httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Axel-St├ęphane SMORGRAV <Axel-Stephane.SMORG...@europe.adp.com>
Subject RE: [users@httpd] permissions problem
Date Tue, 31 Jan 2006 08:32:54 GMT
 
The error log says that the file Apache is trying to read is /radar/data/hi3.html. The error
log normally will report the absolute file system path contrary to the access log that reports
the URL path requested. At the same time, from the information given, it is my understanding
that the URL you are trying to get is http://whatever/radar/data/hi3.html (from the browser's
message about not having permissions to access /radar/data/hi3.html on the server). Those
two pieces of information put together seem to indicate that your DocumentRoot is /.

You also say that documents in the radar directory are served correctly, which totally confuses
me.

Could you provide the following pieces of information:

1. ServerRoot from httpd.conf
2. DocumentRoot from httpd.conf
3. The path to your httpd.conf file
4. the output of the command "ps -ef | grep httpd"
5. the output of the command "ls -l /var/www/html/radar/data/hi3.html"

-ascs
________________________________

From: Dr. Stephen Judd [mailto:sjudd@seas.upenn.edu] 
Sent: Tuesday, January 31, 2006 4:50 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] permissions problem


On 2006 Jan 30, at 10:09 PM, Joshua Slive wrote:


	On 1/30/06, Dr. Stephen Judd <sjudd@seas.upenn.edu> wrote:


		On 2006 Jan 30, at 4:01 PM, Joshua Slive wrote:

		On 1/30/06, David Salisbury <salisbury@globe.gov> wrote:

		[Mon Jan 30 15:54:49 2006] [error] (13)Permission denied: access to
		/radar/data/hi3.html denied


			I'm not so sure about your "forbidden by rule" assumption.  I believe if
			you were to Deny access to an IP address you get a simple "permission
			denied".
			So I wouldn't discount a configuration problem.. maybe even a hidden
			.htaccess
			guy hanging out.


		No, in this case, "permission denied" (errorno=EACCES=13) is what the
		OS is returning when apache tries to open the file.

		Try logging in as the user specified in the User/Group directive and
		see if you can access the file.
		Joshua.


		The config file says this:
		User apache
		Group apache
		The straightforward way of doing what you ask for does not work:
		[root@database ~]# su apache
		This account is currently not available.
		I don't know exactly what that means or how to get around it,
		but I investigated this much further the other day and found some
		oddities...

		I wrote a little script to look into the issue of who the user is:
		<?php
		clearstatcache();
		$yuzer= $_ENV['USER']; $lognm= $_ENV['LOGNAME'];
		print "USER= $yuzer, LOGNAME= $lognm<br/>\n";
		$getperms= fileperms('data') & 0777;
		print "fileperms are: $getperms <br/>\n";
		if ($getperms ==0) print "cannot access<br/>\n";
		?>

		When invoked via the web, it apparently runs as root(!) (not apache?!)
		and gives a message saying that it cannot do a stat:
		USER= root, LOGNAME= root
		fileperms are: 0
		cannot access

		When invoked from the command line (in any of several users I tried)
		it works fine and accesses the file. I'm baffled. Is the "root" user
		that it purports to be the same as the usual system root user? If so, why
		can it not access a file that everyone else can? If not, then who is it??


	USER/LOGNAME are probably inherited from the parent apache process. 
	If you create a file in /tmp, you'll probably find it is owned by
	apache.

Yes. You are right about that. That makes the message from the script
all the more confusing. I suppose that it gets invoked as root and then
switches its identity to apache as soon as it can. You'd think that its
identity as root would be gone long before it ran my script, but whatever.


	Your problem still sounds very much like SELinux to me.  Are you
	absolutely positive you are not running that? 

	What exact version of redhat are you running?

I'm quite sure I'm not running SELinux. Here is my evidence:
[judd@database ~]$ echo $MACHTYPE
i686-redhat-linux-gnu
As for version, I dunno. How do I find out?


	If not, check the permissions on every file and directory starting
	with the one you are trying to access and going all the way up the
	tree.

I've done this --and redone it-- because it sure seems like the thing to do.
But no explanation lies in there.
The permissions on the radar directory are these:

	drwxr-xr-x  3 radar radargrp 4096 Jan 27 22:21 radar

The permissions on the data directory are these:

	drwxrwxrwx  4 radar radargrp 4096 Jan 26 09:13 data

And given that files from the radar directory are being served up without 
problem, I believe that I need exhibit no more evidence. Is that true?
Anyway, I'll provide it just to be forthcoming...
radar's parent is this:

	drwxr-xr-x   4 root root 4096 Jan 27 22:28 html

html's parent is this:

	drwxr-xr-x   8 root root 4096 Jan  6 11:26 www

and www's parent is this:

	drwxr-xr-x  21 root root 4096 Jan  6 11:38 var

and var's parent is /. The path is OPEN !

Tell me about the issue in SELinux. At this point, I'm willing to chase any
possibilities.
sj


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message