4 a.m.
Greetings all;
I note just now that logwatch reports this:
--------------------- httpd Begin ------------------------
Requests with error response codes
403 Forbidden
/: 1 Time(s)
/gene/nitros9/level2/cc3io.dis: 1 Time(s)
/gene/nitros9/level2/cc3io_l51.ng: 1 Time(s)
/gene/nitros9/level2/cc3io_l51.ng.list: 1 Time(s)
/gene/nitros9/level2/cc3io_l51_191l.list: 1 Time(s)
/gene/nitros9/level2/cc3io_l52: 1 Time(s)
/gene/nitros9/level2/cc3io_l52_191l: 1 Time(s)
/gene/nitros9/level2/cc3io_m51.mine: 1 Time(s)
/gene/nitros9/level2/cc3io_m51.mine.list: 1 Time(s)
/gene/nitros9/level2/cc3io_m52: 1 Time(s)
/gene/nitros9/level2/cc3io_m52_191l: 1 Time(s)
/gene/nitros9/level2/dbgmouse: 1 Time(s)
/gene/nitros9/level2/smouseM51_L51.updt: 1 Time(s)
Indicating that someone tried to read those files, which they should be able
to, but were refused permissions. The directory 'nitros9' is a softlink
from /var/www/html/gene/nitros9 to that directory in /opt, which has these
permissions:
[root@coyote logrotate.d]# ls -l --lcontext /var/www/html/gene
total 36
drwxr-xr-x 2 system_u:object_r:httpd_sys_content_t:s0 apache apache 4096
2008-09-28 14:09 emc
lrwxrwxrwx 1 system_u:object_r:httpd_sys_content_t:s0 apache apache 19
2008-07-20 08:51 Garage-pix -> /usr/pix/Garage-pix
lrwxrwxrwx 1 system_u:object_r:httpd_sys_content_t:s0 apache apache 12
2008-06-20 11:01 nitros9 -> /opt/nitros9
drwxr-xr-x 2 system_u:object_r:httpd_sys_content_t:s0 apache apache 4096
2008-10-10 07:56 pix
drwxr-xr-x 2 system_u:object_r:httpd_sys_content_t:s0 apache apache 4096
2008-04-08 09:48 txpix
lrwxrwxrwx 1 system_u:object_r:httpd_sys_content_t:s0 root root 18
2008-10-15 21:49 WorkBench -> /usr/pix/WorkBench
All the files that are referenced in the 403 no perms are owned by the user I
must be in order to make cvs write access work. And that user is his own
group also.
Seems like the fix should be easy, but I'm used up. Help please?
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
A student who changes the course of history is probably taking an exam.
3:14 p.m.
Gene Heskett wrote:
> Are these files actually there, or are they elsewhere, and these
are
> symlinks to them?
Symlinks.
Dumb question - do you have the FollowSymLinks option turned on?
Mikkel
--
Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!
7:18 a.m.
Tim:
> Don't forget world executable permissions on directories.
Gene Heskett:
Ahh, so it should have been 0655, fixed I hope.
Don't do that to files, you don't want to make all your webservable
files executable, unless they need it (e.g. CGI scripts, or SHTML pages
where you're using the X bit hack to tell the server to parse them for
SSI, rather than using the filename suffix).
That's where doing something like "chmod o+X" (that's a deliberate
capital X), rather than "chmod 644" was useful. It'd set executable
bits where it was needed (to directories), and not where it was not (not
on files, unless they were already executable).
--
[tim@localhost ~]$ uname -r
2.6.26.6-79.fc9.i686
Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.
8:29 a.m.
On Thursday 30 October 2008, Tim wrote:
Tim:
>> Don't forget world executable permissions on directories.
Gene Heskett:
> Ahh, so it should have been 0655, fixed I hope.
Don't do that to files, you don't want to make all your webservable
files executable, unless they need it (e.g. CGI scripts, or SHTML pages
where you're using the X bit hack to tell the server to parse them for
SSI, rather than using the filename suffix).
That's where doing something like "chmod o+X" (that's a deliberate
capital X), rather than "chmod 644" was useful. It'd set executable
bits where it was needed (to directories), and not where it was not (not
on files, unless they were already executable).
Neat trick, thanks. I learned something today. :)
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
<SlayR> i just bought MS Office 2000 for only $20!!!
<Knghtbrd> you got ripped off ;>
<SlayR> i know ;)
11:44 p.m.
On Wed, 2008-10-29 at 15:34 -0400, Gene Heskett wrote:
And that was one of the clues, confirmed by an ls -l in the real
files
directory.
I just did a chmod 0644 * in that directory, try it again please.
Don't forget world executable permissions on directories.
Tried a few, working now. I don't see any files that I tried before
that didn't work, still in that directory. So I can't test that.
--
[tim@localhost ~]$ uname -r
2.6.26.6-79.fc9.i686
Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.
1:32 a.m.
On Thursday 30 October 2008, Tim wrote:
On Wed, 2008-10-29 at 15:34 -0400, Gene Heskett wrote:
> And that was one of the clues, confirmed by an ls -l in the real files
> directory.
>
> I just did a chmod 0644 * in that directory, try it again please.
Don't forget world executable permissions on directories.
Ahh, so it should have been 0655, fixed I hope.
Tried a few, working now. I don't see any files that I tried
before
that didn't work, still in that directory. So I can't test that.
Thanks Tim.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Those who hate and fight must stop themselves -- otherwise it is not stopped.
-- Spock, "Day of the Dove", stardate unknown
2:34 p.m.
On Wednesday 29 October 2008, Tim wrote:
On Wed, 2008-10-29 at 10:52 -0400, Gene Heskett wrote:
> I can read them just fine with FF, going to the exact same web address
> you would use: <http://gene.homelinux.net:85/gene/nitros9>
>
> But apparently (some) others cannot.
I just had a look, and some files in there are forbidden (cc3io.dis),
others load (e.g. the make). Which leads me to wonder about:
Permissions &/or SELinux contexts on individual files. Whatever the
user and group permissions, the world permissions need to be world
readable, and world executable for directories (all parent directories,
right back to /). And there must be an appropriate httpd SELinux
context.
And that was one of the clues, confirmed by an ls -l in the real files
directory.
I just did a chmod 0644 * in that directory, try it again please.
Are these files actually there, or are they elsewhere, and these are
symlinks to them?
Symlinks.
Thanks Tim.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Steal my cash, car and TV - but leave the computer!
-- Soenke Lange <soenke(a)escher.north.de>
12:15 p.m.
On Wed, 2008-10-29 at 10:52 -0400, Gene Heskett wrote:
I can read them just fine with FF, going to the exact same web
address
you would use: <http://gene.homelinux.net:85/gene/nitros9>
But apparently (some) others cannot.
I just had a look, and some files in there are forbidden (cc3io.dis),
others load (e.g. the make). Which leads me to wonder about:
Permissions &/or SELinux contexts on individual files. Whatever the
user and group permissions, the world permissions need to be world
readable, and world executable for directories (all parent directories,
right back to /). And there must be an appropriate httpd SELinux
context.
Are these files actually there, or are they elsewhere, and these are
symlinks to them?
--
[tim@localhost ~]$ uname -r
2.6.26.6-79.fc9.i686
Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.
9:52 a.m.
On Sunday 26 October 2008, Manuel Aróstegui wrote:
El dom, 26-10-2008 a las 05:00 -0400, Gene Heskett escribió:
> Greetings all;
>
> I note just now that logwatch reports this:
>
> --------------------- httpd Begin ------------------------
>
>
> Requests with error response codes
> 403 Forbidden
> /: 1 Time(s)
> /gene/nitros9/level2/cc3io.dis: 1 Time(s)
> /gene/nitros9/level2/cc3io_l51.ng: 1 Time(s)
> /gene/nitros9/level2/cc3io_l51.ng.list: 1 Time(s)
> /gene/nitros9/level2/cc3io_l51_191l.list: 1 Time(s)
> /gene/nitros9/level2/cc3io_l52: 1 Time(s)
> /gene/nitros9/level2/cc3io_l52_191l: 1 Time(s)
> /gene/nitros9/level2/cc3io_m51.mine: 1 Time(s)
> /gene/nitros9/level2/cc3io_m51.mine.list: 1 Time(s)
> /gene/nitros9/level2/cc3io_m52: 1 Time(s)
> /gene/nitros9/level2/cc3io_m52_191l: 1 Time(s)
> /gene/nitros9/level2/dbgmouse: 1 Time(s)
> /gene/nitros9/level2/smouseM51_L51.updt: 1 Time(s)
>
> Indicating that someone tried to read those files, which they should be
> able to, but were refused permissions. The directory 'nitros9' is a
> softlink from /var/www/html/gene/nitros9 to that directory in /opt, which
> has these permissions:
> [root@coyote logrotate.d]# ls -l --lcontext /var/www/html/gene
> total 36
> drwxr-xr-x 2 system_u:object_r:httpd_sys_content_t:s0 apache apache 4096
> 2008-09-28 14:09 emc
> lrwxrwxrwx 1 system_u:object_r:httpd_sys_content_t:s0 apache apache 19
> 2008-07-20 08:51 Garage-pix -> /usr/pix/Garage-pix
> lrwxrwxrwx 1 system_u:object_r:httpd_sys_content_t:s0 apache apache 12
> 2008-06-20 11:01 nitros9 -> /opt/nitros9
> drwxr-xr-x 2 system_u:object_r:httpd_sys_content_t:s0 apache apache 4096
> 2008-10-10 07:56 pix
> drwxr-xr-x 2 system_u:object_r:httpd_sys_content_t:s0 apache apache 4096
> 2008-04-08 09:48 txpix
> lrwxrwxrwx 1 system_u:object_r:httpd_sys_content_t:s0 root root 18
> 2008-10-15 21:49 WorkBench -> /usr/pix/WorkBench
>
> All the files that are referenced in the 403 no perms are owned by the
> user I must be in order to make cvs write access work. And that user is
> his own group also.
