LinuxQuestions.org
Old 02-01-2012, 05:44 PM   #1
rhbegin
Member
 
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381

Rep: Reputation: 23
Question Drupal installed on CentOS 6.2 with Apache (permissions problem)


I need some help in setting permissions on a CentOS 6.2 server running Apache from the channel.

Presently, the current directory for Drupal has these permissions on the directory listed below. It has 755 on it, however with Drupal it needs 750 on the directory to prevent access to sub-directories on the server.

Here is a link from Drupal on Security:
http://drupal.org/node/244924



By default when I created the directory it has 755 on it. I changed the sub-directories to 751, however this breaks Drupal.

pwd
/var/www
[root@www www]# ls -lad webdata
drwxr-xr-x. 10 web01 web01 4096 Feb 1 10:26 webdata

When I change the permissions on the webdata directory to 750 I receive this error:

Forbidden

You don't have permission to access / on this server.


The company building the website is running Debian and their permissions on this directory are 750.

Can anyone shed any light on this and/or have installed/secured Drupal on RHEL/CentOS Servers before?

When I change the webdata directory back to 755 it works fine as it did in the beginning, however the sub-directories that include 'themes, modules, profiles, includes, scripts etc. are exposed since they are 755. Changing them to 751 breaks Drupal causing it to lose the theme. How is the Debian server running 750 on the directory and not failing???

I am at a loss on what to do.

Any help/advice would be greatly appreciated. Below is the only configuration that seems to work; however, it exposes directories.


[root@www www]# pwd;ls -lad webdata
/var/www
drwxr-xr-x. 10 web01 web01 4096 Feb 1 10:26 webdata


[root@www webdata]# ls -lad *
-rw-r--r--. 1 web01 web01 746 Jun 8 2011 cron.php
drwxr-xr-x. 4 web01 web01 4096 Jan 30 15:59 includes
-rw-r--r--. 1 web01 web01 550 Jun 8 2011 index.php
drwxr-xr-x. 4 web01 web01 4096 Jan 30 15:59 misc
drwxr-xr-x. 56 web01 web01 4096 Feb 1 10:45 modules
drwxr-xr-x. 5 web01 web01 4096 Jan 30 15:59 profiles
-rw-r--r--. 1 web01 web01 1537 Jun 8 2011 robots.txt
drwxr-xr-x. 2 web01 web01 4096 Jan 30 15:59 scripts
drwxr-xr-x. 4 web01 web01 4096 Jan 30 15:59 sites
drwxr-xr-x. 9 web01 web01 4096 Jan 30 15:59 themes
drwxr-xr-x. 2 web01 web01 4096 Jan 30 15:59 tutorial

Last edited by rhbegin; 02-01-2012 at 05:50 PM. Reason: Debian server has 750 on the directory...
 
Old 02-01-2012, 05:58 PM   #2
brentaar
LQ Newbie
 
Registered: Dec 2011
Location: Portland, OR
Distribution: Fedora 16, Ubuntu 10.04
Posts: 21
Blog Entries: 1

Rep: Reputation: Disabled
What user/group is running your Apache server?

It usually is www-data.
If this is the case then you need to change the group of files and directories to www-data, for the 750 to work.

Last edited by brentaar; 02-01-2012 at 06:00 PM.
 
Old 02-01-2012, 06:03 PM   #3
rhbegin
Member
 
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381

Original Poster
Rep: Reputation: 23
I am running CentOS 6.2 (I did a yum install httpd and the rest of the dependencies).

On other servers I have chown'd the directory to where you could ftp to the directory with a regular user account.

I believe it is apache; when I do a top I see this:

[root@www webdata]# id apache
uid=48(apache) gid=48(apache) groups=48(apache)

[root@www webdata]# cat /etc/passwd|grep apache
apache:x:48:48:Apache:/var/www:/sbin/nologin

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
4788 apache 20 0 349m 6408 1228 S 0.0 0.3 0:00.00 httpd
4789 apache 20 0 374m 65m 35m S 0.0 3.3 0:00.79 httpd
4790 apache 20 0 354m 33m 22m S 0.0 1.6 0:00.27 httpd
4791 apache 20 0 349m 6404 1224 S 0.0 0.3 0:00.00 httpd
4792 apache 20 0 354m 33m 22m S 0.0 1.6 0:00.28 httpd
4793 apache 20 0 349m 6408 1228 S 0.0 0.3 0:00.00 httpd
4794 apache 20 0 354m 26m 16m S 0.0 1.3 0:00.16 httpd
4795 apache 20 0 354m 33m 22m S 0.0 1.7 0:00.27 httpd
4798 apache 20 0 349m 6404 1224 S 0.0 0.3 0:00.00 httpd
4799 apache 20 0 349m 6404 1224 S 0.0 0.3 0:00.00 httpd
4800 apache 20 0 349m 6404 1224 S 0.0 0.3 0:00.00 httpd


so would I need to rename the directory www-data

and change the group/owner?

I created a user of web01 and chown -R web01:web01 /var/www/webdata

I am open to any ideas to secure the server

I would like to make it work with 750 (but I get permission denied)...

otherwise when you go to the server you can do www.sitename.com/modules and list everything

If I change the /var/www/ (webdata) directory I get permission denied, but from Drupal it says to change it to this?

Last edited by rhbegin; 02-01-2012 at 06:09 PM. Reason: apache group id
 
Old 02-01-2012, 06:10 PM   #4
brentaar
LQ Newbie
 
Registered: Dec 2011
Location: Portland, OR
Distribution: Fedora 16, Ubuntu 10.04
Posts: 21
Blog Entries: 1

Rep: Reputation: Disabled
If it is working with the 755, just change the group to apache

Code:
chgrp -R apache /var/www/webdata/
That'll change the group of webdata directory and everything under it to apache.
or
Code:
chown -R web01:apache /var/www/webdata/
Since the Apache server is running as the apache user it does not have access to the files unless they are a part of a group they have access to or the world has access.
 
1 members found this post helpful.
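
Why 750 gave Forbidden while the group was still web01, and why changing the group to apache fixes it, shown as an added example (not code from the thread). The kernel consults exactly one permission class per access: owner, else group, else other. Modes, owners and groups mirror the listings in this thread; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: which rwx bits apply to a user on a directory.
# Function names are illustrative; modes/owners mirror the thread's listings.

# perm_class OWNER GROUP USER "USER_GROUPS" -> owner | group | other
# Only the first matching class is consulted, never a union of classes.
perm_class() {
    if [ "$3" = "$1" ]; then echo owner; return; fi
    for g in $4; do
        if [ "$g" = "$2" ]; then echo group; return; fi
    done
    echo other
}

# triplet N -> rwx string for one octal digit (5 -> r-x)
triplet() {
    out=
    if [ $(( $1 & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    echo "$out"
}

# effective_access MODE OWNER GROUP USER "USER_GROUPS"
# MODE is three octal digits, e.g. 750. Root bypasses these checks; httpd
# workers run as an unprivileged user, so they do not.
effective_access() {
    case $(perm_class "$2" "$3" "$4" "$5") in
        owner) shift_by=6 ;;
        group) shift_by=3 ;;
        *)     shift_by=0 ;;
    esac
    triplet $(( (0$1 >> shift_by) & 7 ))
}

# Cases from the thread: httpd runs as user apache, whose only group is apache.
for case_ in "755 web01 web01" "750 web01 web01" "751 web01 web01" "750 web01 apache"; do
    set -- $case_
    printf '%s %s:%s -> apache gets %s\n' "$1" "$2" "$3" \
        "$(effective_access "$1" "$2" "$3" apache "apache")"
done
```

Without the x bit on a directory the apache user cannot enter it at all, which is what surfaces as the 403; r without x, or x without r, changes whether names can be listed versus files opened by path.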
Old 02-01-2012, 06:21 PM   #5
rhbegin
Member
 
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381

Original Poster
Rep: Reputation: 23
Would Apache run with the 750 permissions on the /var/www/webdata directory?

presently this directory has 755 and it exposes all of the contents like /modules etc.

Last edited by rhbegin; 02-01-2012 at 06:22 PM.
 
Old 02-01-2012, 06:24 PM   #6
brentaar
LQ Newbie
 
Registered: Dec 2011
Location: Portland, OR
Distribution: Fedora 16, Ubuntu 10.04
Posts: 21
Blog Entries: 1

Rep: Reputation: Disabled
If your output looked something like this
Quote:
[root@www www]# pwd;ls -lad webdata
/var/www
drwxr-xr-x. 10 web01 apache 4096 Feb 1 10:26 webdata


[root@www webdata]# ls -lad *
-rw-r--r--. 1 web01 apache 746 Jun 8 2011 cron.php
drwxr-xr-x. 4 web01 apache 4096 Jan 30 15:59 includes
-rw-r--r--. 1 web01 apache 550 Jun 8 2011 index.php
drwxr-xr-x. 4 web01 apache 4096 Jan 30 15:59 misc
drwxr-xr-x. 56 web01 apache 4096 Feb 1 10:45 modules
drwxr-xr-x. 5 web01 apache 4096 Jan 30 15:59 profiles
-rw-r--r--. 1 web01 apache 1537 Jun 8 2011 robots.txt
drwxr-xr-x. 2 web01 apache 4096 Jan 30 15:59 scripts
drwxr-xr-x. 4 web01 apache 4096 Jan 30 15:59 sites
drwxr-xr-x. 9 web01 apache 4096 Jan 30 15:59 themes
drwxr-xr-x. 2 web01 apache 4096 Jan 30 15:59 tutorial
with the group set to apache it should.
 
Old 02-01-2012, 06:29 PM   #7
rhbegin
Member
 
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381

Original Poster
Rep: Reputation: 23
I did the command:


[root@www www]# chown -R web01:apache /var/www/webdata/



pwd;ls -lad webdata
/var/www
drwxr-x---. 10 web01 apache 4096 Feb 1 10:26 webdata


However, I can still view the contents of www.servername.com/modules


[root@www www]# cd webdata
[root@www webdata]# ls -lad *
-rw-r--r--. 1 web01 apache 746 Jun 8 2011 cron.php
drwxr-xr-x. 4 web01 apache 4096 Jan 30 15:59 includes
-rw-r--r--. 1 web01 apache 550 Jun 8 2011 index.php
drwxr-xr-x. 4 web01 apache 4096 Jan 30 15:59 misc
drwxr-xr-x. 56 web01 apache 4096 Feb 1 10:45 modules
drwxr-xr-x. 5 web01 apache 4096 Jan 30 15:59 profiles
-rw-r--r--. 1 web01 apache 1537 Jun 8 2011 robots.txt
drwxr-xr-x. 2 web01 apache 4096 Jan 30 15:59 scripts
drwxr-xr-x. 4 web01 apache 4096 Jan 30 15:59 sites
drwxr-xr-x. 9 web01 apache 4096 Jan 30 15:59 themes
drwxr-xr-x. 2 web01 apache 4096 Jan 30 15:59 tutorial
-rw-r--r--. 1 web01 apache 435 Jun 8 2011 xmlrpc.php


I have read through this entire page:

http://drupal.org/node/244924

and still perplexed

Last edited by rhbegin; 02-01-2012 at 06:31 PM.
 
Old 02-01-2012, 06:33 PM   #8
brentaar
LQ Newbie
 
Registered: Dec 2011
Location: Portland, OR
Distribution: Fedora 16, Ubuntu 10.04
Posts: 21
Blog Entries: 1

Rep: Reputation: Disabled
Where is the .htaccess file that is supposed to be in the Drupal install?
And the permissions for your files still have read (and some execute) permissions set. So you still need to change the permissions to 750.
 
Old 02-01-2012, 06:35 PM   #9
rhbegin
Member
 
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381

Original Poster
Rep: Reputation: 23
So would I need to set the permissions on the files inside the

/var/www/webdata directory to 750 as well?

the only .htaccess I know of is in the /etc/httpd/conf (httpd.conf) file


so change these to 750 in here?


[root@www webdata]# ls -lad *
-rw-r--r--. 1 web01 apache 746 Jun 8 2011 cron.php
drwxr-xr-x. 4 web01 apache 4096 Jan 30 15:59 includes
-rw-r--r--. 1 web01 apache 550 Jun 8 2011 index.php
drwxr-xr-x. 4 web01 apache 4096 Jan 30 15:59 misc
drwxr-xr-x. 56 web01 apache 4096 Feb 1 10:45 modules
drwxr-xr-x. 5 web01 apache 4096 Jan 30 15:59 profiles
-rw-r--r--. 1 web01 apache 1537 Jun 8 2011 robots.txt
drwxr-xr-x. 2 web01 apache 4096 Jan 30 15:59 scripts
drwxr-xr-x. 4 web01 apache 4096 Jan 30 15:59 sites
drwxr-xr-x. 9 web01 apache 4096 Jan 30 15:59 themes
drwxr-xr-x. 2 web01 apache 4096 Jan 30 15:59 tutorial
-rw-r--r--. 1 web01 apache 435 Jun 8 2011 xmlrpc.php

Last edited by rhbegin; 02-01-2012 at 06:38 PM.
 
Old 02-01-2012, 06:40 PM   #10
brentaar
LQ Newbie
 
Registered: Dec 2011
Location: Portland, OR
Distribution: Fedora 16, Ubuntu 10.04
Posts: 21
Blog Entries: 1

Rep: Reputation: Disabled
Yes, the rest of the files/directories would need to have the same permissions.

There should have been a .htaccess file that came with your Drupal install and it is set up to stop web access to certain directories, and do other useful things.
 
Old 02-01-2012, 06:49 PM   #11
rhbegin
Member
 
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381

Original Poster
Rep: Reputation: 23
I did a locate on .htaccess and it is here:


/var/www/webdata/.htaccess
/var/www/webdata/sites/default/files/.htaccess


I will chmod 750 the rest of the directories under /var/www/webdata
 
Old 02-01-2012, 06:52 PM   #12
rhbegin
Member
 
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381

Original Poster
Rep: Reputation: 23
I did chmod 750 on the rest in the sub-directories

however it still allows viewing access to the /var/www/webdata/modules


[root@www webdata]# ls -lad *
-rw-r--r--. 1 web01 apache 746 Jun 8 2011 cron.php
drwxr-x---. 4 web01 apache 4096 Jan 30 15:59 includes
-rw-r--r--. 1 web01 apache 550 Jun 8 2011 index.php
drwxr-x---. 4 web01 apache 4096 Jan 30 15:59 misc
drwxr-x---. 56 web01 apache 4096 Feb 1 10:45 modules
drwxr-x---. 5 web01 apache 4096 Jan 30 15:59 profiles
-rw-r--r--. 1 web01 apache 1537 Jun 8 2011 robots.txt
drwxr-x---. 2 web01 apache 4096 Jan 30 15:59 scripts
drwxr-x---. 4 web01 apache 4096 Jan 30 15:59 sites
drwxr-x---. 9 web01 apache 4096 Jan 30 15:59 themes
drwxr-x---. 2 web01 apache 4096 Jan 30 15:59 tutorial
-rw-r--r--. 1 web01 apache 435 Jun 8 2011 xmlrpc.php
 
Old 02-01-2012, 07:00 PM   #13
brentaar
LQ Newbie
 
Registered: Dec 2011
Location: Portland, OR
Distribution: Fedora 16, Ubuntu 10.04
Posts: 21
Blog Entries: 1

Rep: Reputation: Disabled
So the 750 was to keep other users of the system out of the code.

Now you need the .htaccess file that ships with Drupal to cover the web side. Since the web server has access to the directory whoever uses the web server through a browser will also have access, unless there are rules set in place to tell the web server not to allow permission to those areas.

If need be download a copy of Drupal to another directory and copy the .htaccess to the /var/www/webdata/ directory
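
A check that goes with the advice above, as an added example (not code from the thread): Drupal's .htaccess carries `Options -Indexes`, but Apache only honours it when the `<Directory>` section covering the docroot has an `AllowOverride` that permits `Options` (or `All`). The httpd.conf excerpt is constructed sample data, not the poster's file, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: is "Options -Indexes" in a .htaccess file actually honoured?

# override_for CONF DOCROOT
# Print the AllowOverride value from the most specific plain-path <Directory>
# block containing DOCROOT. Wildcard and regex sections are not handled.
override_for() {
    awk -v root="$2/" '
        /^[ \t]*#/ { next }
        /^[ \t]*<Directory[ \t]/ {
            path = $2; gsub(/[">]/, "", path); sub(/\/$/, "", path)
            prefix = path "/"; inblock = 1; next
        }
        /^[ \t]*<\/Directory>/ { inblock = 0; next }
        inblock && tolower($1) == "allowoverride" {
            if (index(root, prefix) == 1 && length(prefix) >= best) {
                best = length(prefix)
                $1 = ""; sub(/^[ \t]+/, ""); value = $0
            }
        }
        END { print (value == "" ? "(unset)" : value) }
    ' "$1"
}

# indexes_off_effective CONF DOCROOT HTACCESS
# Succeeds only if HTACCESS turns Indexes off AND the config lets it.
# "(unset)" is treated as not verified: the built-in default differs
# between Apache 2.2 (All) and 2.4 (None).
indexes_off_effective() {
    grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$3" || return 1
    case " $(override_for "$1" "$2" | tr 'A-Z' 'a-z') " in
        *" all "*|*" options"*) return 0 ;;
        *) return 1 ;;
    esac
}

demo() {
    d=$(mktemp -d)
    # Constructed httpd.conf excerpt (weak setting) and one .htaccess line.
    cat > "$d/weak.conf" <<'EOF'
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/var/www/webdata">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
EOF
    # Corrected variant: let .htaccess override settings for the docroot only.
    sed '/webdata/,$ s/AllowOverride None/AllowOverride All/' "$d/weak.conf" > "$d/fixed.conf"
    echo 'Options -Indexes' > "$d/htaccess"
    for c in weak fixed; do
        if indexes_off_effective "$d/$c.conf" /var/www/webdata "$d/htaccess"
        then echo "$c: .htaccess honoured, listings off"
        else echo "$c: .htaccess ignored, listings follow httpd.conf"
        fi
    done
    rm -rf "$d"
}
demo
```

On a live server the equivalent manual check is to read the `<Directory>` sections in httpd.conf that cover the docroot; putting `Options -Indexes` directly in that section works regardless of `AllowOverride`.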
 
Old 02-01-2012, 07:02 PM   #14
rhbegin
Member
 
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381

Original Poster
Rep: Reputation: 23
Inside of this directory on the server:


[root@www webdata]# pwd;ls -lash .htaccess
/var/www/webdata
8.0K -rw-r--r--. 1 web01 apache 5.3K Jun 8 2011 .htaccess

would this be the one?
 
Old 02-01-2012, 07:07 PM   #15
rhbegin
Member
 
Registered: Oct 2003
Location: Arkansas, NWA
Distribution: Fedora/CentOS/SL6
Posts: 381

Original Poster
Rep: Reputation: 23
[root@www webdata]# cat .htaccess
#
# Apache/PHP/Drupal settings:
#

# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(\..*|Entries.*|Repository|Root|Tag|Template)$">
Order allow,deny
</FilesMatch>

# Don't show directory listings for URLs which map to a directory.
Options -Indexes

# Follow symbolic links in this directory.
Options +FollowSymLinks

# Make Drupal handle any 404 errors.
ErrorDocument 404 /index.php

# Force simple error message for requests for non-existent favicon.ico.
<Files favicon.ico>
# There is no end quote below, for compatibility with Apache 1.3.
ErrorDocument 404 "The requested file favicon.ico was not found.
</Files>

# Set the default handler.
DirectoryIndex index.php index.html index.htm

# Override PHP settings that cannot be changed at runtime. See
# sites/default/default.settings.php and drupal_initialize_variables() in
# includes/bootstrap.inc for settings that can be changed at runtime.

# PHP 5, Apache 1 and 2.
<IfModule mod_php5.c>
php_flag magic_quotes_gpc off
php_flag magic_quotes_sybase off
php_flag register_globals off
php_flag session.auto_start off
php_value mbstring.http_input pass
php_value mbstring.http_output pass
php_flag mbstring.encoding_translation off
</IfModule>

# Requires mod_expires to be enabled.
<IfModule mod_expires.c>
# Enable expirations.
ExpiresActive On

# Cache all files for 2 weeks after access (A).
ExpiresDefault A1209600

<FilesMatch \.php$>
# Do not allow PHP scripts to be cached unless they explicitly send cache
# headers themselves. Otherwise all scripts would have to overwrite the
# headers set by mod_expires if they want another caching behavior. This may
# fail if an error occurs early in the bootstrap process, and it may cause
# problems if a non-Drupal PHP file is installed in a subdirectory.
ExpiresActive Off
</FilesMatch>
</IfModule>

# Various rewrite rules.
<IfModule mod_rewrite.c>
RewriteEngine on

# Block access to "hidden" directories whose names begin with a period. This
# includes directories used by version control systems such as Subversion or
# Git to store control files. Files whose names begin with a period, as well
# as the control files used by CVS, are protected by the FilesMatch directive
# above.
#
# NOTE: This only works when mod_rewrite is loaded. Without mod_rewrite, it is
# not possible to block access to entire directories from .htaccess, because
# <DirectoryMatch> is not allowed here.
#
# If you do not have mod_rewrite installed, you should remove these
# directories from your webroot or otherwise protect them from being
# downloaded.
RewriteRule "(^|/)\." - [F]

# If your site can be accessed both with and without the 'www.' prefix, you
# can use one of the following settings to redirect users to your preferred
# URL, either WITH or WITHOUT the 'www.' prefix. Choose ONLY one option:
#
# To redirect all users to access the site WITH the 'www.' prefix,
# (http://example.com/... will be redirected to http://www.example.com/...)
# uncomment the following:
# RewriteCond %{HTTP_HOST} !^www\. [NC]
# RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
#
# To redirect all users to access the site WITHOUT the 'www.' prefix,
# (http://www.example.com/... will be redirected to http://example.com/...)
# uncomment the following:
# RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
# RewriteRule ^ http://%1%{REQUEST_URI} [L,R=301]

# Modify the RewriteBase if you are using Drupal in a subdirectory or in a
# VirtualDocumentRoot and the rewrite rules are not working properly.
# For example if your site is at http://example.com/drupal uncomment and
# modify the following line:
# RewriteBase /drupal
#
# If your site is running in a VirtualDocumentRoot at http://example.com/,
# uncomment the following line:
# RewriteBase /

# Pass all requests not referring directly to files in the filesystem to
# index.php. Clean URLs are handled in drupal_environment_initialize().
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^ index.php [L]

# Rules to correctly serve gzip compressed CSS and JS files.
# Requires both mod_rewrite and mod_headers to be enabled.
<IfModule mod_headers.c>
# Serve gzip compressed CSS files if they exist and the client accepts gzip.
RewriteCond %{HTTP:Accept-encoding} gzip
RewriteCond %{REQUEST_FILENAME}\.gz -s
RewriteRule ^(.*)\.css $1\.css\.gz [QSA]

# Serve gzip compressed JS files if they exist and the client accepts gzip.
RewriteCond %{HTTP:Accept-encoding} gzip
RewriteCond %{REQUEST_FILENAME}\.gz -s
RewriteRule ^(.*)\.js $1\.js\.gz [QSA]

# Serve correct content types, and prevent mod_deflate double gzip.
RewriteRule \.css\.gz$ - [T=text/css,E=no-gzip:1]
RewriteRule \.js\.gz$ - [T=text/javascript,E=no-gzip:1]

<FilesMatch "(\.js\.gz|\.css\.gz)$">
# Serve correct encoding type.
Header append Content-Encoding gzip
# Force proxies to cache gzipped & non-gzipped css/js files separately.
Header append Vary Accept-Encoding
</FilesMatch>
</IfModule>
</IfModule>
 