Curious symlink problem with Apache -- FC12

Tim ignored_mailbox at yahoo.com.au
Wed Nov 3 13:31:05 UTC 2010


On Wed, 2010-11-03 at 01:59 -0400, Robert Moskowitz wrote:
> # cat /etc/sysconfig/selinux
>  
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - No SELinux policy is loaded.
> SELINUX=disabled

This (immediately above line) says that your SELinux is disabled, so
SELinux shouldn't be the cause of your problems.  That being said, it's
usually a good idea to use SELinux when you have a publicly exposed
webserver.  Even one that's not advertised, as hackers find them by
scanning ranges of IP addresses.

To serve out anything via HTTP, the directory permissions from root
right through to the directory in question, including all the ones in
between, should be rwx r-x r-x  (owner read, write, and execute; group
permissions usually don't matter; other users can read and execute).

The file permissions need to be almost the same, the file in question
should be rwx r-x r-x (owner read, write and execute; group permissions
usually don't matter; other users can read the files).  Apache treats
the executable bit on files specially - it allows them to be parsed for
server-side-includes.

The "other" users, also known as "world," permissions are used for
serving out to the world.

(I spaced apart owner, group, and world permissions in the above
examples, for ease of reading.)

Servable files should not be owned by root or the apache user, they
should be owned by the author.  The same goes for directories *inside*
the webserver's root path.  This allows changes, and disallows tampering
by remote users over the web.

e.g.

drwxr-xr-x   root  root    /var/www/html/
drwxr-xr-x   tim   tim     /var/www/html/mywebsite/
drw-r--r--   tim   tim     /var/www/html/mywebsite/homepage.html
drw-r--r--   tim   tim     /var/www/html/mywebsite/picture.png

If you are asking the server to follow symlinks, then you need to set
the Apache configuration option to allow that.  I can't remember what
the default was.

If you installed the manual, see:
http://localhost/manual/mod/core.html#options

Also, if you serve files from outside the usual filepaths, you might
want to check the <Directory> options in the Apache configuration.

If you installed the manual, see:
http://localhost/manual/mod/core.html#directory

If you have SELinux enabled, then you need to set proper contexts for
the files and directories.  This will be done automatically, when you
create them in the standard file paths.

  i.e. inside "/var/www/html" and inside "~/public_html/"

But not if you move files into those paths, or serve files in other
locations.  Then, you'll need to manually set the contexts, and reset
them if you ever scan the whole drive resetting contexts to defaults
(unless you make up custom rules to match your custom locations).

See http://fedoraproject.org/wiki/SELinux/apache for example contexts.

But I have this for webserving directories, and the files inside them:

 system_u:object_r:httpd_sys_script_exec_t:s0   /var/www/cgi-bin/
 unconfined_u:object_r:httpd_sys_content_t:s0   /var/www/html/

 system_u:object_r:httpd_user_content_t:s0      ~/public_html/

-- 
[tim at localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.
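As an added example that is not part of Tim's post, the following POSIX shell script checks the three things the reply walks through: the "other" permission bits on every directory from / down to a served file (o+x on directories, o+r on the file), symlinks in that chain (which Apache follows only with Options FollowSymLinks), and, on a host with SELinux tools, whether the label type is an httpd_* type. It assumes Linux with GNU coreutils; the function names (check_web_path, other_perms, owner_of, selinux_type, httpd_label_ok) and the optional TOP argument are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post. Walks the
# directory chain from / (or a chosen top directory) down to a path the
# web server should serve and reports which components lack the "other"
# bits the post describes (o+x on every directory, o+r on the file),
# flags symlinks, which Apache follows only with Options FollowSymLinks,
# and, where SELinux tools exist, checks that the label type is one of
# the httpd_* types. Assumes Linux with GNU coreutils; the function
# names are this example's own.

# other_perms PATH -> the three "other" permission characters, e.g. "r-x".
# -L judges a symlink by its target, because that is what gets served.
other_perms() { ls -ldL -- "$1" | cut -c8-10; }

# owner_of PATH -> owner name as ls reports it
owner_of() { ls -ldL -- "$1" | awk '{ print $3 }'; }

# selinux_type CONTEXT -> the type field, e.g. httpd_sys_content_t
selinux_type() { printf '%s\n' "$1" | cut -d: -f3; }

# httpd_label_ok CONTEXT -> 0 when the type belongs to the httpd policy
# (httpd_sys_content_t, httpd_user_content_t, httpd_sys_script_exec_t...);
# another type usually means the files were created or moved outside the
# standard paths and need relabelling, as the post says.
httpd_label_ok() {
    case $(selinux_type "$1") in
        httpd_*) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_web_path PATH [TOP]
# Prints one line per component and returns 0 when every directory from
# TOP (default /) down to PATH is world-traversable and PATH itself is
# world-readable, 1 when some component blocks the server, 2 when PATH
# does not exist.
check_web_path() {
    target=$1
    top=${2:-/}
    case $target in /*) ;; *) target=$PWD/$target ;; esac
    [ -e "$target" ] || { printf 'no such path: %s\n' "$target" >&2; return 2; }

    # Collect the ancestors into the positional parameters, nearest first,
    # so the loop below runs from TOP downward; "$@" keeps spaces intact.
    dir=$target
    set --
    while [ "$dir" != / ] && [ "$dir" != "$top" ]; do
        dir=$(dirname -- "$dir")
        set -- "$dir" "$@"
    done

    status=0
    for comp in "$@" "$target"; do
        perms=$(other_perms "$comp")
        owner=$(owner_of "$comp")
        if [ -d "$comp" ]; then
            # Every directory on the way needs o+x for the server to traverse it.
            case $perms in
                ??x) printf 'ok    %s  %-8s %s\n' "$perms" "$owner" "$comp" ;;
                *)   printf 'FAIL  %s  %-8s %s  (directory needs o+x)\n' "$perms" "$owner" "$comp"
                     status=1 ;;
            esac
        else
            # The served file needs o+r; ownership by root or apache is what
            # the post advises against.
            case $perms in
                r??) printf 'ok    %s  %-8s %s\n' "$perms" "$owner" "$comp" ;;
                *)   printf 'FAIL  %s  %-8s %s  (file needs o+r)\n' "$perms" "$owner" "$comp"
                     status=1 ;;
            esac
            case $owner in
                root|apache) printf 'note  %s is owned by %s; the post recommends the author own served files\n' "$comp" "$owner" ;;
            esac
        fi
        if [ -L "$comp" ]; then
            printf 'note  %s is a symlink; Apache follows it only with Options FollowSymLinks (or SymLinksIfOwnerMatch)\n' "$comp"
        fi
        if command -v getenforce >/dev/null 2>&1; then
            ctx=$(ls -ZdL -- "$comp" | awk '{ print $1 }')
            httpd_label_ok "$ctx" || printf 'note  %s is labelled %s, not an httpd_* type; relabel it (restorecon, or semanage fcontext for custom paths)\n' "$comp" "$ctx"
        fi
    done
    return "$status"
}

# Run directly: sh check_web_path.sh /var/www/html/mywebsite/homepage.html
[ $# -eq 0 ] || check_web_path "$@"
```

Running it as `sh check_web_path.sh /var/www/html/mywebsite/homepage.html` prints one line per component; a FAIL line names the component that would produce a 403 before Apache's Options or SELinux are even consulted. The httpd_* prefix test is only a heuristic: it catches labels such as default_t or user_home_t that files pick up when created or moved outside the standard paths, which is exactly the case the post says needs a manual restorecon or a custom fcontext rule. It does not read httpd.conf, so the Options and <Directory> settings still have to be checked by hand.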
