Problem with apache virtual host in new fedora 12 installation

Tim ignored_mailbox at yahoo.com.au
Thu Mar 11 05:54:41 UTC 2010


On Thu, 2010-03-11 at 06:55 +0800, Richard Cahilig wrote:
> I have problem with my new apache virtual host setup in my fedora 12
> server. I can't access it in the browser and I am receiving error 403.
> Please see the error below in my error_log.

Virtual hosts (generally) read from: 

 /var/www/something-or-other

With you specifying the something-or-other.  And the files owned by
whoever wrote them.  And all the way up the directory tree, world
readable permissions for files and directories, plus world executable
directories.  Owner and group permissions aren't used for web serving.

e.g. /var needs world r-x
     /var/www needs world r-x
     /var/www/html needs world r-x
     /var/www/html/homepage.html needs world r--
         (likewise for /var/www/different-web-site)

User home dirs are (generally) read from:

 /home/username/public_html

With username being the different user's names (their homespace), and
the files owned by whoever wrote them.  All the way up the directory
tree, world readable permissions for files and directories, plus world
executable for directories.  Owner and group permissions aren't used for
web serving.

If SELinux is being used, then contexts must be set correctly on the
files and directories.  They will be, by default, if you copy files to
the proper places, or create files in the proper places.  But if you
write files, then move them, they'll have the wrong contexts.

In the /var/www/ directory, I see files using the following contexts:

 system_u:object_r:httpd_sys_content_t
 root:object_r:httpd_sys_content_t

But the user's home space should use different contexts.  If I create a
new public_html directory, it gets:

 system_u:object_r:httpd_user_content_t:s0

And if I create a new file in there, it gets:
 unconfined_u:object_r:httpd_user_content_t:s0

Note how the system web serving directory has *sys* (system) content
contexts, and user's web serving directories have *user* content
contexts.  Things get a bit more complex if you allow the running of
scripts.

If you are operating a public webserver, or a private one in a hostile
environment, then you are better to keep SELinux running, and set things
up properly.

Do *NOT* set files and directories to be owned by the Apache user (or
group), nor set files to be world writeable.  You'd be opening yourself
up, even more, to potential hacking.

-- 
[tim at localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.
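The permission chain Tim describes (world r-x on every directory from the web root up, world r-- on the files, nothing owned by or writeable for the Apache user) can be checked mechanically. The script below is an added example, not code from the post or from the Fedora project; it walks from a file or directory up to a stop directory (assumed argument, default /) and reports every component that lacks the world bits Apache needs, then flags the separate risk of world-writeable files. The SELinux helper only prints contexts with ls -Z where that option exists; the restorecon command in its comment is the usual fix for files that were moved rather than created in place, and is not mentioned in the post.

```sh
#!/bin/sh
# Check the "other" permission bits along a path, the way Apache sees them.
# Added example; not from the original post.

# Print the world (other) permission triplet of a path, e.g. "r-x".
# ls -ld is used because its output format is the same on Linux and BSD,
# whereas stat's flags differ between them.
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# check_world_readable PATH [STOP]
# Walk from PATH up to STOP (inclusive, default "/"), printing one line per
# problem. Returns 0 when every component is fine, 1 when something must be
# fixed, 2 when PATH does not exist.
check_world_readable() {
    p=$1
    stop=${2:-/}
    problems=0
    [ -e "$p" ] || { echo "MISSING $p"; return 2; }
    while :; do
        bits=$(other_bits "$p")
        if [ -d "$p" ]; then
            # Directories need world read + search; "t" (sticky) also implies x.
            case $bits in
                r?[xt]) ;;
                *) echo "DIR  $p needs world r-x (has $bits)"
                   problems=$((problems + 1)) ;;
            esac
        else
            case $bits in
                r??) ;;
                *) echo "FILE $p needs world r-- (has $bits)"
                   problems=$((problems + 1)) ;;
            esac
        fi
        # World-writeable content is the opposite mistake: flag it on any component.
        case $bits in
            ?w?) echo "WRITEABLE $p is world-writeable; remove the w bit"
                 problems=$((problems + 1)) ;;
        esac
        [ "$p" = "$stop" ] && break
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    [ "$problems" -eq 0 ] && echo "OK $1"
    [ "$problems" -eq 0 ]
}

# Show SELinux contexts for a path, if this ls supports -Z.
# Files created elsewhere and moved in keep their old context; on an SELinux
# system "restorecon -Rv DIR" relabels them to the policy default
# (httpd_sys_content_t under /var/www, httpd_user_content_t under ~/public_html).
selinux_context() {
    if ls -dZ / >/dev/null 2>&1; then
        ls -dZ "$1"
    else
        echo "SELinux contexts not available on this system"
    fi
}

# Usage when run directly, e.g.:
#   sh check-webperms.sh /var/www/html/homepage.html
#   sh check-webperms.sh /home/username/public_html /home
if [ $# -gt 0 ]; then
    check_world_readable "$@"
    selinux_context "$1"
fi
```

The stop directory lets you limit the walk to the tree you administer (for instance /home when checking a user's public_html), but remember that Apache really does need the bits all the way to /, so run it once with the default to be sure.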