Apache UserDir Problem

sbb · 07-30-2005, 08:36 AM

Hi, i'm trying to make the userdir function on Apache work, so that my users can have their website at http://mydomain/~user/

I have created a public_html directory in my home dir, but it still doesn't seem to work. I chmod-ed it to a+rx, and the contents of the dir to a+rx. The dir also contains an index.html file. When trying to surf to the dir I get the error "You don't have permission to access /~sbb on this server."

Here is the section from my httpd conf

Code:

# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid.  This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissions
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.
#
# See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden
#
<IfModule mod_userdir.c>
    #
    # UserDir is disabled by default since it can confirm the presence
    # of a username on the system (depending on home directory
    # permissions).
    #
    #
    # To enable requests to /~user/ to serve the user's public_html
    # directory, remove the "UserDir disable" line above, and uncomment
    # the following line instead:
    #
UserDir public_html

</IfModule>

#
# Control access to UserDir directories.  The following is an example
# for a site where these directories are restricted to read-only.
#
#<Directory /home/*/public_html>
#    AllowOverride FileInfo AuthConfig Limit
#    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#    <Limit GET POST OPTIONS>
#        Order allow,deny
#        Allow from all
#    </Limit>
#    <LimitExcept GET POST OPTIONS>
#        Order deny,allow
#        Deny from all
#    </LimitExcept>
#</Directory>

Thanks in advance
SBB

SteveK1979 · 07-30-2005, 09:05 AM

You've enabled the userDir module, but you haven't actually configured any access permissions for the /home/*/public_html directory.

See that commented out text you've pasted under the </IfModule> tag? That's some default config for the public_html directory. Uncommenting the <Directory> tags and everything in between will allow Apache to access /home/*/public_html directory (i.e. the public_html directory in the users home dir) with the default permissions that are installed on your system.

Cheers,

Steve

sbb · 07-30-2005, 09:34 AM

I uncommented the section and it still doesn't work! Same error as before...

SteveK1979 · 07-30-2005, 02:16 PM

What about the permissions on your home directory?

Some operating systems set these to rw for owner, or owner and group only, but as it says in the extract you posted, ~ will need permissions of 0711 to allow the user that apache runs as to be able to access the public_html directory.

sbb · 07-30-2005, 06:24 PM

Sorry, I'm confused by "0711"

guideweb · 07-30-2005, 09:19 PM

if permissions are not 711 in user home directory apache will not be able to read the files. You can try :

# chmod 711 /home/* -fr
(as root)

hlyrad · 07-31-2005, 01:56 AM

Do you have selinux enabled? Check /var/log/messages for entries like...

Jul 26 12:25:50 server kernel: audit(1122402350.937:0): avc: denied { add_name } for pid=4581 exe=/bin/ln name=liblnxfv.so.4 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:lib_t tclass=dir

If so you will have to configure your users home directories with the chcon command
eg.

Code:

chcon -t httpd_sys_content_t -R /path_to_home_directories/public_html

This is just the tip of the iceberg as far as SElinux goes

SteveK1979 · 08-01-2005, 03:45 PM

sbb, the permissions on files and folders can be represented with numbers on a unix-based system. This is called an octal representation of the permissions.

0711 would give you rwx--x--x

Read man chmod

Cheers,

Steve

SparceMatrix · 09-25-2005, 01:02 AM

I have Fedora 4 and I am having the UserDir problems. Everything else checks out. Permissions are rwxrw-rw all the way up to /home. My last point of confusion was the commented out section that is mentioned below. I uncommented it and restarted httpd with no change in behavior. Another point of confusion is the idea of giving Apache permission to search the home directories. The manual and comments make it sound like there is some other issue besides just chmod-ing the permissions. Is there some group changes that also have to be made?

What is the source of these permission denied errors?

Quote:

Forbidden
You don't have permission to access /~UserName on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

--------------------------------------------------------------------------------

Apache/2.0.54 (Fedora) Server at cubie Port 80

reddazz · 09-25-2005, 02:29 AM

The permissions for ~userid should be 711 and those for ~userid/public_html should be 755. If you have Selinux enable then take a look for a possible solution here.

SparceMatrix · 09-25-2005, 03:49 PM

Quote:

Originally posted by reddazz
The permissions for ~userid should be 711 and those for ~userid/public_html should be 755. If you have Selinux enable then take a look for a possible solution here.

Doesn't work. I tried the following with no change in behavior:

Code:

chmod 711 /home/* -R
chmod 755 /home/userid/public_html/ -R

I tried the chmod above ...

Code:

chomd 711 /home/* -fr

and got a "mode error" for the directory I am trying to reach.

SparceMatrix · 09-25-2005, 04:08 PM

I am noticing a few other things. If I log in as another low level user, I can't reach the file of that other low level user I am trying to reach with Apache. Konqueror shows that directory as a "Locked folder". Could some other file sharing issue be involved? Also, I have Samba installed on the same machine and use it. Could there be some interference there?

SparceMatrix · 09-25-2005, 04:45 PM

Quote:

Originally posted by hlyrad
Do you have selinux enabled? Check /var/log/messages for entries like...

Jul 26 12:25:50 server kernel: audit(1122402350.937:0): avc: denied { add_name } for pid=4581 exe=/bin/ln name=liblnxfv.so.4 scontext=root:system_r:httpd_sys_script_t tcontext=system_ubject_r:lib_t tclass=dir

If so you will have to configure your users home directories with the chcon command
eg.

Code:

chcon -t httpd_sys_content_t -R /path_to_home_directories/public_html

This is just the tip of the iceberg as far as SElinux goes

Whoa! Hey, I do have selinux enabled ... I guess.

My first reading of this post goes,

"Do you have selinux? Check .... " and of course I'm thinking "No, dude, I have Fedora 4 like I said."

Yes, the command offered above makes the directory accessable. I am not looking forward to messing with selinux.

Problem improved if not solved, but closed as far as I am concerned for this thread.

SparceMatrix · 04-10-2006, 06:29 PM

Once again, I am having problems with my user directories. Since this last post, I have been through a second upgrade of Fedora to Fedora Core 5 and Apache 2.2.0(Fedora). I do not use this server frequently, but I need to depend on it again and I have tried to create new users, but once again I am getting the identical errors I reported in the post above with these new users. SELinux is not enabled according to my Security Level Tool.

What could it be this time? All my user permissions are set identically and I have three older users that can be served without any problems. My HTTP error log says "(13) permission denied: Access to ... denied".

What could be the problem this time?

Any and all tips and clues would be appreciated.