[SOLVED] apache UserDir index.html permission denied

hokie92grad · 07-19-2009, 02:01 PM

I am somewhat stumped here. I have just installed Fedora Core 11 and am trying to setup httpd to allow UserDir in ~foo/public_html. I cannot seem to access foo's home page index.html, I am getting

Quote:

403 Forbidden
You don't have permission to access /~foo/index.html on this server.

The index.html in /var/www/html works fine and all permissions on foo's home directory allow apache to read the file index.html.

Here are relevant pieces of httpd.conf:

Quote:

Listen 8080

<IfModule mod_userdir.c>
UserDir public_html
</IfModule>

<Directory /home/*/public_html>
AllowOverride All
</Directory>

DirectoryIndex index.html index.html.var

Here is the output in the error log:

Quote:

[Sun Jul 19 14:17:50 2009] [error] [client ::1] (13)Permission denied: file permissions deny server access: /home/foo/public_html/index.html

Here are the permissions of all of the relevant files:

Quote:

[foo@myhost ~]$ ll -d / /home /home/foo /home/foo/public_html /home/foo/public_html/index.html
drwxr-xr-x. 28 root root 4096 2009-07-18 09:51 /
drwxr-xr-x. 4 root root 4096 2009-07-19 13:48 /home
drwxr-xr-x. 6 foo foo 4096 2009-07-19 14:12 /home/foo
drwxr-xr-x. 2 foo foo 4096 2009-07-19 14:07 /home/foo/public_html
-rw-rw-r--. 1 foo foo 208 2009-07-19 14:07 /home/foo/public_html/index.html

The url that I am using is:

Quote:

http://localhost:8080/~foo/

if I become the apache user I can access the file:

Quote:

[root@myhost foo]# su - apache
[apache@myhost ~]$ cat /home/foo/public_html/index.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>Foo's Home Page</title>
</head><body>
<h1>Foo's Home Page</h1>
<p>This is Foo's Home Page.</p>
<hr>
<address></address>
</body></html>

If I do an strace of the httpd process(es) I get:

Quote:

stat64("/home/foo/public_html/index.html", {st_mode=S_IFREG|0664, st_size=208, ...}) = 0
open("/home/foo/public_html/index.html", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)

The httpd processes are owned by apache.

Clearly the user apache has permission to read the file, httpd is set correctly to read index.html and the url is finding the right file. It just seems that the httpd process has no permission to access it.

So what am I missing here?

Any hints or help would really be appreciated.

Thanks.

bathory · 07-19-2009, 04:57 PM

I guess it's a SELinux permissions problem.

unSpawn · 07-19-2009, 07:11 PM

Quote:

Originally Posted by bathory

I guess it's a SELinux permissions problem.

If that's the case then Setroubleshoot (or what they use now in F11?) or /var/log/audit/audit.log should show, or try as root: 'getsebool httpd_enable_homedirs'. If it's off turn it on with 'setsebool -P httpd_enable_homedirs=on'.

hokie92grad · 07-20-2009, 07:54 AM

Thank you, that sounds like it might work, I will try that tonight....

hokie92grad · 07-20-2009, 07:47 PM

Looks like that is not the issue:

Quote:

httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_execmem --> off
httpd_ssi_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off

chrism01 · 07-20-2009, 08:07 PM

Try

ls -Z

on the dir. It's prob not classified by SELinux as httpd_sys_content_t.
You can add that using

semanage fcontext -a -t httpd_sys_content_t '/home/foo/public_html(/.*)?'

and run

ls -Z

again.
http://www.linuxtopia.org/online_boo..._Problems.html

unSpawn · 07-20-2009, 08:16 PM

...or else octal 0755 might be too much: try 'chmod 0711 /home/foo/'?

hokie92grad · 07-20-2009, 11:06 PM

Ok that worked. (Well a slight variation).

The semanage rule was already there for

Quote:

/home/[^/]*/((www)|(web)|(public_html)|(public_git))(/.+)? unconfined_u:object_r:httpd_user_content_t:s0

so I just needed to

Quote:

/sbin/restorecon -R -v /home/*/public_html

Time to read the SELinux manual...

thanks again.

Now off to find out why I can get to port 8080 locally and not from another machine on the network.

chrism01 · 07-20-2009, 11:40 PM

Quote:

Now off to find out why I can get to port 8080 locally and not from another machine on the network.

Probably the firewall (iptables), but best to start a new thread.

guzabi · 10-20-2010, 03:04 AM

On my CentOS 5.5 box, I also had to do this, otherwise it would absolutely not work :

Code:

# /usr/sbin/setsebool -P httpd_read_user_content on

NB : The /usr/bin prefix is just because my PATH does not encompass this dir, I still have to work on it...