 0
[Tue Aug 10 11:37:53 2004] [info] Init: Initializing (virtual) servers for SSL
[Tue Aug 10 11:37:53 2004] [info] Server: Apache/2.0.40, Interface: mod_ssl/2.0.40, Library: OpenSSL/0.9.7a
[Tue Aug 10 11:37:53 2004] [notice] Digest: generating secret for digest authentication ...
[Tue Aug 10 11:37:53 2004] [notice] Digest: done
[Tue Aug 10 11:37:53 2004] [info] mod_unique_id: using ip addr 127.0.0.1
[Tue Aug 10 11:37:54 2004] [notice] Apache/2.0.40 (Red Hat Linux) mod_perl/1.99_07-dev Perl/v5.8.0 PHP/4.2.2 mod_python/3.0.1 Python/2.2.2 mod_ssl/2.0.40 OpenSSL/0.9.7a DAV/2 configured -- resuming normal operations
[Tue Aug 10 11:37:54 2004] [info] Server built: Jul 31 2003 11:36:14
[Tue Aug 10 11:37:54 2004] [debug] /usr/src/build/288112-i386/BUILD/httpd-2.0.40/server/mpm/prefork/prefork.c(1037): AcceptMutex: sysvsem (default: sysvsem)

i can't see a case which disturbs permissions
 
Old 08-10-2004, 08:15 AM   #4
wijnands
Member
 
Registered: Mar 2004
Posts: 132

Rep: Reputation: 15
No but it does seem to be a permission problem. Out of my skill level though, sorry.
 
Old 08-10-2004, 08:30 AM   #5
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Can you get to /index.html or any other index page? If yes, look for these terms in your httpd.conf: Options Indexes.
 
Old 08-10-2004, 09:07 AM   #6
winslow
LQ Newbie
 
Registered: Aug 2004
Location: ..., Earth, Europe, Germany, ...
Distribution: RedHat
Posts: 6

Original Poster
Rep: Reputation: 0
tp wijnands: what did you exactly mean with:
Does it work on the server itself?

the deamon is up, i checked via ssh the logs error/access and the respond

to stickman
"Can you get to /index.html or any other index page?"
I get my main index page
DocumentRoot /var/www/html
"If yes, look for these terms in your httpd.conf: Options Indexes"
I read in the apache.org tutorial something about its more save not to use
Options Indexes!?
So i deleted these entries.

I tried it with Options Indexes in the "/" , but there was no difference.
i can allways see the nbnbg/192.168.1.252
but never the test/wow.test.now

here is my actuall setting on Directories
# important to security
<Directory "/">
Options FollowSymlinks
AllowOverride None
</Directory>

# DocRoot Directives
<Directory "/var/www/html">
Options IncludesNoexec FollowSymLinks
AllowOverride None
Allow from from all
Order allow,deny
</Directory>
<Directory "/var/www/icons">
Options MultiViews
AllowOverride None
Allow from from all
Order allow,deny
</Directory>
<Directory "/var/www/cgi-bin">
Options ExecCGI
AllowOverride None
Allow from from all
Order allow,deny
</Directory>

# VHost Directives
<Directory "/home/myhome/www">
Options IncludesNoexec FollowSymLinks Multiviews
AllowOverride None
Allow from from all
Order allow,deny
</Directory>
<Directory "/home/myhome/www/cgi-bin">
Options ExecCGI
AllowOverride None
Allow from from all
Order allow,deny
</Directory>
 
Old 08-10-2004, 10:55 AM   #7
winslow
LQ Newbie
 
Registered: Aug 2004
Location: ..., Earth, Europe, Germany, ...
Distribution: RedHat
Posts: 6

Original Poster
Rep: Reputation: 0
i opened mozilla via ssh and tried to reach my sites (Preferences - proxy - direct connection)

"192.168.1.252" - was the main DocumentRoot => ok

"test" was redirected to www.test.com, which i didn't wanted to go, the alias seems not to be ok, could be because of the missing /etc/hosts entry?

wow.test.now, "The connection was refused when attempting to connect to wow.test.now", the vhost is not ok
nbnbg252, the same as with wow.test.now, the alias to my main address is not ok, i could only reac id via IP

access_log noticed the ip of the server
error_log gives me new [Tue Aug 10 15:03:08 2004] [error] [client 192.168.1.32] (13)no permission: access to / denied

What do you think?
 
