Drupal installed on CentOS 6.2 with Apache (permissions problem)
I need some help in setting permissions on a CentOS 6.2 server running Apache from the channel.
Presently, the current directory for Drupal has the permissions listed below. It has 755 on it; however, with Drupal it needs 750 on the directory to prevent access to sub-directories on the server. Here is a link from Drupal on security: http://drupal.org/node/244924

By default when I created the directory it had 755 on it. I changed the sub-directories to 751; however, this breaks Drupal.

Code:
[root@www www]# pwd
/var/www
[root@www www]# ls -lad webdata
drwxr-xr-x. 10 web01 web01 4096 Feb  1 10:26 webdata

When I change the permissions on the webdata directory to 750 I receive this error:

Quote:
Forbidden
You don't have permission to access / on this server.

The company building the website is running Debian and their permissions on this directory are 750. Can anyone shed any light on this and/or have installed/secured Drupal on RHEL/CentOS servers before?

When I change the webdata directory back to 755 it works fine as it did in the beginning; however, the sub-directories that include themes, modules, profiles, includes, scripts, etc. are exposed since they are 755. Changing them to 751 breaks Drupal, causing it to lose the theme. How is the Debian server running 750 on the directory and not failing??? I am at a loss on what to do. Any help/advice would be greatly appreciated.

Below is the only configuration that seems to work; however, it exposes directories:

Code:
[root@www www]# pwd;ls -lad webdata
/var/www
drwxr-xr-x. 10 web01 web01 4096 Feb  1 10:26 webdata
[root@www webdata]# ls -lad *
-rw-r--r--.  1 web01 web01  746 Jun  8  2011 cron.php
drwxr-xr-x.  4 web01 web01 4096 Jan 30 15:59 includes
-rw-r--r--.  1 web01 web01  550 Jun  8  2011 index.php
drwxr-xr-x.  4 web01 web01 4096 Jan 30 15:59 misc
drwxr-xr-x. 56 web01 web01 4096 Feb  1 10:45 modules
drwxr-xr-x.  5 web01 web01 4096 Jan 30 15:59 profiles
-rw-r--r--.  1 web01 web01 1537 Jun  8  2011 robots.txt
drwxr-xr-x.  2 web01 web01 4096 Jan 30 15:59 scripts
drwxr-xr-x.  4 web01 web01 4096 Jan 30 15:59 sites
drwxr-xr-x.  9 web01 web01 4096 Jan 30 15:59 themes
drwxr-xr-x.  2 web01 web01 4096 Jan 30 15:59 tutorial |
What user/group is running your Apache server?
It usually is www-data. If this is the case then you need to change the group of files and directories to www-data, for the 750 to work. |
I am running CentOS 6.2 (I did a yum install httpd and the rest of the dependencies).
On other servers I have chown'd the directory to where you could ftp to the directory with a regular user account. I believe it is apache; when I do a top I see this:

Code:
[root@www webdata]# id apache
uid=48(apache) gid=48(apache) groups=48(apache)
[root@www webdata]# cat /etc/passwd|grep apache
apache:x:48:48:Apache:/var/www:/sbin/nologin

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 4788 apache    20   0  349m 6408 1228 S  0.0  0.3   0:00.00 httpd
 4789 apache    20   0  374m  65m  35m S  0.0  3.3   0:00.79 httpd
 4790 apache    20   0  354m  33m  22m S  0.0  1.6   0:00.27 httpd
 4791 apache    20   0  349m 6404 1224 S  0.0  0.3   0:00.00 httpd
 4792 apache    20   0  354m  33m  22m S  0.0  1.6   0:00.28 httpd
 4793 apache    20   0  349m 6408 1228 S  0.0  0.3   0:00.00 httpd
 4794 apache    20   0  354m  26m  16m S  0.0  1.3   0:00.16 httpd
 4795 apache    20   0  354m  33m  22m S  0.0  1.7   0:00.27 httpd
 4798 apache    20   0  349m 6404 1224 S  0.0  0.3   0:00.00 httpd
 4799 apache    20   0  349m 6404 1224 S  0.0  0.3   0:00.00 httpd
 4800 apache    20   0  349m 6404 1224 S  0.0  0.3   0:00.00 httpd

So would I need to rename the directory www-data and change the group/owner? I created a user of web01 and chown -R web01:web01 /var/www/webdata. I am open to any ideas to secure the server. I would like to make it work with 750 (but I get permission denied)... otherwise when you go to the server you can do www.sitename.com/modules and list everything. If I change the /var/www/ (webdata) directory I get permission denied, but from Drupal it says to change it to this? |
If it is working with the 755, just change the group to apache:
Code:
chgrp -R apache /var/www/webdata/

or

Code:
chown -R web01:apache /var/www/webdata/ |
Would Apache run with the 750 permissions on the /var/www/webdata directory?
Presently this directory has 755 and it exposes all of the contents like /modules etc. |
If your output looked something like this
Quote:
|
I did the command:
Code:
[root@www www]# chown -R web01:apache /var/www/webdata/
[root@www www]# pwd;ls -lad webdata
/var/www
drwxr-x---. 10 web01 apache 4096 Feb  1 10:26 webdata

However, I can still view the contents of www.servername.com/modules

Code:
[root@www www]# cd webdata
[root@www webdata]# ls -lad *
-rw-r--r--.  1 web01 apache  746 Jun  8  2011 cron.php
drwxr-xr-x.  4 web01 apache 4096 Jan 30 15:59 includes
-rw-r--r--.  1 web01 apache  550 Jun  8  2011 index.php
drwxr-xr-x.  4 web01 apache 4096 Jan 30 15:59 misc
drwxr-xr-x. 56 web01 apache 4096 Feb  1 10:45 modules
drwxr-xr-x.  5 web01 apache 4096 Jan 30 15:59 profiles
-rw-r--r--.  1 web01 apache 1537 Jun  8  2011 robots.txt
drwxr-xr-x.  2 web01 apache 4096 Jan 30 15:59 scripts
drwxr-xr-x.  4 web01 apache 4096 Jan 30 15:59 sites
drwxr-xr-x.  9 web01 apache 4096 Jan 30 15:59 themes
drwxr-xr-x.  2 web01 apache 4096 Jan 30 15:59 tutorial
-rw-r--r--.  1 web01 apache  435 Jun  8  2011 xmlrpc.php

I have read through this entire page: http://drupal.org/node/244924 and am still perplexed |
Where is the .htaccess file that is supposed to be in the Drupal install?
And the permissions for your files still have read (and some execute) permissions set. So you still need to change the permissions to 750. |
So would I need to set the permissions on the files inside the /var/www/webdata directory to 750 as well? The only .htaccess I know of is in the /etc/httpd/conf (httpd.conf) file, so change these to 750 in here?

Code:
[root@www webdata]# ls -lad *
-rw-r--r--.  1 web01 apache  746 Jun  8  2011 cron.php
drwxr-xr-x.  4 web01 apache 4096 Jan 30 15:59 includes
-rw-r--r--.  1 web01 apache  550 Jun  8  2011 index.php
drwxr-xr-x.  4 web01 apache 4096 Jan 30 15:59 misc
drwxr-xr-x. 56 web01 apache 4096 Feb  1 10:45 modules
drwxr-xr-x.  5 web01 apache 4096 Jan 30 15:59 profiles
-rw-r--r--.  1 web01 apache 1537 Jun  8  2011 robots.txt
drwxr-xr-x.  2 web01 apache 4096 Jan 30 15:59 scripts
drwxr-xr-x.  4 web01 apache 4096 Jan 30 15:59 sites
drwxr-xr-x.  9 web01 apache 4096 Jan 30 15:59 themes
drwxr-xr-x.  2 web01 apache 4096 Jan 30 15:59 tutorial
-rw-r--r--.  1 web01 apache  435 Jun  8  2011 xmlrpc.php |
Yes, the rest of the files/directories would need to have the same permissions.
There should have been a .htaccess file that came with your Drupal install; it is set up to stop web access to certain directories, and do other useful things. |
I did a locate on .htaccess and it is here:
Code:
/var/www/webdata/.htaccess
/var/www/webdata/sites/default/files/.htaccess

I will chmod 750 the rest of the directories under /var/www/webdata |
I did chmod 750 on the rest of the sub-directories; however, it still allows viewing access to /var/www/webdata/modules

Code:
[root@www webdata]# ls -lad *
-rw-r--r--.  1 web01 apache  746 Jun  8  2011 cron.php
drwxr-x---.  4 web01 apache 4096 Jan 30 15:59 includes
-rw-r--r--.  1 web01 apache  550 Jun  8  2011 index.php
drwxr-x---.  4 web01 apache 4096 Jan 30 15:59 misc
drwxr-x---. 56 web01 apache 4096 Feb  1 10:45 modules
drwxr-x---.  5 web01 apache 4096 Jan 30 15:59 profiles
-rw-r--r--.  1 web01 apache 1537 Jun  8  2011 robots.txt
drwxr-x---.  2 web01 apache 4096 Jan 30 15:59 scripts
drwxr-x---.  4 web01 apache 4096 Jan 30 15:59 sites
drwxr-x---.  9 web01 apache 4096 Jan 30 15:59 themes
drwxr-x---.  2 web01 apache 4096 Jan 30 15:59 tutorial
-rw-r--r--.  1 web01 apache  435 Jun  8  2011 xmlrpc.php |
So the 750 was to keep other users of the system out of the code.
Now you need the .htaccess file that ships with Drupal to cover the web side. Since the web server has access to the directory, whoever uses the web server through a browser will also have access, unless there are rules set in place to tell the web server not to allow permission to those areas. If need be, download a copy of Drupal to another directory and copy the .htaccess to the /var/www/webdata/ directory. |
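The scheme the replies converge on (owner web01, group apache, directories 750), written out as a script with an audit step. This is an added example, not code from the thread or from drupal.org; it assumes the owner and group names are passed as arguments, and follows the linked drupal.org/node/244924 in giving files 640 and keeping sites/*/files group-writable so Apache can still write uploads.

```shell
#!/bin/sh
# Added example (not from the thread): apply owner/group and the 750 directory
# mode to a Drupal docroot, then audit for anything still readable by "other".
# Files get 640 and the upload tree sites/*/files stays group-writable (770/660),
# as the linked drupal.org/node/244924 recommends.
# Usage: apply_drupal_perms /var/www/webdata web01 apache

apply_drupal_perms() {
    root=$1 owner=${2:-web01} group=${3:-apache}
    chown -R "$owner:$group" "$root" || return 1
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +
    # Apache (a group member) must write uploads, so relax only the files tree.
    for files in "$root"/sites/*/files; do
        [ -d "$files" ] || continue
        find "$files" -type d -exec chmod 770 {} +
        find "$files" -type f -exec chmod 660 {} +
    done
}

# List every path under $1 that grants read to "other" (the bit that exposed
# /modules to every local user); exit status 1 if any are found.
audit_world_readable() {
    leaks=$(find "$1" -perm -004)
    [ -z "$leaks" ] && return 0
    printf '%s\n' "$leaks"
    return 1
}
```

Run the audit again after any module or theme update, since unpacked archives usually arrive as 755/644.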
Inside of this directory on the server:
Code:
[root@www webdata]# pwd;ls -lash .htaccess
/var/www/webdata
8.0K -rw-r--r--. 1 web01 apache 5.3K Jun  8  2011 .htaccess

would this be the one? |
Code:
[root@www webdata]# cat .htaccess
#
# Apache/PHP/Drupal settings:
#

# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$">
  Order allow,deny
</FilesMatch>

# Don't show directory listings for URLs which map to a directory.
Options -Indexes

# Follow symbolic links in this directory.
Options +FollowSymLinks

# Make Drupal handle any 404 errors.
ErrorDocument 404 /index.php

# Force simple error message for requests for non-existent favicon.ico.
<Files favicon.ico>
  # There is no end quote below, for compatibility with Apache 1.3.
  ErrorDocument 404 "The requested file favicon.ico was not found.
</Files>

# Set the default handler.
DirectoryIndex index.php index.html index.htm

# Override PHP settings that cannot be changed at runtime. See
# sites/default/default.settings.php and drupal_initialize_variables() in
# includes/bootstrap.inc for settings that can be changed at runtime.

# PHP 5, Apache 1 and 2.
<IfModule mod_php5.c>
  php_flag magic_quotes_gpc                 off
  php_flag magic_quotes_sybase              off
  php_flag register_globals                 off
  php_flag session.auto_start               off
  php_value mbstring.http_input             pass
  php_value mbstring.http_output            pass
  php_flag mbstring.encoding_translation    off
</IfModule>

# Requires mod_expires to be enabled.
<IfModule mod_expires.c>
  # Enable expirations.
  ExpiresActive On

  # Cache all files for 2 weeks after access (A).
  ExpiresDefault A1209600

  <FilesMatch \.php$>
    # Do not allow PHP scripts to be cached unless they explicitly send cache
    # headers themselves. Otherwise all scripts would have to overwrite the
    # headers set by mod_expires if they want another caching behavior. This may
    # fail if an error occurs early in the bootstrap process, and it may cause
    # problems if a non-Drupal PHP file is installed in a subdirectory.
    ExpiresActive Off
  </FilesMatch>
</IfModule>

# Various rewrite rules.
<IfModule mod_rewrite.c>
  RewriteEngine on

  # Block access to "hidden" directories whose names begin with a period. This
  # includes directories used by version control systems such as Subversion or
  # Git to store control files. Files whose names begin with a period, as well
  # as the control files used by CVS, are protected by the FilesMatch directive
  # above.
  #
  # NOTE: This only works when mod_rewrite is loaded. Without mod_rewrite, it is
  # not possible to block access to entire directories from .htaccess, because
  # <DirectoryMatch> is not allowed here.
  #
  # If you do not have mod_rewrite installed, you should remove these
  # directories from your webroot or otherwise protect them from being
  # downloaded.
  RewriteRule "(^|/)\." - [F]

  # If your site can be accessed both with and without the 'www.' prefix, you
  # can use one of the following settings to redirect users to your preferred
  # URL, either WITH or WITHOUT the 'www.' prefix. Choose ONLY one option:
  #
  # To redirect all users to access the site WITH the 'www.' prefix,
  # (http://example.com/... will be redirected to http://www.example.com/...)
  # uncomment the following:
  # RewriteCond %{HTTP_HOST} !^www\. [NC]
  # RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
  #
  # To redirect all users to access the site WITHOUT the 'www.' prefix,
  # (http://www.example.com/... will be redirected to http://example.com/...)
  # uncomment the following:
  # RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
  # RewriteRule ^ http://%1%{REQUEST_URI} [L,R=301]

  # Modify the RewriteBase if you are using Drupal in a subdirectory or in a
  # VirtualDocumentRoot and the rewrite rules are not working properly.
  # For example if your site is at http://example.com/drupal uncomment and
  # modify the following line:
  # RewriteBase /drupal
  #
  # If your site is running in a VirtualDocumentRoot at http://example.com/,
  # uncomment the following line:
  # RewriteBase /

  # Pass all requests not referring directly to files in the filesystem to
  # index.php. Clean URLs are handled in drupal_environment_initialize().
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_URI} !=/favicon.ico
  RewriteRule ^ index.php [L]

  # Rules to correctly serve gzip compressed CSS and JS files.
  # Requires both mod_rewrite and mod_headers to be enabled.
  <IfModule mod_headers.c>
    # Serve gzip compressed CSS files if they exist and the client accepts gzip.
    RewriteCond %{HTTP:Accept-encoding} gzip
    RewriteCond %{REQUEST_FILENAME}\.gz -s
    RewriteRule ^(.*)\.css $1\.css\.gz [QSA]

    # Serve gzip compressed JS files if they exist and the client accepts gzip.
    RewriteCond %{HTTP:Accept-encoding} gzip
    RewriteCond %{REQUEST_FILENAME}\.gz -s
    RewriteRule ^(.*)\.js $1\.js\.gz [QSA]

    # Serve correct content types, and prevent mod_deflate double gzip.
    RewriteRule \.css\.gz$ - [T=text/css,E=no-gzip:1]
    RewriteRule \.js\.gz$ - [T=text/javascript,E=no-gzip:1]

    <FilesMatch "(\.js\.gz|\.css\.gz)$">
      # Serve correct encoding type.
      Header append Content-Encoding gzip
      # Force proxies to cache gzipped & non-gzipped css/js files separately.
      Header append Vary Accept-Encoding
    </FilesMatch>
  </IfModule>
</IfModule> |
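Two checks for the .htaccess posted above, added here as an example (not from the thread or from Drupal). The first lists the AllowOverride setting of each <Directory> block in an httpd.conf, because Apache ignores .htaccess in any directory whose block says AllowOverride None, so the posted Options -Indexes does nothing until the override is granted; the second applies the posted FilesMatch pattern and hidden-path RewriteRule to a request path to show what those two rules cover. The function names and the config path are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Check 1: Apache ignores .htaccess wherever
# the matching <Directory> block has "AllowOverride None", so list each block's
# setting. Check 2: apply the posted FilesMatch and "(^|/)\." rules to a path;
# what they do not cover (e.g. /modules/README.txt) is left to Options -Indexes.

list_allowoverride() {        # usage: list_allowoverride /etc/httpd/conf/httpd.conf
    awk '
      /^[[:space:]]*<Directory/    { gsub(/[<>"]/, ""); dir = $2; ov = "(not set)" }
      /^[[:space:]]*AllowOverride/ { ov = $2 }
      /^[[:space:]]*<\/Directory>/ { print dir, ov }
    ' "$1"
}

# Pattern copied from the posted .htaccess; FilesMatch tests the basename only.
DRUPAL_FILESMATCH='\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$'

# Exit 0 when the request path would be refused by those two rules, 1 otherwise.
drupal_rule_blocks() {
    path=${1#/}                   # per-directory rewrites see no leading slash
    base=${path##*/}
    printf '%s' "$path" | grep -Eq '(^|/)\.' && return 0     # RewriteRule "(^|/)\." - [F]
    printf '%s' "$base" | grep -Eq -e "$DRUPAL_FILESMATCH" && return 0
    return 1
}
```

A "(not set)" result means the block inherits the setting of its nearest enclosing <Directory>, so read the list from / downward.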