LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
LinkBack Search this Thread
Old 02-10-2005, 08:25 PM   #1
m3rajk
LQ Newbie
 
Registered: Dec 2003
Distribution: red hat (7.1 and 9.0)
Posts: 9

Rep: Reputation: 0
apache 403 for dir in /var/www/html/


running LAMP

FEDORA CORE 3

should be able to access only sub dirs of /var/www/html/

have three dirs. one is 755 the other two are 775.

all come up as 403. the two that are 775 havee apache in the group that owns the group rights.

still not working.

everything i have found talks about .htaccess.
that is apparently set up right according to all of them (including the apache site)


i'm looking for any suggesstions tat will get ti to work

port 80 is open AND the apache test page does load, as do files in the base directory
 
Old 02-11-2005, 03:49 AM   #2
shazam75
Member
 
Registered: Oct 2004
Location: Australia, Brisbane
Distribution: Gentoo
Posts: 296

Rep: Reputation: 30
Edit the following file commonhttpd.conf

Now find this part of the code
#Restricted set of options
<Directory />
Options -All -Multiviews
AllowOverride None
<IfModule mod_access.c>
Order deny,allow
Deny from all
</IfModule>
</Directory>

Uncomment as listed above and add the following changes to the appropriate line

<Directory /PATH/TO/YOUR/DIRECTORY>
* this correspondes to the line immediately below the
#Restricted set of options


Also the line Order deny,allow should be changed to

Order allow,deny

That should do it - le me know how you go

Regards
Shelton.

Last edited by shazam75; 02-11-2005 at 03:51 AM.
 
Old 02-11-2005, 04:52 AM   #3
shazam75
Member
 
Registered: Oct 2004
Location: Australia, Brisbane
Distribution: Gentoo
Posts: 296

Rep: Reputation: 30
This is your ANSWER

Security Contexts For Web Pages

Fedora Core 3 introduced the concept of security contexts as part of the Security Enhanced Linux (SELinux) definition. (See Appendix I, "Miscellaneous Linux Topics," for details.) A Web page may have the right permissions, but the Apache httpd daemon to read it unless you assign it the correct security context or daemon access permissions. Context-related configuration errors will give "403 Forbidden" browser messages, and in some cases, you will get the default Fedora Apache page where your expected Web page should be.

When a file is created, it inherits the security context of its parent directory. If you decide to place your Web pages in the default /var/www/ directory, then they will inherit the context of that directory and you should have very few problems.

The context of a file depends on the SELinux label it is given. The most important types of security label are listed in Table 20-1.

Table 20-1 SELinux Security Context File Labels

HTTP

Code

Description

httpd_sys_content_t



The type used by regular static web pages with .html and .htm extensions.

httpd_sys_script_ro_t

Required for CGI scripts to read files and directories.

httpd_sys_script_ra_t

Same as the httpd_sys_script_ro_t type but also allows appending data to files by the CGI script.

httpd_sys_script_rw_t

Files with this type may be changed by a CGI script in any way, including deletion.

httpd_sys_script_exec_t

The type required for the execution of CGI scripts



As expected, security contexts become important when Web pages need to be placed in directories that are not the Apache defaults. In this example, user root creates a directory /home/www/site1 in which the pages for a new Web site will be placed. Using the ls -Z command, you can see that the user_home_t security label has been assigned to the directory and the index.html page created in it. This label is not accessible by Apache.



[root@bigboy tmp]# mkdir /home/www/site1

[root@bigboy tmp]# ls -Z /home/www/

drwxr-xr-x root root rootbject_r:user_home_t site1

[root@bigboy tmp]# touch /home/www/site1/index.html

[root@bigboy tmp]# ls -Z /home/www/site1/index.html

-rw-r--r-- root root rootbject_r:user_home_t /home/www/site1/index.html

[root@bigboy tmp]#



Accessing the index.html file via a Web browser gets a "Forbidden 403" error on your screen, even though the permissions are correct. Viewing the /var/log/httpd/error_log gives a "Permission Denied" message and the /var/log/messages file shows kernel audit errors.