Old 08-10-2004, 03:09 PM   #8
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Quote:
Originally posted by winslow
to stickman
"Can you get to /index.html or any other index page?"
I get my main index page
DocumentRoot /var/www/html
"If yes, look for these terms in your httpd.conf: Options Indexes"
I read in the apache.org tutorial something about its more save not to use
Options Indexes!?
So i deleted these entries.
What do you have specified for the DirectoryIndex in your httpd.conf? Does it match the index page that you expect to use? If you don't have a matching index page in that directory and you are not using "Options Indexes", then your server is exhibiting the correct behavior.

Also are the permission on /home/myhome set to 700 or some other setting that restricts access to other?

Last edited by stickman; 08-10-2004 at 03:10 PM.
 
Old 08-10-2004, 05:49 PM   #9
winslow
LQ Newbie
 
Registered: Aug 2004
Location: ..., Earth, Europe, Germany, ...
Distribution: RedHat
Posts: 6

Original Poster
Rep: Reputation: 0
Quote:
What do you have specified for the DirectoryIndex in your httpd.conf? Does it match the index page that you expect to use? If you don't have a matching index page in that directory and you are not using "Options Indexes", then your server is exhibiting the correct behavior.

Also are the permission on /home/myhome set to 700 or some other setting that restricts access to other?
htpd.conf:
DirectoryIndex index.html index.htm index.xml

i have in all DocumentRoot directories an index.html with at least 755
in the case of the vhost DocumentRoot (while testing) i have 777
to the directorie and the index.html


Quote:
"and you are not using "Options Indexes", then your server is exhibiting the correct behavio"
please could you go in more detail, i don't understand that point
where have this "Options Indexes" to be,
<Directory "/">
or
<Directory "/var/www/html">
or
<Directory "/home/myhome/www">
or not at all in a <Directory "/foo/bar">

thx
 
Old 08-11-2004, 08:48 AM   #10
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
Quote:
Originally posted by winslow
i have in all DocumentRoot directories an index.html with at least 755
in the case of the vhost DocumentRoot (while testing) i have 777
to the directorie and the index.html
Ok, so you have /home/myhome/www set to 777, but what are the permissions on /home/myhome? You need to make sure that whatever user your Apache runs as can read the directory tree to your DocumentRoot (ie /home, /home/myhome, and /home/myhome/www). Redhat usually creates user directories with default perms of 700 which means apache or www can't read the contents of them.

The "Options Indexes" is a feature that when their is no matching index present and the directory is requested, it will present a file list as the index page. This is a security concern if you do not want the contents of that particular directortory presented.
 
Old 08-11-2004, 06:35 PM   #11
winslow
LQ Newbie
 
Registered: Aug 2004
Location: ..., Earth, Europe, Germany, ...
Distribution: RedHat
Posts: 6

Original Poster
Rep: Reputation: 0
Originally posted by stickman
Quote:
Ok, so you have /home/myhome/www set to 777, but what are the permissions on /home/myhome? You need to make sure that whatever user your Apache runs as can read the directory tree to your DocumentRoot (ie /home, /home/myhome, and /home/myhome/www). Redhat usually creates user directories with default perms of 700 which means apache or www can't read the contents of them.
/home was allready setted to 755
/home/myhome was setted to 700 is now 755
/home/myhome/www was setted to 777 is now 755

and it was a small step to mankind but a big to myself,
the clients(not the server) get access to the vhost,
thanks a lot to stickman

there are some minor problems left

I get results only when my browser preferences are setted to
Proxy - Direct connection
Any ideas what to tell the squid proxy to ignore these intranet requests???
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
APACHE Problem 2 dirs, identical permissions and security contexts, one gives 403? tones Linux - Software 2 03-13-2005 09:45 AM
Set Execute Permissions? scottlyter Linux - Software 3 10-19-2004 05:42 PM
Apache 403 Permissions Boffy Linux - Networking 9 08-21-2004 12:36 PM
How can I set up xhost permissions again? David the H. Debian 12 07-16-2004 01:01 PM
How to set Permissions ? jamaso Linux - Newbie 1 12-04-2001 05:15 PM


All times are GMT -5. The time now is 06:39 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration