Apache

habl · 09-07-2008, 10:43 AM

Hi,

I have a problem with apache, it gives a 403 forbidden message for every file and directory in my document root. I also setup the userdir module and in userdirs everything works fine. I have searched on the web for days now and I still haven't found the answer.

My documentroot is set to /var/www/htdocs/ and as far as I can see everything is fine:

Code:

drwxrwxr--  2 root   apache  144 2008-02-14 22:38 cgi-bin/
drwxrwxr--  3 root   apache  976 2008-02-14 22:38 error/
drwxr-xr-x 32 apache apache 1144 2008-09-07 16:46 htdocs/
drwxrwxr--  3 root   apache 4632 2008-02-14 22:38 icons/

the rights for htdocs are recursive. I also tried changing it to 777, but still no effect.

The apache access logs gives a bunch of these lines:

Code:

local.damnation.nl - - [07/Sep/2008:17:02:29 +0200] "GET / HTTP/1.1" 403 293

And my error_log

Code:

[Sun Sep 07 17:02:34 2008] [crit] [client 10.0.0.150] (13)Permission denied: /var/www/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
[Sun Sep 07 17:02:37 2008] [crit] [client 10.0.0.150] (13)Permission denied: /var/www/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

These errors come from a .htaccess file, they only appear when I enter a directory with a .htaccess file in it. I didn't took the time yet to set it up right. There aren't anymore errors then these.

In my Apache config I have the following lines (if there is more info about my config needed just ask):

Code:

<Directory "/var/www/htdocs/">

    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.2/mod/core.html#options
    # for more information.
    #
    Options All

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride All

    #
    # Controls who can get stuff from this server.
    #
    Order allow,deny
    Allow from all

</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.php index.html index.htm
</IfModule>

#
# The following lines prevent .htaccess and .htpasswd files from being 
# viewed by Web clients. 
#
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

Userdirs:

Code:

UserDir public_html

<Directory "/home/*/public_html">
    AllowOverride All
    Options MultiViews SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

And also a couple of vhosts like these (there are more of them in the original config):

Code:

NameVirtualHost *:80

<VirtualHost *:80>
  ServerName home.habl.nl
  ServerAlias *.home.habl.nl
  DocumentRoot /var/www/htdocs/images/
  DirectoryIndex index.php index.html index.htm index.shtml
</VirtualHost>

For what I know it should work with this config and I tried a dozen of other combinations.

I really have no idea what to do anymore, probably it's something really simple and stupid, but I can't see my mistake. Somebody here who do?

keefaz · 09-07-2008, 11:32 AM

Could you post the output with: ls -al /var/www ?
Also the output with: ls -al /var/www/htdocs

habl · 09-07-2008, 11:39 AM

Thanks for your reply.

/var/www:

Code:

total 7
drwxrwxr--  7 root   www     168 2008-09-04 22:26 ./
drwxr-xr-x 17 root   root    528 2008-07-29 05:43 ../
drwxrwxr--  2 root   apache  144 2008-02-14 22:38 cgi-bin/
drwxrwxr--  3 root   apache  976 2008-02-14 22:38 error/
drwxr-xr-x 32 apache apache 1144 2008-09-07 16:46 htdocs/
drwxrwxr--  3 root   apache 4632 2008-02-14 22:38 icons/
drwxr-xr-x  2 apache apache   80 2008-09-04 21:57 passwd/

/var/www/htdocs

Code:

