LinuxQuestions.org
Old 04-10-2006, 10:10 PM   #1
SparceMatrix
Member
 
Registered: Aug 2002
Distribution: SME Server, CentOS
Posts: 212

Rep: Reputation: 30
Apache User Directories problem in Fedora 5 Core upgrade



I have confronted all the usual issues in trying to correct this problem. I have recently upgraded to Fedora 5.

There are three previous users with public_html directories that can be reached easily, but when I tried to create a new user, I get the usual

Quote:
Forbidden
You don't have permission to access /~MyNewUser/ on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

Apache/2.2.0 (Fedora) Server at cubie Port 80
I once had the problem in a previous installation and simply disabled SELinux to fix it after posting the problem here:

http://www.linuxquestions.org/questi...00#post1870600

I have chmod'ed permissions of all the files to 777. After reintroducing SELinux I have tried all the usual chcon commands as explained here,

http://www.linuxquestions.org/questi...56#post1831456

and here,

http://www.linuxquestions.org/questi...04#post1355004

If I ls -lZ those new /NewUser/public_html/ directories, I see the usual indication of SELinux permissions:

rwxrwxrwx MyNewUser MyNewUser user_ubject_r:httpd_sys_content_t public_html

What is going on? How do I correct this problem?

The httpd error and access logs just repeat the 403 error. Where else do I look for clues as to what is going on?
 
Old 04-10-2006, 11:05 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Did you enable the homedirs boolean (setsebool -P httpd_enable_homedirs true) along with doing chcon?

Do you see any "avc" or other selinux-related messages in the system logs?
 
Old 04-10-2006, 11:47 PM   #3
SparceMatrix
Original Poster
Yes, I tried setsebool like you and others have posted before I tried the other command that changes directories directly. I have also tried disabling SELinux and this doesn't change anything like it did the first time I had problems with it.

I have tried all the /var/httpd/logs. Is there any other place I should look?
 
Old 04-11-2006, 10:24 AM   #4
SparceMatrix
Original Poster
Here is what fixed it:

Code:
chmod -R 755 /home
Why?? Why does the user's root directory have to have access permission, when all you want is access to the /public_html folder inside of it? I'm not sure if I like that. Why is it supposed to be that way?

Last edited by SparceMatrix; 04-23-2006 at 11:10 AM.
 
Old 04-11-2006, 05:50 PM   #5
Capt_Caveman
You shouldn't have to do that. The dirs (including public_html) should have 755 permissions while the content itself should be 744. Also make sure that the UserDir directive is set to public_html in the Apache config. You never really want to set anything with global write-execute as it's a big security risk, especially for anything that Apache has access to. If you are still having problems, post the perms on everything from / to the public_html and the content itself.

This is also a good tutorial that I found worked on getting home_dirs working with Apache under Fedora:
http://fedora.redhat.com/docs/selinu...r-homedir.html

Last edited by Capt_Caveman; 04-11-2006 at 05:51 PM.
 
Old 04-23-2006, 11:19 AM   #6
SparceMatrix
Original Poster
I omitted "755" in the above code. I have also found if I changed the content of /public_html to 744, I can't reach my HTML, which seems kind of strange since that allows read access to non-owners.
 
Old 04-25-2006, 10:15 PM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
From the apache config:

#"UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid. This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissions
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.

The execute bit allows Apache to list the contents of that dir, but to be honest I'm not really sure exactly why it needs to do that. Possibly so it knows what content is there before serving requests.
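
The permission rule quoted from the Apache config in this thread, turned into a check (an added example, not part of any post): it walks every component from / down to the requested document and reports the first one whose "other" bits would produce the 403. It assumes GNU stat and a web server account that is neither owner nor group member of the path, and it reads mode bits only, not SELinux labels or ACLs; the function names and the sample path are illustrative.

```shell
#!/bin/sh
# Added example: report the first path component whose "other" permission
# bits would make Apache answer 403 for a ~user request.
# Assumes GNU stat (as on Fedora) and a web server account that is neither
# owner nor group member of the path; SELinux labels and ACLs are not checked.
# Usage (illustrative path): sh userdir_check.sh /home/MyNewUser/public_html/index.html

# other_bits PATH: print the last octal digit of PATH's mode (0-7).
other_bits() {
    ob_mode=$(stat -L -c '%a' -- "$1" 2>/dev/null) || return 1
    printf '%s\n' "${ob_mode#"${ob_mode%?}"}"
}

# userdir_blocker TARGET [START]: walk from START (default /) down to TARGET.
# Prints "<path> <reason>" and returns 1 at the first blocking component;
# prints nothing and returns 0 when the whole path is usable.
userdir_blocker() {
    ub_start=${2:-/}
    ub_cur=${ub_start%/}              # "/" becomes "", so joins stay clean
    ub_rest=${1#"$ub_cur"}
    ub_rest=${ub_rest#/}
    while :; do
        ub_path=${ub_cur:-/}
        ub_bits=$(other_bits "$ub_path") || { echo "$ub_path missing"; return 1; }
        if [ -d "$ub_path" ]; then
            # x (1) on a directory is the right to traverse it
            [ $(( ub_bits & 1 )) -ne 0 ] || { echo "$ub_path no-search"; return 1; }
        else
            # r (4) on the document is the right to read and serve it
            [ $(( ub_bits & 4 )) -ne 0 ] || { echo "$ub_path no-read"; return 1; }
        fi
        [ -n "$ub_rest" ] || return 0
        ub_part=${ub_rest%%/*}        # next component
        ub_rest=${ub_rest#"$ub_part"}
        ub_rest=${ub_rest#/}
        ub_cur=$ub_cur/$ub_part
    done
}

# Run against a path given on the command line, if any.
[ $# -eq 0 ] || userdir_blocker "$@"
```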
 
  