Is /opt readable for the apache user?
Manuel.
Good question, but one I don't know how to determine. I can read them just
fine with FF, going to the exact same web address you would use:
<http://gene.homelinux.net:85/gene/nitros9>
But apparently (some) others cannot.
So how can I fix this if that is the problem?
Thanks Manuel.
--
Manuel Arostegui Ramirez.
Electronic Mail is not secure, might not be read every day, and should not
be used for urgent or sensitive issues.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Atlanta makes it against the law to tie a giraffe to a telephone pole
or street lamp.
9:54 p.m.
On Sun, 26 Oct 2008, Gene Heskett wrote:
lrwxrwxrwx 1 system_u:object_r:httpd_sys_content_t:s0 apache apache
12
2008-06-20 11:01 nitros9 -> /opt/nitros9
This, however, doesn't tell us anything about what /opt/nitros9
contains. Make sure that everything inside that directory that you want
httpd to access has the proper permissions and security context.
Ian
6:19 a.m.
El dom, 26-10-2008 a las 05:00 -0400, Gene Heskett escribió:
Greetings all;
I note just now that logwatch reports this:
--------------------- httpd Begin ------------------------
Requests with error response codes
403 Forbidden
/: 1 Time(s)
/gene/nitros9/level2/cc3io.dis: 1 Time(s)
/gene/nitros9/level2/cc3io_l51.ng: 1 Time(s)
/gene/nitros9/level2/cc3io_l51.ng.list: 1 Time(s)
/gene/nitros9/level2/cc3io_l51_191l.list: 1 Time(s)
/gene/nitros9/level2/cc3io_l52: 1 Time(s)
/gene/nitros9/level2/cc3io_l52_191l: 1 Time(s)
/gene/nitros9/level2/cc3io_m51.mine: 1 Time(s)
/gene/nitros9/level2/cc3io_m51.mine.list: 1 Time(s)
/gene/nitros9/level2/cc3io_m52: 1 Time(s)
/gene/nitros9/level2/cc3io_m52_191l: 1 Time(s)
/gene/nitros9/level2/dbgmouse: 1 Time(s)
/gene/nitros9/level2/smouseM51_L51.updt: 1 Time(s)
Indicating that someone tried to read those files, which they should be able
to, but were refused permissions. The directory 'nitros9' is a softlink
from /var/www/html/gene/nitros9 to that directory in /opt, which has these
permissions:
[root@coyote logrotate.d]# ls -l --lcontext /var/www/html/gene
total 36
drwxr-xr-x 2 system_u:object_r:httpd_sys_content_t:s0 apache apache 4096
2008-09-28 14:09 emc
lrwxrwxrwx 1 system_u:object_r:httpd_sys_content_t:s0 apache apache 19
2008-07-20 08:51 Garage-pix -> /usr/pix/Garage-pix
lrwxrwxrwx 1 system_u:object_r:httpd_sys_content_t:s0 apache apache 12
2008-06-20 11:01 nitros9 -> /opt/nitros9
drwxr-xr-x 2 system_u:object_r:httpd_sys_content_t:s0 apache apache 4096
2008-10-10 07:56 pix
drwxr-xr-x 2 system_u:object_r:httpd_sys_content_t:s0 apache apache 4096
2008-04-08 09:48 txpix
lrwxrwxrwx 1 system_u:object_r:httpd_sys_content_t:s0 root root 18
2008-10-15 21:49 WorkBench -> /usr/pix/WorkBench
All the files that are referenced in the 403 no perms are owned by the user I
must be in order to make cvs write access work. And that user is his own
group also.
Is /opt readable for the apache user?
Manuel.
--
Manuel Arostegui Ramirez.
Electronic Mail is not secure, might not be read every day, and should not
be used for urgent or sensitive issues.
5:24 a.m.
On Sun, 2008-10-26 at 05:00 -0400, Gene Heskett wrote:
Indicating that someone tried to read those files, which they should
be able to, but were refused permissions.
Can you read those files through your web browser? (Through the
webserver, not directly reading the files the file system.)
Is Apache configured to follow symlinks?
--
[tim@localhost ~]$ uname -r
2.6.26.5-45.fc9.i686
Don't send private replies to my address, the mailbox is ignored. I
read messages from the public lists.
4:21 p.m.
On Wednesday 29 October 2008, Mikkel L. Ellertson wrote:
Gene Heskett wrote:
>> Are these files actually there, or are they elsewhere, and these are
>> symlinks to them?
>
> Symlinks.
Dumb question - do you have the FollowSymLinks option turned on?
Mikkel
That part must be working since some of them were readable, only seletced was
getting the 403's. And I think I fixed it with a chmod 0644 *. You might
recheck now if you have the time.
Thanks Mikkel.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
You can't expect a boy to be vicious till he's been to a good school.
-- H.H. Munro
5693
days inactive
5697
days old
12 comments
5 participants
participants (5)
-
Gene Heskett -
Ian Hilt -
Manuel Aróstegui -
Mikkel -
Tim