Hi. We have a 200 user LAN under NIS and NFS with apache2 under 9.1 with all the YOU updates. The apache2 is untouched from when installed. Some users can access their files in their public_home directory via the server and others can't, getting a 403 message from Apache2. The permissions on the respective directories are identical. Can anyone give me a starting point to tackle this one? Why can some gain access and some can't? Cheers, Steve.
steve-ss wrote regarding '[SLE] 403 forbidden access with apache2' on Thu, Sep 16 at 09:47:
> Hi. We have a 200 user LAN under NIS and NFS with apache2 under 9.1 with all the YOU updates. The apache2 is untouched from when installed.
> Some users can access their files in their public_home directory via the server and others can't getting a 403 message from Apache2. The permissions on the respective directories are identical.
> Can anyone give me a starting point to tackle this one? Why can some gain access and some can't?
Are the permissions on the files and, probably more importantly, the parent directories identical? The web server needs to be able to get into the home dir ("other" execute bit needs set, but not read) in order to get to the public_html (or public_home, whatever). --Danny
On Thursday 16 September 2004 16:52, Danny Sauer wrote:
> Are the permissions on the files and, probably more importantly, the parent directories identical? The web server needs to be able to get into the home dir ("other" execute bit needs set, but not read) in order to get to the public_html (or public_home, whatever).
> --Danny
Hi. Yes they are. I've checked them loads of times. What is the "'other' execute bit needs set but not read"? Surely they must be readable, both the files and the directories, no? Steve
steve-ss wrote regarding 'Re: [SLE] 403 forbidden access with apache2' on Thu, Sep 16 at 10:02:
> Hi. Yes they are. I've checked them a loads of times. What is the "'other' execute bit needs set but not read"? Surely they must be readable both the files and the directories no?
For a directory, the "read" bit allows directory listing, while the "execute" bit allows directory access. So, I usually make user home directories mode 751 or 711, depending on the user. That way, public_html still works, since it can be accessed via /home/user/public_html/, but people can't just list another user's home dir with "ls /home/user". If homedirs are mode 750 or 700, then apache won't be able to get to public_html even if public_html is 755. The execute bit needs set, but the read bit doesn't need set. I didn't write that terribly clearly the first time. :) --Danny
On Thursday 16 September 2004 17:07, Danny Sauer wrote:
> For a directory, the "read" bit allows directory listing, while the "execute" bit allows directory access. So, I usually make user home directories mode 751 or 711, depending on the user. That way, public_html still works, since it can be accessed via /home/user/public_html/, but people can't just list another user's home dir with "ls /home/user".
> If homedirs are mode 750 or 700, then apache won't be able to get to public_html even if public_html is 755. The execute bit needs set, but the read bit doesn't need set. I didn't write that terribly clearly the first time. :)
> --Danny
All my home directories (and the public_html below them) are: drwxr-xr-x. That should let apache in, no? What groups must the user belong to, if any? Thanks, Steve.
steve-ss wrote regarding 'Re: [SLE] 403 forbidden access with apache2' on Thu, Sep 16 at 10:26:
[... some users' public_html fail to load...]
> All my home directories (and the public_html below them) are :
> drwxr-xr-x That should let apache in no?
> What groups must the user belong to, if any?
No group requirements, and those permissions are fine. Have you looked at the apache error logs (possibly /var/log/apache2) to see what error is getting created on the denied directories? :) I'll bet the problem is described in there somewhere... --Danny
On Thursday 16 September 2004 18:38, Danny Sauer wrote:
> No group requirements, and those permissions are fine.
> Have you looked at the apache error logs (possibly /var/log/apache2) to see what error is getting created on the denied directories? :) I'll bet the problem is described in there somewhere...
> --Danny
Yep. Here is an example:
[Thu Sep 16 18:04:11 2004] [error] [client 192.168.1.1] client denied by server configuration: /home/y10/benjamin-a/public_html
The users in /home can access their directories fine. It's the users in a subdirectory of /home (in this case y10) that can't.
Thanks, Steve.
On Thu 16 Sep 2004 13:32, steve-ss wrote:
> The users in /home can access their directories fine. It's the users in a subdirectory of /home (in this case y10) that can't.
In my apache2 httpd.conf, the module mod_userdir.c is configured like this
(standard configuration):
On Thu, 2004-09-16 at 14:44, Andreas Philipp wrote:
> In my apache2 httpd.conf, the module mod_userdir.c is configured like this (standard configuration):
> ... </Directory>
> So, wouldn't that mean that apache2 expects the public_html directory to be located in a user home directory which itself must be a subdirectory of /home?
No, the user home directory is dictated by the entry in /etc/passwd, it can reside anywhere on the system.
--
Ken Schneider
unix user since 1989
linux user since 1994
SuSE user since 1998 (5.2)
* PLEASE only reply to the list *
On Thu 16 Sep 2004 13:59, Ken Schneider wrote:
> > So, wouldn't that mean that apache2 expects the public_html directory to be located in a user home directory which itself must be a subdirectory of /home?
> No, the user home directory is dictated by the entry in /etc/passwd, it can reside any where on the system.
Well, I didn't mean to say that the OS couldn't handle home directories being located anywhere, just the mod_userdir.c configuration of apache2 (mine is the SuSE standard install) seems to expect them to be under /home to be able to access the public_html dirs in http://server/~user
Or wouldn't the <Directory> directive of mod_userdir.c suggest that? Please correct me if I am wrong.
Regards,
--
Andreas Philipp
Noema Ltda.
Bogotá, D.C. - Colombia
Andreas wrote regarding 'Re: [SLE] 403 forbidden access with apache2' on Thu, Sep 16 at 14:19:
> Well, I didn't mean to say that the OS couldn't handle home directories being located anywhere, just the mod_userdir.c configuration of apache2 (mine is the SuSE standard install) seems to expect them to be under /home to be able to access the public_html dirs in http://server/~user
> Or wouldn't the <Directory> directive of mod_userdir.c suggest that? Please correct me if I am wrong.
You're right. To allow access, you probably want to either add another
<Directory> entry allowing access to /home/*/*/public_html, or use
a regular expression like
On Thursday 16 September 2004 22:48, Danny Sauer wrote:
You're right. To allow access, you probably want to either add another <Directory> entry allowing access to /home/*/*/public_html, or use a regular expression like . The DirectoryMatch will be slower and a little less secure, but the security implications are minimal and it reduces the chance for error by putting the homedir config stuff in one place (rather than duplicating as in the first solution).
Access to stuff under /home is denied by default, then explicitly allowed just for public_html. Just to explain a little further.
The
On Thursday 16 September 2004 16:59, steve-ss wrote:
> Hi. Yes they are. I've checked them a loads of times. What is the "'other' execute bit needs set but not read"? Surely they must be readable both the files and the directories no?
All directories below and including public_html that should be public accessible need to be chmod go+rx
All directories *above* public_html need to be at least chmod go+x
All files below public_html that should be public accessible need to be chmod go+r
See also man chmod.
Cheers, Leen
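The two checks this thread works through, as an added shell example (not code from any of the posters): `first_blocked_dir` walks up from a public_html directory and reports a directory missing the "other" execute bit, and `dir_pattern_matches` is a simplified model of how a wildcard `<Directory>` path is compared segment by segment, which is why `/home/*/public_html` does not cover `/home/y10/benjamin-a/public_html`. The function names and the optional stop-directory argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Walk upward from directory $1 until $2 (default /) and print the first
# directory found without the "other" execute bit; return 1 if one exists.
first_blocked_dir() {
    dir=$1; stop=${2:-/}
    while [ "$dir" != "$stop" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        # Columns 8-10 of "ls -ld" are the "other" bits, e.g. "r-x" or "--x".
        case $(ls -ld "$dir" | cut -c8-10) in
            ??x|??t) ;;                      # traversable (t = sticky + x)
            *) echo "$dir"; return 1 ;;
        esac
        dir=$(dirname "$dir")
    done
    return 0
}

# Return 0 if wildcard <Directory> pattern $1 covers absolute path $2.
# Simplified model: segments are compared one by one, so "*" never spans
# a "/", and a matching section also covers deeper subdirectories.
dir_pattern_matches() {
    pat=${1#/}; pat=${pat%/}
    target=${2#/}; target=${target%/}
    while [ -n "$pat" ]; do
        [ -n "$target" ] || return 1         # path is shallower than pattern
        pseg=${pat%%/*}
        case ${target%%/*} in
            $pseg) ;;                        # unquoted: pseg acts as a glob
            *) return 1 ;;
        esac
        case $pat in */*) pat=${pat#*/} ;; *) pat= ;; esac
        case $target in */*) target=${target#*/} ;; *) target= ;; esac
    done
    return 0
}

# The denied path from the error log above against both patterns.
for p in '/home/*/public_html' '/home/*/*/public_html'; do
    if dir_pattern_matches "$p" /home/y10/benjamin-a/public_html; then
        echo "$p covers the y10 home"
    else
        echo "$p does not cover the y10 home"
    fi
done
```

On the server, `first_blocked_dir /home/y10/benjamin-a/public_html` checks the traversal bits for a real user; it reads mode bits only, so ACLs and NFS export options are outside what it sees.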
participants (5): Andreas Philipp, Danny Sauer, Ken Schneider, Leendert Meyer, steve-ss