LinuxQuestions.org
Old 01-30-2012, 03:38 AM   #1
Tw1stedT
LQ Newbie
 
Registered: Jan 2012
Distribution: Fedora - CentOS
Posts: 5

Rep: Reputation: Disabled
apache permission denied - unable to browse pages


This server was running fine, I haven't run any updates until after the problem started.

log shows
[Mon Jan 30 01:34:00 2012] [error] [client x.x.x.x] (13)Permission denied: access to /index.php denied

www.advancedcreationsystems.net

The same error for all virtual hosts and files, but had been running fine for quite some time. No errors prior to accessing the machine. ssh'd to the machine and was going to add a geoip function to the server. I scp'd a few files over and copied them to a folder in the doc root
chown'd the folder apache:apache (shouldn't have any effect on other folders) and noticed errors around that time (not sure if that caused it)

yum update only installed chrome

checked the permissions and ownership of all the files, and they appeared OK

I eventually started ripping VirtualHost's out and removing everything down to the basics, and still can't figure out what started this and why it won't run right.

I hadn't changed any of my config files (at the time) and hadn't changed SELinux or any other settings. I will upgrade the server when I get back to it, but I only have remote access for the next couple days, and can't reboot it either, some stupid Press F1 to continue at POST (front USB disconnected-(which it is)).

2.6.35.14-106.fc14.i686.PAE #1 SMP Wed Nov 23 13:39:51 UTC 2011 i686 i686 i386 GNU/Linux

namei -l /var/www/html/acsllc-web/index.php
f: /var/www/html/acsllc-web/index.php
drwxr-xr-x root root /
drw-r--r-- root root var
drwxr-xr-x root root www
drwxr-xr-x root root html
drwxr-xr-x apache apache acsllc-web
-rw-r--r-- apache apache index.php

netstat -lp | grep -w LISTEN
tcp 0 0 SilverSurfer:x11-ssh-offset *:* LISTEN 20225/6
tcp 0 0 *:39358 *:* LISTEN 1097/rpc.statd
tcp 0 0 *:mysql *:* LISTEN 1477/mysqld
tcp 0 0 *:vnc-server *:* LISTEN 2011/vino-server
tcp 0 0 *:sunrpc *:* LISTEN 1010/rpcbind
tcp 0 0 *:ssh *:* LISTEN 1273/sshd
tcp 0 0 SilverSurfer2.advanced:smtp *:* LISTEN 1511/sendmail: acce
tcp 0 0 SilverSurfer:x11-ssh-offset *:* LISTEN 20225/6
tcp 0 0 *:https *:* LISTEN 27632/httpd
tcp 0 0 SilverSurfer2.adva:rtsp-alt *:* LISTEN 31711/gnome-dvb-dae
tcp 0 0 *:vnc-server *:* LISTEN 2011/vino-server
tcp 0 0 *:sunrpc *:* LISTEN 1010/rpcbind
tcp 0 0 *:http *:* LISTEN 27632/httpd
tcp 0 0 *:ssh *:* LISTEN 1273/sshd
tcp 0 0 *:37431 *:* LISTEN 1097/rpc.statd



ps -aux | grep httpd
root 27632 0.0 0.3 43728 15588 ? Ss 01:37 0:00 /usr/sbin/httpd
apache 27635 0.0 0.1 43728 7720 ? S 01:37 0:00 /usr/sbin/httpd
apache 27636 0.0 0.1 43728 7720 ? S 01:37 0:00 /usr/sbin/httpd
apache 27637 0.0 0.1 43728 7720 ? S 01:37 0:00 /usr/sbin/httpd
apache 27638 0.0 0.1 43728 7720 ? S 01:37 0:00 /usr/sbin/httpd
apache 27639 0.0 0.1 43728 7720 ? S 01:37 0:00 /usr/sbin/httpd
apache 27640 0.0 0.1 43728 7720 ? S 01:37 0:00 /usr/sbin/httpd
apache 27641 0.0 0.1 43728 7720 ? S 01:37 0:00 /usr/sbin/httpd
apache 27642 0.0 0.1 43728 7720 ? S 01:37 0:00 /usr/sbin/httpd

httpd.conf (it wasn't modified until I stripped everything and even with this?)

NameVirtualHost *:80

<VirtualHost *:80>
ServerAdmin advancedcreationsystems@gmail.com
DocumentRoot /var/www/html/acsllc-web/
DirectoryIndex index.php index.htm index.shtml
ServerName www.advancedcreationsystems.net
ServerAlias www.advancedcreationsystems.net
ErrorLog logs/advancedcreationsystems.com-error_log
CustomLog logs/advancedcreationsystems.com-access_log common
</VirtualHost>

The only other oddity that I see off hand is that when trying to restart avahi-daemon the log throws a:

[Mon Jan 30 02:28:26 2012] [info] removed PID file /etc/httpd/run/httpd.pid (pid=27632)
[Mon Jan 30 02:28:26 2012] [notice] caught SIGTERM, shutting down
[Mon Jan 30 02:28:26 2012] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Mon Jan 30 02:28:26 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Jan 30 02:28:26 2012] [notice] SSL FIPS mode disabled
[Mon Jan 30 02:28:27 2012] [notice] Digest: generating secret for digest authentication ...
[Mon Jan 30 02:28:27 2012] [notice] Digest: done
[Mon Jan 30 02:28:27 2012] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Mon Jan 30 02:28:27 2012] [notice] mod_python: using mutex_directory /tmp
[Mon Jan 30 02:28:27 2012] [notice] SSL FIPS mode disabled
[Mon Jan 30 02:28:27 2012] [error] avahi_client_new() failed: Access denied
[Mon Jan 30 02:28:27 2012] [notice] Apache/2.2.17 (Unix) DAV/2 PHP/5.3.8 mod_python/3.3.1 Python/2.7 mod_ssl/2.2.17 OpenSSL/1.0.0e-fips mod_perl/2.0.4 Perl/v5.12.4 configured -- resuming normal operations

and debug logging shows:
[Mon Jan 30 02:30:40 2012] [info] removed PID file /etc/httpd/run/httpd.pid (pid=27789)
[Mon Jan 30 02:30:40 2012] [notice] caught SIGTERM, shutting down
[Mon Jan 30 02:30:41 2012] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Mon Jan 30 02:30:41 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Jan 30 02:30:41 2012] [info] Init: Seeding PRNG with 256 bytes of entropy
[Mon Jan 30 02:30:41 2012] [notice] SSL FIPS mode disabled
[Mon Jan 30 02:30:41 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Mon Jan 30 02:30:41 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Mon Jan 30 02:30:41 2012] [info] Init: Initializing (virtual) servers for SSL
[Mon Jan 30 02:30:41 2012] [info] mod_ssl/2.2.17 compiled against Server: Apache/2.2.17, Library: OpenSSL/1.0.0a-fips
[Mon Jan 30 02:30:41 2012] [notice] Digest: generating secret for digest authentication ...
[Mon Jan 30 02:30:41 2012] [notice] Digest: done
[Mon Jan 30 02:30:41 2012] [debug] util_ldap.c(1990): LDAP merging Shared Cache conf: shm=0x208dbf8 rmm=0x208dc28 for VHOST: www.advancedcreationsystems.net
[Mon Jan 30 02:30:41 2012] [debug] util_ldap.c(1990): LDAP merging Shared Cache conf: shm=0x208dbf8 rmm=0x208dc28 for VHOST: *
[Mon Jan 30 02:30:41 2012] [info] APR LDAP: Built with OpenLDAP LDAP SDK
[Mon Jan 30 02:30:41 2012] [info] LDAP: SSL support available
[Mon Jan 30 02:30:42 2012] [notice] mod_python: Creating 4 session mutexes based on 256 max processes and 0 max threads.
[Mon Jan 30 02:30:42 2012] [notice] mod_python: using mutex_directory /tmp
[Mon Jan 30 02:30:42 2012] [info] Init: Seeding PRNG with 256 bytes of entropy
[Mon Jan 30 02:30:42 2012] [notice] SSL FIPS mode disabled
[Mon Jan 30 02:30:42 2012] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[Mon Jan 30 02:30:42 2012] [info] Init: Generating temporary DH parameters (512/1024 bits)
[Mon Jan 30 02:30:42 2012] [debug] ssl_scache_shmcb.c(253): shmcb_init allocated 512000 bytes of shared memory
[Mon Jan 30 02:30:42 2012] [debug] ssl_scache_shmcb.c(272): for 511952 bytes (512000 including header), recommending 32 subcaches, 133 indexes each
[Mon Jan 30 02:30:42 2012] [debug] ssl_scache_shmcb.c(306): shmcb_init_memory choices follow
[Mon Jan 30 02:30:42 2012] [debug] ssl_scache_shmcb.c(308): subcache_num = 32
[Mon Jan 30 02:30:42 2012] [debug] ssl_scache_shmcb.c(310): subcache_size = 15996
[Mon Jan 30 02:30:42 2012] [debug] ssl_scache_shmcb.c(312): subcache_data_offset = 2144
[Mon Jan 30 02:30:42 2012] [debug] ssl_scache_shmcb.c(314): subcache_data_size = 13852
[Mon Jan 30 02:30:42 2012] [debug] ssl_scache_shmcb.c(316): index_num = 133
[Mon Jan 30 02:30:42 2012] [info] Shared memory session cache initialised
[Mon Jan 30 02:30:42 2012] [info] Init: Initializing (virtual) servers for SSL
[Mon Jan 30 02:30:42 2012] [info] mod_ssl/2.2.17 compiled against Server: Apache/2.2.17, Library: OpenSSL/1.0.0a-fips
[Mon Jan 30 02:30:42 2012] [error] avahi_client_new() failed: Access denied
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 27826 for worker proxy:reverse
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 27826 for (*)
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 27827 for worker proxy:reverse
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 27827 for (*)
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 27828 for worker proxy:reverse
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 27828 for (*)
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 27829 for worker proxy:reverse
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 27829 for (*)
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 27830 for worker proxy:reverse
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 27830 for (*)
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 27831 for worker proxy:reverse
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 27831 for (*)
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 27832 for worker proxy:reverse
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 27832 for (*)
[Mon Jan 30 02:30:42 2012] [notice] Apache/2.2.17 (Unix) DAV/2 PHP/5.3.8 mod_python/3.3.1 Python/2.7 mod_ssl/2.2.17 OpenSSL/1.0.0e-fips mod_perl/2.0.4 Perl/v5.12.4 configured -- resuming normal operations
[Mon Jan 30 02:30:42 2012] [info] Server built: Oct 27 2010 10:04:08
[Mon Jan 30 02:30:42 2012] [debug] prefork.c(1018): AcceptMutex: sysvsem (default: sysvsem)
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 27833 for worker proxy:reverse
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
[Mon Jan 30 02:30:42 2012] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 27833 for (*)

I'm not sure if the [Mon Jan 30 02:30:42 2012] [error] avahi_client_new() failed: Access denied could be related or not

SELinux had been set to Permissive a long time ago, and I hadn't had trouble with it before this started?


------- The only two files left
so I have a .htaccess file of:

#Options +FollowSymLinks

#
# mod_rewrite in use

RewriteEngine On

# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
#

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$ [NC]
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]



index.php:
<?php
//unknown errors just a basic file now
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb" dir="ltr">
<head>
</head>
<body>
<center>
<br>This System is Currently Offline.
<br>Thank You for your patience, we will be back online soon!!
</center>
</body>
</html>




Any help or suggestions would be greatly appreciated.

Last edited by Tw1stedT; 01-30-2012 at 11:44 AM.
 
Old 01-30-2012, 07:08 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
drw-r--r-- root root var
Somehow your /var has not the execute bit set. I don't know if it's a plain directory, or a mounted partition, but for apache to be able to access directories and files under docroot, the parent directories must have +x permission.
So run
Code:
chmod 755 /var
and see if it fixes your problem

Regards
 
1 members found this post helpful.
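The check from the answer above, automated as an added example (not code from the thread): it walks a path component by component, as `namei -l` does, and reports the first directory that lacks the execute (search) bit for "other". The function name `first_blocked_dir` is hypothetical, GNU `stat` is assumed, and only the "other" bits are tested on the assumption that the httpd user is neither owner nor group member of the ancestor directories (they are root:root in the listing above).

```shell
#!/bin/sh
# Added example: find the first directory on a path that "other" users
# cannot traverse. Components below START are checked; START itself is not.

# first_blocked_dir START RELPATH
# Prints "<dir> (mode <octal>)" and returns 1 for the first directory
# without o+x; returns 0 when every directory on the path is traversable.
first_blocked_dir() {
    cur=${1%/}                 # "/" becomes "", so "$cur/$part" stays clean
    rest=$2
    while [ -n "$rest" ]; do
        part=${rest%%/*}       # next path component
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
        [ -n "$part" ] || continue
        cur="$cur/$part"
        [ -d "$cur" ] || continue    # only directories need the search bit
        mode=$(stat -c %a "$cur") || return 2
        # The last octal digit holds the "other" bits; odd means x is set.
        last=${mode#"${mode%?}"}
        if [ $(( last % 2 )) -eq 0 ]; then
            printf '%s (mode %s)\n' "$cur" "$mode"
            return 1
        fi
    done
    return 0
}
```

Called as `first_blocked_dir / var/www/html/acsllc-web/index.php`, it stops at the first ancestor whose mode looks like the `drw-r--r--` entry quoted above.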
Old 01-30-2012, 11:44 AM   #3
Tw1stedT
LQ Newbie
 
Registered: Jan 2012
Distribution: Fedora - CentOS
Posts: 5

Original Poster
Rep: Reputation: Disabled
You are correct, and same for /tmp and /usr

I saw the various errors when I finally rebooted, and all is well now.

I believe that a permission script for a VirtualHost storage folder ran a
Quote:
find -type d -exec chmod 644 {} \;
but executed it from /. It's totally an error on my part. The cron job replicates across several servers, and the folder the script wanted to cd into hadn't been created, blah blah blah.......

Fixing the permissions on tmp, var, usr and various other folders allowed shell users to log in, avahi to start, and just about everything else that needs the tmp dir.

Thanks for the Reply, it always helps to have extra eyes.

Last edited by Tw1stedT; 01-30-2012 at 11:50 AM.
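A guarded form of the kind of permission reset described in the post above, as an added example that is not the poster's script: it refuses to run when the target directory is missing, and it passes the start point to `find` explicitly instead of relying on a preceding `cd`. The function name `fix_perms` and the 755/644 modes are assumptions; directories keep the search bit so they stay traversable.

```shell
#!/bin/sh
# Added example (not the poster's script): reset permissions under one
# directory without ever depending on the current working directory.

# fix_perms TARGET: directories become 755, regular files 644.
fix_perms() {
    target=$1
    # An empty or relative argument would make find start from wherever
    # cron happened to launch the job, so insist on an absolute path.
    case $target in
        /*) ;;
        *) echo "refusing: not an absolute path: '$target'" >&2; return 1 ;;
    esac
    # The failure in this thread: the directory had not been created yet.
    if [ ! -d "$target" ]; then
        echo "refusing: no such directory: $target" >&2
        return 1
    fi
    # Resolve symlinks and "..", then refuse "/" and top-level directories
    # such as /var, /usr or /tmp.
    real=$(cd "$target" && pwd -P) || return 1
    case $real in
        /*/*) ;;
        *) echo "refusing: too close to the root: $real" >&2; return 1 ;;
    esac
    # Directories keep the search (x) bit; only regular files get 644.
    # -xdev keeps find on one filesystem.
    find "$real" -xdev -type d -exec chmod 755 {} + &&
    find "$real" -xdev -type f -exec chmod 644 {} +
}
```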
 
  

