Greetings all;
I note just now that logwatch reports this:
--------------------- httpd Begin ------------------------
 Requests with error response codes
    403 Forbidden
       /: 1 Time(s)
       /gene/nitros9/level2/cc3io.dis: 1 Time(s)
       /gene/nitros9/level2/cc3io_l51.ng: 1 Time(s)
       /gene/nitros9/level2/cc3io_l51.ng.list: 1 Time(s)
       /gene/nitros9/level2/cc3io_l51_191l.list: 1 Time(s)
       /gene/nitros9/level2/cc3io_l52: 1 Time(s)
       /gene/nitros9/level2/cc3io_l52_191l: 1 Time(s)
       /gene/nitros9/level2/cc3io_m51.mine: 1 Time(s)
       /gene/nitros9/level2/cc3io_m51.mine.list: 1 Time(s)
       /gene/nitros9/level2/cc3io_m52: 1 Time(s)
       /gene/nitros9/level2/cc3io_m52_191l: 1 Time(s)
       /gene/nitros9/level2/dbgmouse: 1 Time(s)
       /gene/nitros9/level2/smouseM51_L51.updt: 1 Time(s)
Indicating that someone tried to read those files, which they should be able to, but were refused permissions. The directory 'nitros9' is a softlink from /var/www/html/gene/nitros9 to that directory in /opt, which has these permissions:

[root@coyote logrotate.d]# ls -l --lcontext /var/www/html/gene
total 36
drwxr-xr-x 2 system_u:object_r:httpd_sys_content_t:s0 apache apache 4096 2008-09-28 14:09 emc
lrwxrwxrwx 1 system_u:object_r:httpd_sys_content_t:s0 apache apache   19 2008-07-20 08:51 Garage-pix -> /usr/pix/Garage-pix
lrwxrwxrwx 1 system_u:object_r:httpd_sys_content_t:s0 apache apache   12 2008-06-20 11:01 nitros9 -> /opt/nitros9
drwxr-xr-x 2 system_u:object_r:httpd_sys_content_t:s0 apache apache 4096 2008-10-10 07:56 pix
drwxr-xr-x 2 system_u:object_r:httpd_sys_content_t:s0 apache apache 4096 2008-04-08 09:48 txpix
lrwxrwxrwx 1 system_u:object_r:httpd_sys_content_t:s0 root   root     18 2008-10-15 21:49 WorkBench -> /usr/pix/WorkBench
All the files that are referenced in the 403 no perms are owned by the user I must be in order to make cvs write access work. And that user is his own group also.
Seems like the fix should be easy, but I'm used up. Help please?
On Sun, 2008-10-26 at 05:00 -0400, Gene Heskett wrote:
Indicating that someone tried to read those files, which they should be able to, but were refused permissions.
Can you read those files through your web browser? (Through the web server, not by reading the files directly from the file system.)
Is Apache configured to follow symlinks?
On Sun, 26-10-2008 at 05:00 -0400, Gene Heskett wrote:
Greetings all;
I note just now that logwatch reports this:
--------------------- httpd Begin ------------------------
 Requests with error response codes
    403 Forbidden
       /: 1 Time(s)
       /gene/nitros9/level2/cc3io.dis: 1 Time(s)
       /gene/nitros9/level2/cc3io_l51.ng: 1 Time(s)
       /gene/nitros9/level2/cc3io_l51.ng.list: 1 Time(s)
       /gene/nitros9/level2/cc3io_l51_191l.list: 1 Time(s)
       /gene/nitros9/level2/cc3io_l52: 1 Time(s)
       /gene/nitros9/level2/cc3io_l52_191l: 1 Time(s)
       /gene/nitros9/level2/cc3io_m51.mine: 1 Time(s)
       /gene/nitros9/level2/cc3io_m51.mine.list: 1 Time(s)
       /gene/nitros9/level2/cc3io_m52: 1 Time(s)
       /gene/nitros9/level2/cc3io_m52_191l: 1 Time(s)
       /gene/nitros9/level2/dbgmouse: 1 Time(s)
       /gene/nitros9/level2/smouseM51_L51.updt: 1 Time(s)
Indicating that someone tried to read those files, which they should be able to, but were refused permissions. The directory 'nitros9' is a softlink from /var/www/html/gene/nitros9 to that directory in /opt, which has these permissions:

[root@coyote logrotate.d]# ls -l --lcontext /var/www/html/gene
total 36
drwxr-xr-x 2 system_u:object_r:httpd_sys_content_t:s0 apache apache 4096 2008-09-28 14:09 emc
lrwxrwxrwx 1 system_u:object_r:httpd_sys_content_t:s0 apache apache   19 2008-07-20 08:51 Garage-pix -> /usr/pix/Garage-pix
lrwxrwxrwx 1 system_u:object_r:httpd_sys_content_t:s0 apache apache   12 2008-06-20 11:01 nitros9 -> /opt/nitros9
drwxr-xr-x 2 system_u:object_r:httpd_sys_content_t:s0 apache apache 4096 2008-10-10 07:56 pix
drwxr-xr-x 2 system_u:object_r:httpd_sys_content_t:s0 apache apache 4096 2008-04-08 09:48 txpix
lrwxrwxrwx 1 system_u:object_r:httpd_sys_content_t:s0 root   root     18 2008-10-15 21:49 WorkBench -> /usr/pix/WorkBench
All the files that are referenced in the 403 no perms are owned by the user I must be in order to make cvs write access work. And that user is his own group also.
Is /opt readable for the apache user?
Manuel.
On Sunday 26 October 2008, Manuel Aróstegui wrote:
On Sun, 26-10-2008 at 05:00 -0400, Gene Heskett wrote:
Greetings all;
I note just now that logwatch reports this:
--------------------- httpd Begin ------------------------
 Requests with error response codes
    403 Forbidden
       /: 1 Time(s)
       /gene/nitros9/level2/cc3io.dis: 1 Time(s)
       /gene/nitros9/level2/cc3io_l51.ng: 1 Time(s)
       /gene/nitros9/level2/cc3io_l51.ng.list: 1 Time(s)
       /gene/nitros9/level2/cc3io_l51_191l.list: 1 Time(s)
       /gene/nitros9/level2/cc3io_l52: 1 Time(s)
       /gene/nitros9/level2/cc3io_l52_191l: 1 Time(s)
       /gene/nitros9/level2/cc3io_m51.mine: 1 Time(s)
       /gene/nitros9/level2/cc3io_m51.mine.list: 1 Time(s)
       /gene/nitros9/level2/cc3io_m52: 1 Time(s)
       /gene/nitros9/level2/cc3io_m52_191l: 1 Time(s)
       /gene/nitros9/level2/dbgmouse: 1 Time(s)
       /gene/nitros9/level2/smouseM51_L51.updt: 1 Time(s)
Indicating that someone tried to read those files, which they should be able to, but were refused permissions. The directory 'nitros9' is a softlink from /var/www/html/gene/nitros9 to that directory in /opt, which has these permissions:

[root@coyote logrotate.d]# ls -l --lcontext /var/www/html/gene
total 36
drwxr-xr-x 2 system_u:object_r:httpd_sys_content_t:s0 apache apache 4096 2008-09-28 14:09 emc
lrwxrwxrwx 1 system_u:object_r:httpd_sys_content_t:s0 apache apache   19 2008-07-20 08:51 Garage-pix -> /usr/pix/Garage-pix
lrwxrwxrwx 1 system_u:object_r:httpd_sys_content_t:s0 apache apache   12 2008-06-20 11:01 nitros9 -> /opt/nitros9
drwxr-xr-x 2 system_u:object_r:httpd_sys_content_t:s0 apache apache 4096 2008-10-10 07:56 pix
drwxr-xr-x 2 system_u:object_r:httpd_sys_content_t:s0 apache apache 4096 2008-04-08 09:48 txpix
lrwxrwxrwx 1 system_u:object_r:httpd_sys_content_t:s0 root   root     18 2008-10-15 21:49 WorkBench -> /usr/pix/WorkBench
All the files that are referenced in the 403 no perms are owned by the user I must be in order to make cvs write access work. And that user is his own group also.
Is /opt readable for the apache user?
Manuel.
Good question, but one I don't know how to determine. I can read them just fine with FF, going to the exact same web address you would use: http://gene.homelinux.net:85/gene/nitros9
But apparently (some) others cannot.
So how can I fix this if that is the problem?
Thanks Manuel.
-- Manuel Arostegui Ramirez.
Electronic Mail is not secure, might not be read every day, and should not be used for urgent or sensitive issues.
On Wed, 2008-10-29 at 10:52 -0400, Gene Heskett wrote:
I can read them just fine with FF, going to the exact same web address you would use: http://gene.homelinux.net:85/gene/nitros9
But apparently (some) others cannot.
I just had a look, and some files in there are forbidden (cc3io.dis), others load (e.g. the make). Which leads me to wonder about:
Permissions &/or SELinux contexts on individual files. Whatever the user and group permissions, the world permissions need to be world readable, and world executable for directories (all parent directories, right back to /). And there must be an appropriate httpd SELinux context.
Are these files actually there, or are they elsewhere, and these are symlinks to them?
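The walk Tim describes, written out as a shell check. This is an added example, not code from anyone in the thread: it starts at the requested file, confirms the file is world-readable and every directory from there back to / is world-executable, and whenever it meets a symlink it queues the target so the target's own chain (here /opt/nitros9) is checked the same way. It assumes httpd runs as a user that is neither owner nor group of the files (Gene's situation), that `readlink` and `ls -L` are available (GNU coreutils; `readlink` is not strictly POSIX), and that paths contain no spaces. The SELinux half of Tim's point is not automated here; `ls -ldZ` on the same paths covers it.

```shell
#!/bin/sh
# Added example (not from the thread). For httpd running as an unrelated
# user, a 403 on a static file is avoided only when
#   - every directory from / down to the file is world-executable (x or t), and
#   - the file itself is world-readable,
# on the REAL path: a symlink's target has its own parent chain to satisfy.
# Assumptions: no spaces in paths; `readlink` and `ls -L` exist (GNU/BSD);
# SELinux context is checked separately with `ls -ldZ` on the same paths.

# Print the "other" rwx field of PATH's mode, dereferencing a final symlink
# (e.g. "r-x"); prints nothing if the path does not exist.
other_bits() {
    ls -ldL "$1" 2>/dev/null | cut -c8-10
}

# check_web_path FILE
# Prints one line per problem found; returns 1 if any, 0 if the chain is clean.
check_web_path() {
    pending=$1      # space-separated work list of paths whose chain to check
    seen=""
    rc=0
    while [ -n "$pending" ]; do
        cur=${pending%% *}
        case $pending in *" "*) pending=${pending#* } ;; *) pending="" ;; esac
        case " $seen " in *" $cur "*) continue ;; esac
        seen="$seen $cur"

        p=$cur
        leaf=1
        while :; do
            if [ -L "$p" ]; then
                t=$(readlink "$p")
                case $t in /*) ;; *) t=$(dirname "$p")/$t ;; esac
                echo "symlink: $p -> $t (checking target chain too)"
                pending="${pending:+$pending }$t"
            fi
            bits=$(other_bits "$p")
            if [ -z "$bits" ]; then
                echo "missing or unreadable: $p"
                rc=1
                break
            fi
            # the leaf must be readable; any directory must be searchable
            need=x
            if [ $leaf -eq 1 ]; then
                need=r
                [ -d "$p" ] && need=rx
            fi
            case $need in *r*)
                case $bits in r??) ;; *) echo "not world-readable:   $p ($bits)"; rc=1 ;; esac ;;
            esac
            case $need in *x*)
                case $bits in ??[xt]) ;; *) echo "not world-searchable: $p ($bits)"; rc=1 ;; esac ;;
            esac
            [ "$p" = / ] && break
            p=$(dirname "$p")
            leaf=0
        done
    done
    return $rc
}

# make_demo_tree: a constructed tree under /tmp mirroring Gene's layout
# (html/gene/nitros9 -> real, with one file left mode 600); prints its root.
make_demo_tree() {
    d=$(mktemp -d /tmp/webperm.XXXXXX)
    mkdir -p "$d/real/level2" "$d/html/gene"
    chmod 755 "$d" "$d/real" "$d/real/level2" "$d/html" "$d/html/gene"
    echo "cc3io" > "$d/real/level2/cc3io.dis"
    chmod 600 "$d/real/level2/cc3io.dis"     # the defect the thread diagnoses
    ln -s "$d/real" "$d/html/gene/nitros9"
    echo "$d"
}

# Stand-alone use: sh check_web_path.sh /var/www/html/gene/nitros9/level2/cc3io.dis
[ $# -gt 0 ] && check_web_path "$1"
```

Run it against the path httpd would map the URL to; each reported line is one reason for a 403, and the symlink lines tell you which second chain (the /opt side in Gene's case) was also walked.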
On Wednesday 29 October 2008, Tim wrote:
On Wed, 2008-10-29 at 10:52 -0400, Gene Heskett wrote:
I can read them just fine with FF, going to the exact same web address you would use: http://gene.homelinux.net:85/gene/nitros9
But apparently (some) others cannot.
I just had a look, and some files in there are forbidden (cc3io.dis), others load (e.g. the make). Which leads me to wonder about:
Permissions &/or SELinux contexts on individual files. Whatever the user and group permissions, the world permissions need to be world readable, and world executable for directories (all parent directories, right back to /). And there must be an appropriate httpd SELinux context.
And that was one of the clues, confirmed by an ls -l in the real files directory.
I just did a chmod 0644 * in that directory, try it again please.
Are these files actually there, or are they elsewhere, and these are symlinks to them?
Symlinks.
Thanks Tim.
Gene Heskett wrote:
Are these files actually there, or are they elsewhere, and these are symlinks to them?
Symlinks.
Dumb question - do you have the FollowSymLinks option turned on?
Mikkel
On Wednesday 29 October 2008, Mikkel L. Ellertson wrote:
Gene Heskett wrote:
Are these files actually there, or are they elsewhere, and these are symlinks to them?
Symlinks.
Dumb question - do you have the FollowSymLinks option turned on?
Mikkel
That part must be working since some of them were readable; only selected ones were getting the 403's. And I think I fixed it with a chmod 0644 *. You might recheck now if you have the time.
Thanks Mikkel.
On Wed, 2008-10-29 at 15:34 -0400, Gene Heskett wrote:
And that was one of the clues, confirmed by an ls -l in the real files directory.
I just did a chmod 0644 * in that directory, try it again please.
Don't forget world executable permissions on directories.
Tried a few, working now. I don't see any files that I tried before that didn't work, still in that directory. So I can't test that.
On Thursday 30 October 2008, Tim wrote:
On Wed, 2008-10-29 at 15:34 -0400, Gene Heskett wrote:
And that was one of the clues, confirmed by an ls -l in the real files directory.
I just did a chmod 0644 * in that directory, try it again please.
Don't forget world executable permissions on directories.
Ahh, so it should have been 0655, fixed I hope.
Tried a few, working now. I don't see any files that I tried before that didn't work, still in that directory. So I can't test that.
Thanks Tim.
Tim:
Don't forget world executable permissions on directories.
Gene Heskett:
Ahh, so it should have been 0655, fixed I hope.
Don't do that to files, you don't want to make all your webservable files executable, unless they need it (e.g. CGI scripts, or SHTML pages where you're using the X bit hack to tell the server to parse them for SSI, rather than using the filename suffix).
That's where doing something like "chmod o+X" (that's a deliberate capital X), rather than "chmod 644" was useful. It'd set executable bits where it was needed (to directories), and not where it was not (not on files, unless they were already executable).
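Tim's capital X, shown on a constructed tree. This is an added example, not something from the thread: it builds a small web tree with a non-searchable directory, an unreadable data file and a genuinely executable CGI script, applies `chmod -R o+rX` (Tim's `o+X` plus the world-read bit Gene had already set with 0644), and keeps the blanket `0655` Gene mentioned for comparison. It assumes a chmod that understands the POSIX `X` symbolic bit (GNU and BSD both do) and paths without spaces.

```shell
#!/bin/sh
# Added example (not from the thread): what the symbolic X bit does versus
# a numeric mode applied to everything.

# Print the 10-character mode string of PATH, e.g. "-rw-r--r--".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# make_tree: constructed sample tree. Prints the root directory.
make_tree() {
    d=$(mktemp -d /tmp/oplusx.XXXXXX)
    mkdir "$d/level2"
    echo data > "$d/level2/cc3io.dis"
    printf '#!/bin/sh\necho ok\n' > "$d/level2/hello.cgi"
    chmod 700 "$d" "$d/level2"       # not world-searchable
    chmod 600 "$d/level2/cc3io.dis"  # not world-readable
    chmod 700 "$d/level2/hello.cgi"  # executable for the owner only
    echo "$d"
}

# fix_web_tree DIR: world-readable everywhere; world-searchable/executable
# only where an execute bit already exists (directories and real scripts).
# X never adds execute to a plain data file.
fix_web_tree() {
    chmod -R o+rX "$1"
}

# blanket_0655 DIR: the numeric alternative, for comparison only. Every plain
# file becomes world-executable, and directories lose the owner's own search
# bit (0655 is rw-r-xr-x), so the owner can no longer enter them.
blanket_0655() {
    find "$1" -exec chmod 0655 {} +
}
```

After `fix_web_tree` the data file ends up `-rw----r--`, the directories `drwx---r-x`, and the script `-rwx---r-x`; after `blanket_0655` the data file is `-rw-r-xr-x`, which is exactly what Tim is warning against.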
On Thursday 30 October 2008, Tim wrote:
Tim:
Don't forget world executable permissions on directories.
Gene Heskett:
Ahh, so it should have been 0655, fixed I hope.
Don't do that to files, you don't want to make all your webservable files executable, unless they need it (e.g. CGI scripts, or SHTML pages where you're using the X bit hack to tell the server to parse them for SSI, rather than using the filename suffix).
That's where doing something like "chmod o+X" (that's a deliberate capital X), rather than "chmod 644" was useful. It'd set executable bits where it was needed (to directories), and not where it was not (not on files, unless they were already executable).
Neat trick, thanks. I learned something today. :)
On Sun, 26 Oct 2008, Gene Heskett wrote:
lrwxrwxrwx 1 system_u:object_r:httpd_sys_content_t:s0 apache apache 12 2008-06-20 11:01 nitros9 -> /opt/nitros9
This, however, doesn't tell us anything about what /opt/nitros9 contains. Make sure that everything inside that directory that you want httpd to access has the proper permissions and security context.
Ian