Old 10-09-2014, 11:03 PM   #1
pazu
LQ Newbie
 
Registered: Oct 2014
Posts: 8

Rep: Reputation: Disabled
Question Apache Permissions keep resetting - help!


Hi all,

I'm having a hard time fixing my webserver and can't for the life of me work out what is going on.

I've been messing with Linux for a few years now, so I know my way around the system, but am in no way a pro or expert.

My setup is a little unique, but nothing 'out there'.

Server is running ClearOS 6 which is also my firewall/router. It is based on CentOS 6.5

The issue appears to have started occurring after I installed OwnCloud.

I have installed OwnCloud 7 from the Suse repository and it installed ok.

Web server is Apache 2.2

SElinux is disabled on this box (which is default for ClearOS I believe).

The issue only started happening after owncloud was installed.

I run a number of websites off this box which are as well as a few redirected sites hosted on other boxes on the internal network set as virtual hosts.

The webserver conf files are autoconfigured originally then I have customized them afterwards, everything has been working fine until I installed OwnCloud.

Since I have installed Owncloud, the owncloud URL works, my redirected sites work fine, but I can not access any other website on the server.

The 80.conf and 443.conf are below, as is the extra OwnCloud conf that it installed. IPs and domain names have been removed.

HTTP/80 CONF File

Code:
#----------------------------------------------------------------
# WARNING: This file is automatically created by webconfig.
#----------------------------------------------------------------


# Authentication mechanism
DefineExternalAuth pwauth pipe /usr/bin/pwauth
DefineExternalGroup pwauth pipe /usr/bin/unixgroup

# -----------------------------------------------#
# Web Site
# -----------------------------------------------#

ScriptAlias /flexshare/portal.#####.net/cgi-bin/ /var/flexshare/shares/portal.#####.net/cgi-bin/
<VirtualHost *:80>
	ServerName portal.#####.net
	ScriptAlias /cgi-bin/ /var/flexshare/shares/portal.#####.net/cgi-bin/
	ErrorLog /var/log/httpd/error_log
	CustomLog /var/log/httpd/access_log combined

	Redirect / h#tps://portal.#####.net/
</VirtualHost>


<VirtualHost *:80>
	ServerName marryme.#####.net
	DocumentRoot /var/www/html/marryme
	ScriptAlias /cgi-bin/ /var/flexshare/shares/portal.#####.net/cgi-bin/
	ErrorLog /var/log/httpd/error_log
	CustomLog /var/log/httpd/access_log combined

	<Location />
  		Options Indexes FollowSymLinks MultiViews
		Satisfy Any
		Allow from all
	</Location>

</VirtualHost>

<VirtualHost *:80>
	ServerName #####.net
	DocumentRoot /var/www/html
	ScriptAlias /cgi-bin/ /var/flexshare/shares/portal.#####.net/cgi-bin/
	ErrorLog /var/log/httpd/error_log
	CustomLog /var/log/httpd/access_log combined

	<Location />
		Options Indexes FollowSymLinks MultiViews
		Satisfy Any
		Allow from all
	</Location>

</VirtualHost>

<Directory /var/www/html/cgi-bin>
	Options +ExecCGI
</Directory>

<Directory /var/www/html>
	Options -Indexes +FollowSymLinks +IncludesNOExec
	AllowOverride All
	Order deny,allow
	Allow from all
	AddType text/html .php
	AddHandler php5-script .php
</Directory>

HTTPS/442 CONF File

Code:
#----------------------------------------------------------------
# WARNING: This file is automatically created by webconfig.
#----------------------------------------------------------------

NameVirtualHost *:443

# Authentication mechanism
DefineExternalAuth pwauth pipe /usr/bin/pwauth
DefineExternalGroup pwauth pipe /usr/bin/unixgroup

# -----------------------------------------------#
# Web Site
# -----------------------------------------------#

<VirtualHost *:443>
	ServerName portal.#####.net
	DocumentRoot /var/www/html/portal
	ScriptAlias /cgi-bin/ /var/flexshare/shares/portal.#####.net/cgi-bin/
	ErrorLog /var/log/httpd/error_log
	CustomLog /var/log/httpd/access_log combined

	ProxyPreserveHost On
	ProxyRequests off

	ProxyPass /cp/ h#tp://0.0.0.0:8082/cp/
	ProxyPassReverse /cp/ h#tp://0.0.0.0:8082/cp/

	ProxyPass /sb/ h#tp://0.0.0.0:8081/sb/
	ProxyPassReverse /sb/ h#tp://0.0.0.0:8081/sb/

	ProxyPass /blue/ h#tp://0.0.0.0:80/
	ProxyPassReverse /blue/ h#tp://0.0.0.0:80/

	ProxyPass /sab/ h#tp://0.0.0.0:8080/
	ProxyPassReverse /sab/ h#tp://0.0.0.0:8080/

	ProxyPass /nzbdrone/ h#tp://0.0.0.0:8989/nzbdrone/
	ProxyPassReverse /nzbdrone/ h#tp://0.0.0.0:8989/nzbdrone/

	SSLEngine On
	SSLProxyEngine On
	SSLCertificateKeyFile /etc/ssl/ssl.key/portal_#####_net.key
	SSLCertificateFile /etc/ssl/ssl.crt/portal_#####_net.crt
	SSLCertificateChainFile /etc/ssl/ssl.crt/portal_#####_net.ca-bundle

	# No weak export crypto allowed
	# SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
	SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:!EXP:+eNULL
	SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0



<Location />

	Options Indexes FollowSymLinks MultiViews
	Order allow,deny
	allow from all
	AuthType Basic
	#AuthType form
	#AuthFormLoginRequiredLocation h#tps://portal.#####.net/login.html
	#Session On
	#SessionCookieName session path=/
	#SessionCryptoPassphrase secret
 
	AuthName "Restricted - #####.net Portal"
	AuthBasicProvider file
	AuthUserFile /etc/httpd/passwd/passwords
	Require user #####

</Location>

#<Location /login.html>
	#SetHandler form-login-handler
	#AuthFormLoginRequiredLocation h#tps://portal.#####.net/login.html
	#AuthFormLoginSuccessLocation h#tps://portal.#####.net/index.html
	#AuthName "Restricted - #####.net Portal"
	#AuthBasicProvider file
	#AuthUserFile /etc/httpd/passwd/passwords
	#AuthType form
	#Session On
	#SessionCookieName session path=/
	#SessionCryptoPassphrase secret
#</Location>



</VirtualHost>

OwnCloud CONF File

Code:
<IfModule mod_alias.c>
Alias /owncloud /usr/share/owncloud/
</IfModule>

<Directory /usr/share/owncloud/>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride All
  Order allow,deny
  allow from all
</Directory>

Accessing these sites:

/var/www/html/portal - h#tps://portal.#####.net
/var/www/html - h#tps://#####.net

Gives me a 403 forbidden:

Forbidden

You don't have permission to access / on this server.


I went through a bunch of testing, and I worked out that if I set permissions on /var/www/html/ to 0771 (so execute for everyone) everything starts working again.

This works for a while, for example if I set it now, it will be fine for the rest of the day, I log in again tomorrow and the permissions have reset again back to 0770. The server hasn't rebooted so something is resetting the permissions.

The only thing that has changed is that I installed OwnCloud.

Would welcome any assistance
 
Old 10-10-2014, 12:52 AM   #2
vishesh
Member
 
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 661

Rep: Reputation: 66
I think you should check whether some crontab entry or shell script running through cron is changing the permission. Find the time when the file permission changed using the command stat or ls -l and then search for the crontab entry. Also no need to set perm to 1777, you can make your Apache user the owner of /var/www/html/*

Thanks
 
Old 10-10-2014, 01:51 AM   #3
rhoekstra
Member
 
Registered: Aug 2004
Location: The Netherlands
Distribution: RedHat 2, 3, 4, 5, Fedora, SuSE, Gentoo
Posts: 372

Rep: Reputation: 42
Try figuring out if this disappears again after removing owncloud. And as vishesh mentions, it smells like a daily cron that keeps sanity of your directory structure.

Next to that.. I see you approach your server on https to both ###.net and portal.###.net, while there's only one virtualhost on :443 configured. ###.net is only on 'http' configured.

Check your /var/log/httpd/error_log or access_log to see additional error information on why access has been prohibited. What are the ownerships on /var/www/html? is /etc/httpd/passwd/passwords a symlink to a file in /var/www/html perhaps or is it an ordinary file?
 
Old 10-10-2014, 04:29 AM   #4
pazu
LQ Newbie
 
Registered: Oct 2014
Posts: 8

Original Poster
Rep: Reputation: Disabled
thanks for the quick replies, I'm just going to look at cron jobs now. I did look at the access logs and didn't get anything very useful

under error.log is just a heap of denies:

[Fri Oct 10 16:54:37 2014] [error] [client 192.99.149.88] (13)Permission denied: access to /index.php denied
[Fri Oct 10 16:54:37 2014] [error] [client 192.99.149.88] (13)Permission denied: access to /index.htm denied
[Fri Oct 10 16:54:37 2014] [error] [client 192.99.149.88] (13)Permission denied: access to /index.html denied
[Fri Oct 10 16:54:37 2014] [error] [client 192.99.149.88] (13)Permission denied: access to /index.html.var denied

rhoekstra, in answer to your question, the portal.####.net can only be accessed over https (hitting the http site will redirect), under ####.net it has a basic landing page that the user can choose to go to two specific pages under portal.###.net (hope that made sense!) The SSL Cert is only for portal.###.net hence why ####.net isn't https.

/etc/httpd/passwd/passwords is a flat file (not a symlink) and has been working fine prior to owncloud installing (for months if not a year or so now).

I'm kinda trying to avoid removing owncloud as I want to use the system, and this started happening as soon as it was installed, so I'm quite convinced the install caused it, and removing it won't leave me any closer to resolving the issue.

I haven't played much with cron jobs so I'll find my way through that and report back with those results and file ownership details, thanks again for the quick replies.
 
Old 10-10-2014, 04:34 AM   #5
pazu
LQ Newbie
 
Registered: Oct 2014
Posts: 8

Original Poster
Rep: Reputation: Disabled
ok just a quick report, root is the owner of that folder

result of stat is as follows:

File: `/var/www/html'
Size: 4096 Blocks: 8 IO Block: 4096 directory
Device: fd00h/64768d Inode: 263375 Links: 8
Access: (0770/drwxrwx---) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2014-10-10 04:30:44.376663126 +1000
Modify: 2011-12-07 05:23:23.000000000 +1000
Change: 2014-10-10 04:15:02.134520375 +1000

Looking at that I'm looking for a cron job that ran at 4:15am

On to looking at cron jobs!
 
Old 10-10-2014, 04:51 AM   #6
pazu
LQ Newbie
 
Registered: Oct 2014
Posts: 8

Original Poster
Rep: Reputation: Disabled
ok getting closer now, so looking at the cron entries, at exactly 04:15 there is an entry called

Oct 10 04:15:01 Gallifrey CROND[13499]: (root) CMD (/usr/clearos/apps/flexshare/deploy/set-file-permissions >/dev/null 2>&1)

which looks like I'm on the money, looking at that file it does indeed set that as default system permissions 0770 (library it links to has a set of variables set as 0770)

Interestingly enough, Flexshare has been running fine (it's another name for Apache under ClearOS), so not sure why it is playing up now.

I changed that variable to 0771 and re-ran the cronjob command and bang it's working again.

BUT my question is this:

I can edit the library file, which will fix the issue, but that won't help if the system is updated in the future and resets it again. Is it possible to grant ownership or set permissions for apache at a higher level?

Thanks for the pointers, got me right to the bottom of it quickly

Last edited by pazu; 10-10-2014 at 04:55 AM. Reason: clarification (me speaky good english!)
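
The correlation worked through in posts #5 and #6 (take the directory's Change time from stat, then look for a cron command that started just before it), as an added example that is not part of the original thread. The function names are hypothetical, and the sample log lines other than the 04:15:01 entry are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: list cron commands that started shortly
# before a directory's ctime (the "Change:" line in stat output).

# Constructed sample of a syslog-format cron log; only the 04:15:01 line is
# taken from the thread, the others are made up for illustration.
sample_cron_log() {
    cat <<'EOF'
Oct 10 04:01:01 Gallifrey CROND[13011]: (root) CMD (run-parts /etc/cron.hourly)
Oct 10 04:10:01 Gallifrey CROND[13402]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Oct 10 04:15:01 Gallifrey CROND[13499]: (root) CMD (/usr/clearos/apps/flexshare/deploy/set-file-permissions >/dev/null 2>&1)
Oct 10 04:20:01 Gallifrey CROND[13688]: (root) CMD (/usr/lib64/sa/sa1 1 1)
EOF
}

# cron_near_ctime CTIME LOGFILE [WINDOW_SECONDS]
#   CTIME   "YYYY-MM-DD HH:MM:SS[.frac zone]" as printed by stat
#   LOGFILE cron log to search ("-" reads standard input)
# Prints every cron CMD started on the same day within WINDOW_SECONDS
# (default 120) before CTIME. Syslog lines carry no year, so only month and
# day are compared.
cron_near_ctime() {
    awk -v ctime="$1" -v window="${3:-120}" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= 12; i++) month[names[i]] = i
        split(ctime, dt, /[- :.]/)          # 2014 10 10 04 15 02 ...
        want_mon = dt[2] + 0; want_day = dt[3] + 0
        want_sec = dt[4] * 3600 + dt[5] * 60 + dt[6]
    }
    / CMD \(/ && month[$1] == want_mon && $2 + 0 == want_day {
        split($3, t, ":")
        delta = want_sec - (t[1] * 3600 + t[2] * 60 + t[3])
        if (delta >= 0 && delta <= window) {
            sub(/^.* CMD \(/, ""); sub(/\)$/, "")   # keep only the command
            print delta "s before: " $0
        }
    }' "$2"
}

# Demo with the ctime from post #5.
sample_cron_log | cron_near_ctime "2014-10-10 04:15:02.134520375 +1000" -
```

On a live system the second argument would be the cron log itself (for example /var/log/cron on CentOS 6) and the first the Change line from `stat` on the affected directory.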
 
Old 10-10-2014, 06:03 AM   #7
rhoekstra
Member
 
Registered: Aug 2004
Location: The Netherlands
Distribution: RedHat 2, 3, 4, 5, Fedora, SuSE, Gentoo
Posts: 372

Rep: Reputation: 42
Perhaps, for unknown reasons, owncloud changed the ownership of /var/www/html? It could be owned by the group httpd?
If the script just sets permissions and not ownerships, your change of group ownership could resolve your issue.
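
Why 0770 on a root:root directory produces the 403, and why either 0771 or a matching group lets the web server through, shown as an added example that is not part of the original thread. The function names are hypothetical; it assumes GNU stat and looks only at owner, primary group and mode bits (no supplementary groups, no ACLs).

```shell
#!/bin/sh
# Added example, not from the thread: find the first directory below BASE, on
# the way to REL, whose mode bits deny search (x) to a given uid/gid.
# BASE itself is assumed to be reachable and is not checked.

# may_search MODE OWNER_UID OWNER_GID UID GID
# Succeeds if octal MODE grants x to UID/GID; uid 0 is always allowed.
may_search() {
    mode=$(( 0$1 ))
    if   [ "$4" -eq 0 ];    then return 0
    elif [ "$4" -eq "$2" ]; then bit=$(( mode & 0100 ))   # owner x
    elif [ "$5" -eq "$3" ]; then bit=$(( mode & 0010 ))   # group x
    else                         bit=$(( mode & 0001 ))   # other x
    fi
    [ "$bit" -ne 0 ]
}

# first_blocked BASE REL UID GID
# Prints the first blocking directory and returns 1; returns 0 if the whole
# path can be traversed; returns 2 if a component cannot be stat'ed.
first_blocked() {
    cur=${1%/} fb_uid=$3 fb_gid=$4
    old_ifs=$IFS; IFS=/
    set -f; set -- $2; set +f          # split REL into its components
    IFS=$old_ifs
    for part in "$@"; do
        [ -z "$part" ] && continue
        cur=$cur/$part
        meta=$(stat -c '%a %u %g' "$cur") || return 2
        if ! may_search $meta "$fb_uid" "$fb_gid"; then
            echo "$cur"; return 1
        fi
    done
    return 0
}

# Constructed sample tree: BASE/www/html/site with html at 0770, the mode the
# cron job in the thread keeps restoring.
make_sample_tree() {
    base=$(mktemp -d) && mkdir -p "$base/www/html/site" &&
    chmod 755 "$base/www" "$base/www/html/site" && chmod 770 "$base/www/html" &&
    echo "$base"
}
```

Against a real server the call would look like `first_blocked / var/www/html "$(id -u apache)" "$(id -g apache)"`, assuming the web server runs as an account named apache.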
 
  