total 28
drwxr-xr-x 28 apache apache  808 2008-09-07 18:37 ./
drwxrwxr--  7 root   www     168 2008-09-04 22:26 ../
drwxr-xr-x  3 apache apache   72 2008-08-26 20:03 cgi-bin/
drwxr-xr-x  3 apache apache  104 2008-08-26 20:03 cgiirc/
drwxr-xr-x 14 apache apache 1176 2008-08-26 20:03 damnation/
drwxr-xr-x  2 apache apache  112 2008-08-26 20:03 domi/
drwxr-xr-x 11 apache apache  320 2008-09-07 16:23 downloads/
drwxr-xr-x  4 apache apache  200 2008-08-26 20:11 fun/
drwxr-xr-x 11 apache apache 1520 2008-08-26 20:12 hablserv/
drwxr-xr-x 15 apache apache 1288 2008-08-26 20:12 hablserv2/
drwxr-xr-x  3 apache apache  192 2008-09-07 18:34 home/
drwxr-xr-x  8 apache apache  264 2008-08-26 20:12 images/
-rwxr-xr-x  1 apache apache   55 2008-09-07 15:29 index.php*
drwxr-xr-x  2 apache apache  496 2008-08-26 20:12 kabelweg/
drwxr-xr-x  2 apache apache  240 2008-08-26 20:12 kangoo/
drwxr-xr-x  3 apache apache  456 2008-08-26 20:12 lgsl/
-rwxr-xr-x  1 apache apache 1350 2008-08-26 20:12 mailtest.php*
drwxr-xr-x  2 apache apache  136 2008-08-26 20:12 mobiel/
drwxr-xr-x  2 apache apache  112 2008-08-26 20:12 movie/
drwxr-xr-x  3 apache apache  216 2008-08-26 20:12 nightmare.org/
-rwxr-xr-x  1 apache apache   16 2008-08-26 20:12 phpinfo.php*
drwxr-xr-x  9 apache apache 2776 2008-08-26 20:12 phpmyadmin/
drwxr-xr-x  2 apache apache  112 2008-08-26 20:12 proxy/
drwxr-xr-x 11 apache apache 2864 2008-08-26 20:13 sql/
drwxr-xr-x  5 apache apache  368 2008-08-26 20:13 sysinfo/
drwxr-xr-x  5 apache apache  224 2008-08-26 20:13 temp/
drwxr-xr-x 12 apache apache 1760 2008-08-26 20:13 uri/
drwxr-xr-x 12 apache apache 1728 2008-08-26 20:13 uri.old/
drwxr-xr-x  2 apache apache 3464 2008-08-26 20:13 usage/
drwxr-xr-x  2 apache apache   96 2008-08-26 20:14 ut/
drwxr-xr-x  2 apache apache  112 2008-08-26 20:14 woutie/

keefaz · 09-07-2008, 11:46 AM

Ok, just do: chmod 0755 /var/www
That should fix it

And to correct some other potential permission problem:
chmod 0755 /var/www/cgi-bin
chmod 0755 /var/www/error
chmod 0755 /var/www/icons

If you want to restrict directory access for some directories, do it in httpd.conf or in .htaccess, it is better imho

Alien Bob · 09-07-2008, 11:48 AM

This should have said enough:

Quote:

drwxrwxr-- 7 root www 168 2008-09-04 22:26 ./

The apache user cannot descend into your /var/www directory structure.
Note that it is not enough to have read rights on a directory... if the directory does not have the executable bit set, you will not be able to access it.
So,

Code:

chmod -R o+x /var/www

should get the default Slackware permissions back (apart from the apache ownership).

Eric

habl · 09-07-2008, 12:00 PM

Quote:

Originally Posted by Alien Bob

This should have said enough:

The apache user cannot descend into your /var/www directory structure.
Note that it is not enough to have read rights on a directory... if the directory does not have the executable bit set, you will not be able to access it.
So,

Code:

chmod -R o+x /var/www

should get the default Slackware permissions back (apart from the apache ownership).

Eric

*sigh* Your right. Like I said, it had to be something stupid

Only weird thing is, this was the default ownership. Before all the directory's had this ownership. I allready changed /var/www/htdocs, only forgot the parent.

Thanks for your help!

Alien Bob · 09-07-2008, 12:06 PM

Quote:

Originally Posted by habl

Only weird thing is, this was the default ownership. Before all the directory's had this ownership. I allready changed /var/www/htdocs, only forgot the parent.

That would definitely not be the default settings, right after an installation of Slackware. So, something must have changed these permissions on your system after the installation of Slackware.

Are you running Slackware actually?

Eric

habl · 09-08-2008, 10:31 AM

Yes I am using slackware (12.1). I really don't know what could have changed the ownership. I didn't do it by hand and I also didn't installed other software (yet). It's pretty weird because the user/group www doesn't exists at all, so slackware doesn't allow to change it to www.

keefaz · 09-08-2008, 10:53 AM

www has to be defined in /etc/group, else the name www wouldn't appear on ls output, just the gid number

habl · 09-09-2008, 02:08 AM

Indeed it is. Oh well, probably I wasn't paying attention when installing slack and stuff, problem solved, case closed!