[root@bigboy tmp]# tail /var/log/httpd/error_log

[Fri Dec 24 17:59:24 2004] [error] [client 216.10.119.250] (13)Permission denied: access to / denied

[root@bigboy tmp]# tail /var/log/messages

Dec 24 17:59:24 bigboy kernel: audit(1103939964.444:0): avc: denied { getattr } for pid=2188 exe=/usr/sbin/httpd path=/home/www/site1 dev=hda5 ino=73659 scontext=system_u:system_r:httpd_t tcontext=rootbject_r:user_home_t tclass=dir

[root@bigboy tmp]#



SELinux security context labels can be modified using the chcon command. Recognizing the error, user root uses chcon with the -R (recursive) and -h (modify symbolic links) qualifiers to modify the label of the directory to httpd_sys_content_t with the -t qualifier.



[root@bigboy tmp]# chcon -R -h -t httpd_sys_content_t /home/www/site1

[root@bigboy tmp]# ls -Z /home/www/site1/

-rw-r--r-- root root rootbject_r:httpd_sys_content_t index.html

[root@bigboy tmp]#



Browsing now works without errors. User root won't have to run the chcon command again for the directory, because new files created in the directory will inherit the SELinux security label of the parent directory. You can see this when the file /home/www/site1/test.txt is created.



[root@bigboy tmp]# touch /home/www/site1/test.txt

[root@bigboy tmp]# ls -Z /home/www/site1/

-rw-r--r-- root root rootbject_r:httpd_sys_content_t index.html

-rw-r--r-- root root rootbject_r:httpd_sys_content_t test.txt

[root@bigboy tmp]#

source: http://www.siliconvalleyccie.com/lin...pachebasic.htm
 
Old 04-04-2005, 06:46 PM   #4
vmaxx
LQ Newbie
 
Registered: Jan 2005
Posts: 1

Rep: Reputation: 0
Thumbs up

Shazam, you da MAN. That was it. The funny thing was that I ran across the chcon when I was surfing for an answer. I tried a few commands I thought might do it, but didn't spend enough time on it.

Thanks again..

vm
 
Old 04-24-2005, 11:46 PM   #5
shazam75
Member
 
Registered: Oct 2004
Location: Australia, Brisbane
Distribution: Gentoo
Posts: 296

Rep: Reputation: 30
No problems - glad to help!

Regards
Shelton.
 
Old 05-31-2005, 01:06 PM   #6
jeffreybluml
Member
 
Registered: Mar 2004
Location: Minnesota
Distribution: Fedora Core 1, Mandrake 10
Posts: 405

Rep: Reputation: 30
shazam75,

I realize this is an older thread, but you seriously helped where nobody else seemed able.

Thanks for this explanation/tutorial!!!
 
Old 06-01-2005, 02:02 AM   #7
shazam75
Member
 
Registered: Oct 2004
Location: Australia, Brisbane
Distribution: Gentoo
Posts: 296

Rep: Reputation: 30
Hey Jeff

No THANKYOU for appreciating and taking the time to write! Have fun with Linux!!

Regards
Shelton.
 
Old 10-11-2005, 01:31 PM   #8
DevNRG
LQ Newbie
 
Registered: Sep 2005
Posts: 6

Rep: Reputation: 0
Thanks for the tutorial but now I run into this.

chcon: can't apply partial context to unlabeled file /usr/local/apache2/htdocs/utstats

Any ideas?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
help in /var/www/html/!! chidomen Linux - Newbie 4 01-13-2005 11:02 AM
apache server setup and how to place files in the var/www/html directory dramous Linux - Newbie 7 09-28-2004 04:18 AM
apache server setup and how to place files in the var/www/html directory dramous Linux - Software 3 09-25-2004 02:38 AM
apache server setup and how to place files in the var/www/html directory dramous Linux - General 2 09-25-2004 01:29 AM
ownership of /var/www/html haobaba1 Linux - Security 1 08-04-2003 02:58 PM


All times are GMT -5. The time now is 10:29 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration