Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

You don't have permission error in Apache in CentOS

I have installed apache 2.2 in centos 6. Everything worked fine when the apache folder was at its default location /var/www/html. Then I configured a Virtual host inside my users home folder. After that apache started showing Forbidden You don't have permission error when I tried to go to localhost or 127.0.0.1 from browser.

this is the code i used in httpd.conf

<VirtualHost *:80>
        DocumentRoot "/home/anjan/workspace/mfs"
        ServerName anjan-centOS
        <Directory "/home/anjan/workspace/mfs">
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order Deny,Allow
                Allow from all
        </Directory>
</VirtualHost>

I also disabled SElinux as was mentioned in some articles but in vain. If anyone could help me out it would be much appreciated.

like image 938
th1rdey3 Avatar asked Jan 20 '13 18:01

th1rdey3


2 Answers

I solved the problem. After meddling with the permission of the system I found out that the user "anjan" who is owner of /home/anjan had read/write/execute permission on /home/anjan but the group "anjan", created when user "anjan" was created didn't have any permission at all.

ls -l /home/

showed

drwx------. 28 anjan anjan 4096 Jan 21 13:19 anjan

so I changed the permission with this command

chmod -R 770 /home/anjan
ls -l /home/
drwxrwx---. 28 anjan anjan 4096 Jan 21 13:19 anjan

i found out under which user my apache is running from this thread. It was running under user "apache"

so I added user "apache" to group "anjan" with this command.

usermod -G anjan,apache apache

after that voila. No more Forbidden error.

P.S. I did everything as the root user.

UPDATE It seems the provided link is broken now. Heres another one.

Just to be safe(to avoid future broken links), copying the command here. In terminal type -

ps axo user,group,comm | grep apache
like image 114
th1rdey3 Avatar answered Nov 08 '22 08:11

th1rdey3


This is (for me at least) a doubtful design. It basically means that the Apache user has WRITE access to all that user's files including secrets for example ssh-keys.

Not fun if a cracker attacks apache.

A simple modification would be while running as 'anjan':

chmod -R g-rwx ~ # undo the unsafe -R first
chmod g+rx ~ ~/workspace
chmod -R g+rx ~/workspace/mfs

If apache is a member of the 'anjan' group.

My recommendation is to use ACL:s if the filesystem supports that.

Is SELinux running now ? It should be so and if is still the case that the SELinux policy blocks apache's access to workspace/mfs a number of messages from sealert should be evident in var/log/messages. This problem is usually fixed with a judicious usage of setsebol.

Disabling SELinux because something isn't working and recommending that method is njaa....

The original problem is that apache runs as itself and because of that is slumped in the other category when calculating permissions.

chmod o+rx ~anjan/ ~anjan/workspace/ ~anjan/workspace/mfs

should be enough.

CentOS 6 is a free (as in free beer) version of RedHat Enterprise Linux and as such RedHat's document https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Confined_Services/ is a necessity.

like image 22
user2402590 Avatar answered Nov 08 '22 10:11

user2402590