LinuxQuestions.org
Old 07-19-2009, 02:01 PM   #1
hokie92grad
LQ Newbie
 
Registered: May 2009
Location: Virginia
Posts: 11

Rep: Reputation: 0
apache UserDir index.html permission denied


I am somewhat stumped here. I have just installed Fedora Core 11 and am trying to set up httpd to allow UserDir in ~foo/public_html. I cannot seem to access foo's home page index.html; I am getting
Quote:
403 Forbidden
You don't have permission to access /~foo/index.html on this server.
The index.html in /var/www/html works fine and all permissions on foo's home directory allow apache to read the file index.html.

Here are relevant pieces of httpd.conf:

Quote:
Listen 8080

<IfModule mod_userdir.c>
UserDir public_html
</IfModule>

<Directory /home/*/public_html>
AllowOverride All
</Directory>

DirectoryIndex index.html index.html.var
Here is the output in the error log:
Quote:
[Sun Jul 19 14:17:50 2009] [error] [client ::1] (13)Permission denied: file permissions deny server access: /home/foo/public_html/index.html
Here are the permissions of all of the relevant files:
Quote:
[foo@myhost ~]$ ll -d / /home /home/foo /home/foo/public_html /home/foo/public_html/index.html
drwxr-xr-x. 28 root root 4096 2009-07-18 09:51 /
drwxr-xr-x. 4 root root 4096 2009-07-19 13:48 /home
drwxr-xr-x. 6 foo foo 4096 2009-07-19 14:12 /home/foo
drwxr-xr-x. 2 foo foo 4096 2009-07-19 14:07 /home/foo/public_html
-rw-rw-r--. 1 foo foo 208 2009-07-19 14:07 /home/foo/public_html/index.html
The url that I am using is:
If I become the apache user I can access the file:
Quote:
[root@myhost foo]# su - apache
[apache@myhost ~]$ cat /home/foo/public_html/index.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>Foo's Home Page</title>
</head><body>
<h1>Foo's Home Page</h1>
<p>This is Foo's Home Page.</p>
<hr>
<address></address>
</body></html>
If I do an strace of the httpd process(es) I get:
Quote:
stat64("/home/foo/public_html/index.html", {st_mode=S_IFREG|0664, st_size=208, ...}) = 0
open("/home/foo/public_html/index.html", O_RDONLY|O_LARGEFILE) = -1 EACCES (Permission denied)
The httpd processes are owned by apache.


Clearly the user apache has permission to read the file, httpd is set correctly to read index.html and the url is finding the right file. It just seems that the httpd process has no permission to access it.

So what am I missing here?

Any hints or help would really be appreciated.

Thanks.
 
Old 07-19-2009, 04:57 PM   #2
bathory
Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 10,894

Rep: Reputation: 1322
I guess it's a SELinux permissions problem.
 
Old 07-19-2009, 07:11 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,984
Blog Entries: 54

Rep: Reputation: 2742
Quote:
Originally Posted by bathory
I guess it's a SELinux permissions problem.
If that's the case then Setroubleshoot (or what they use now in F11?) or /var/log/audit/audit.log should show, or try as root: 'getsebool httpd_enable_homedirs'. If it's off turn it on with 'setsebool -P httpd_enable_homedirs=on'.
 
Old 07-20-2009, 07:54 AM   #4
hokie92grad
LQ Newbie
 
Registered: May 2009
Location: Virginia
Posts: 11

Original Poster
Rep: Reputation: 0
Thank you, that sounds like it might work, I will try that tonight....
 
Old 07-20-2009, 07:47 PM   #5
hokie92grad
LQ Newbie
 
Registered: May 2009
Location: Virginia
Posts: 11

Original Poster
Rep: Reputation: 0
Looks like that is not the issue:

Quote:
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_execmem --> off
httpd_ssi_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off
 
Old 07-20-2009, 08:07 PM   #6
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,226

Rep: Reputation: 2022
Try

ls -Z

on the dir. It's prob not classified by SELinux as httpd_sys_content_t.
You can add that using

semanage fcontext -a -t httpd_sys_content_t '/home/foo/public_html(/.*)?'

and run

ls -Z

again.
http://www.linuxtopia.org/online_boo..._Problems.html
 
Old 07-20-2009, 08:16 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,984
Blog Entries: 54

Rep: Reputation: 2742
...or else octal 0755 might be too much: try 'chmod 0711 /home/foo/'?
 
Old 07-20-2009, 11:06 PM   #8
hokie92grad
LQ Newbie
 
Registered: May 2009
Location: Virginia
Posts: 11

Original Poster
Rep: Reputation: 0
Ok that worked. (Well a slight variation).

The semanage rule was already there for
Quote:
/home/[^/]*/((www)|(web)|(public_html)|(public_git))(/.+)? unconfined_u:object_r:httpd_user_content_t:s0
so I just needed to
Quote:
/sbin/restorecon -R -v /home/*/public_html
Time to read the SELinux manual...

thanks again.

Now off to find out why I can get to port 8080 locally and not from another machine on the network.

Last edited by hokie92grad; 07-21-2009 at 08:03 AM. Reason: It's just annoying to have a smiley where there shouldn't be one.
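
An added example, not part of the thread: the EACCES in the strace despite readable mode bits, the audit.log hint in post #3 and the restorecon fix in post #8 all point at an SELinux label mismatch. This sh/awk sketch pulls httpd AVC denials out of audit.log text and flags targets whose type differs from the `httpd_user_content_t` that the fcontext rule assigns; the log lines, the `user_home_t` label and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find httpd AVC denials caused by a
# wrong SELinux file label rather than by mode bits or a missing boolean.

# Type the fcontext rule quoted in post #8 assigns to public_html content.
EXPECTED_TYPE="httpd_user_content_t"

# Constructed sample audit.log records (assumed values, not real log data).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1248027470.101:311): avc:  denied  { read } for  pid=2301 comm="httpd" name="index.html" dev=dm-0 ino=131234 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1248027470.101:311): arch=40000003 syscall=5 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1248027470.230:312): avc:  denied  { getattr } for  pid=2301 comm="httpd" name="index.html" dev=dm-0 ino=131234 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1248027480.007:313): avc:  denied  { write } for  pid=2301 comm="httpd" name="notes.txt" dev=dm-0 ino=131240 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=file
type=AVC msg=audit(1248027490.500:314): avc:  denied  { read } for  pid=2410 comm="sendmail" name="dead.letter" dev=dm-0 ino=131300 scontext=system_u:system_r:sendmail_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Read audit.log text on stdin; print "permission(s) name target_type"
# for every AVC denial raised against the httpd process.
httpd_denials() {
    awk '
    /^type=AVC / && /avc: +denied/ && /comm="httpd"/ {
        perm = name = ttype = ""
        if (match($0, /[{] [^}]* [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/) { name = $i; sub(/^name=/, "", name); gsub(/"/, "", name) }
            # tcontext is user:role:type:level, so the type is the third part
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        }
        print perm, name, ttype
    }'
}

# Keep only denials whose target carries a type other than the expected one;
# those are candidates for a relabel. Denials on correctly labelled files
# (the write to notes.txt above) are a policy question, not a label problem.
mislabeled_targets() {
    httpd_denials |
        awk -v want="$EXPECTED_TYPE" \
            '$NF != want { print $(NF-1) " is " $NF ", policy expects " want }' |
        sort -u
}

sample_audit_log | mislabeled_targets
```

On a live host, feed the functions /var/log/audit/audit.log as root instead of the sample; `restorecon -n -v` on a reported path previews the relabel without changing anything.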
 
Old 07-20-2009, 11:40 PM   #9
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,226

Rep: Reputation: 2022
Quote:
Now off to find out why I can get to port 8080 locally and not from another machine on the network.
Probably the firewall (iptables), but best to start a new thread.
 
Old 10-20-2010, 03:04 AM   #10
guzabi
LQ Newbie
 
Registered: Apr 2010
Location: Belgium
Distribution: Gentoo/CentOS
Posts: 10

Rep: Reputation: 0
On my CentOS 5.5 box, I also had to do this, otherwise it would absolutely not work:
Code:
# /usr/sbin/setsebool -P httpd_read_user_content on
NB: The /usr/bin prefix is just because my PATH does not encompass this dir, I still have to work on it...
 
  


Tags
fc11, httpd, publichtml, selinux

