16th January 2012, 08:55 PM
Registered User
Join Date: Jan 2012
Location: Seattle
Posts: 4
httpd cannot read from /home
I'm having some trouble with httpd on Fedora 16.
Code:
$ rpm -q httpd
httpd-2.2.21-1.fc16.i686
$ cat /etc/redhat-release
Fedora release 16 (Verne)
I have the following vhost config:
Code:
NameVirtualHost *:80
<VirtualHost *:80>
ServerName localhost
Alias /tmp/ /home/kjiwa/tmp/
</VirtualHost>
I've ensured that the correct permissions are set on /home/kjiwa and /home/kjiwa/tmp so that the apache user can read from those locations.
When I try to access http://localhost/tmp/index.html (a file which exists), I get a 403. The httpd error log shows this:
Code:
[Mon Jan 16 12:48:50 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /tmp/index.html denied
httpd can read from other locations, though, such as /srv/httpd or /var/www. Any ideas about what I have to change so that it can also read from my home directory?
Kamil
|

16th January 2012, 09:02 PM
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,105
Re: httpd cannot read from /home
Did you enable the SELinux security flags to allow apache to read home directories and set the proper labels on the directories?
|

16th January 2012, 09:04 PM
Registered User
Join Date: Jan 2012
Location: Seattle
Posts: 4
Re: httpd cannot read from /home
I have completely disabled SELinux:
Code:
$ sestatus
SELinux status: disabled
|

16th January 2012, 10:14 PM
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,105
Re: httpd cannot read from /home
Well... by disabling access controls, you are now open to various possible attacks.
Now the home directory must be world readable (rx) OR group rx and be in the group apache. In addition, the specific directory (rx) and all files within that directory must be (r). If files are to be created by the server then the directory/files must be writable. Note, any files created by apache will be owned by apache.
|

16th January 2012, 10:18 PM
Registered User
Join Date: Jan 2012
Location: Seattle
Posts: 4
Re: httpd cannot read from /home
It's just a dev box, but yes, I understand the risks. I disabled SELinux to try to isolate what the issue is.
Code:
$ ls -ald /home/kjiwa
drwxr-x---+ 47 kjiwa kjiwa 4096 Jan 16 11:12 /home/kjiwa
$ ls -ald /home/kjiwa/tmp
drwxrwxr-x. 5 kjiwa kjiwa 4096 Jan 11 16:14 /home/kjiwa/tmp
$ groups apache
apache : apache kjiwa
So my home directory is g+rx (really it should just work with g+x, but I tried both) and apache is part of the kjiwa group.
|

16th January 2012, 10:39 PM
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,105
Re: httpd cannot read from /home
The apache process likely only has the group apache, and not kjiwa. Remember, the apache daemon is not started as a login. The configuration file for apache specifies the group (and user) the server runs under. By default it is UID apache, GID apache, and no other groups. Having multiple groups in apache makes it much harder to secure, and to prevent unintentional problems.
|

16th January 2012, 11:22 PM
Registered User
Join Date: Jan 2012
Location: Seattle
Posts: 4
Re: httpd cannot read from /home
I'm not sure if that is the issue here. The same configuration works fine in RHEL 6.x and Fedora 14. I didn't try Fedora 15, but I wonder if this came about due to the migration to systemd. Could it be related to cgroups or is that just a red herring?
|

16th January 2012, 11:47 PM
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,105
Re: httpd cannot read from /home
Cgroups are for CPU grouping; they don't have anything to do with access controls.
In this case, systemd is not at fault. Check the apache configuration file and be sure it is using kjiwa for the group. If it is not specified it defaults to group apache.
I don't think apache supports multigroup; I know it doesn't under Fedora 14 where I'm running it.
|

19th February 2012, 09:37 AM
Registered User
Join Date: Apr 2011
Location: Upminster, Essex, UK
Posts: 169
Re: httpd cannot read from /home
A reasonably sane workaround is to make yourself a member of the "apache" group and then use your usual username in httpd.conf, leaving the group as apache.
Reload / restart httpd for changes to take effect.
|

19th February 2012, 06:58 PM
Registered User
Join Date: Nov 2008
Location: Canada
Posts: 2,049
Re: httpd cannot read from /home
I can't read your httpd.conf from here. But I suspect this is what you're overlooking. Below is very much stock; html in public_html and only SomeWebUser's content is allowed. Works fine with SELinux enforcing.
Code:
#
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid. This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissions
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.
#
# See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden
#
<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
UserDir disabled
UserDir enabled SomeWebUser
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disabled" line above, and uncomment
# the following line instead:
#
UserDir public_html
</IfModule>
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
<Directory /home/*/public_html>
AllowOverride All FileInfo AuthConfig Limit
# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Options MultiViews SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>
|
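An added example (not part of any post in this thread, and not Fedora's or Apache's own tooling): a shell check for the rule in the stock UserDir comment quoted above, that every directory on the way to a document needs search permission and the document itself read permission for the web server. The function name `first_blocked` is hypothetical, and it assumes httpd matches only the "other" permission class, so it reads mode bits only and ignores ACLs and SELinux labels.

```shell
#!/bin/sh
# Added example: report the first path component that a process in the
# "other" permission class cannot get past (assumption: httpd is in that class).

# first_blocked ROOT RELPATH
#   Walks ROOT/RELPATH one component at a time, starting below ROOT.
#   Directories need o+x (search); anything else needs o+r (read).
#   Prints "<path> <mode>" for the first component that fails and returns 1,
#   prints "<path> (missing)" and returns 2 if a component does not exist,
#   prints nothing and returns 0 when the whole chain is reachable.
first_blocked() {
    current=${1%/}              # "/" becomes "", so paths rebuild as /home/...
    set -f                      # no glob expansion while splitting the path
    old_ifs=$IFS; IFS=/
    set -- $2                   # split RELPATH on "/" into positional params
    IFS=$old_ifs; set +f
    for part in "$@"; do
        [ -n "$part" ] || continue
        current="$current/$part"
        if [ ! -e "$current" ]; then
            echo "$current (missing)"
            return 2
        fi
        # First 10 characters only: drops the trailing "+" (ACL) or "." (SELinux).
        mode=$(ls -ldL "$current" | cut -c1-10)
        case $mode in
            d????????[xt]) ;;                        # directory, other may search
            d*) echo "$current $mode"; return 1 ;;   # directory without o+x
            ???????r??) ;;                           # file, other may read
            *) echo "$current $mode"; return 1 ;;    # file without o+r
        esac
    done
    return 0
}

# Example invocation: sh check.sh / home/SomeWebUser/public_html/index.html
if [ $# -eq 2 ]; then
    first_blocked "$1" "$2"
fi
```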

2nd March 2012, 02:25 PM
Registered User
Join Date: Feb 2012
Location: Hong Kong
Posts: 26
Re: httpd cannot read from /home
I have the same problem enabling the user home dir in Apache.
If you have edited httpd.conf and enabled the SELinux bool and are still encountering the problem,
please check the permission to access /home/[user].
Once I changed the access mode to 755, I could access it from the browser!
However, it means that my files are visible to others, so what's the purpose of using UserDir in Fedora? I think there should be some modifications....
|

2nd March 2012, 02:58 PM
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,105
Re: httpd cannot read from /home
Quote:
Originally Posted by Mainsun
I have the same problem enabling the user home dir in Apache.
If you have edited httpd.conf and enabled the SELinux bool and are still encountering the problem,
please check the permission to access /home/[user].
Once I changed the access mode to 755, I could access it from the browser!
However, it means that my files are visible to others, so what's the purpose of using UserDir in Fedora? I think there should be some modifications....
|
That is what SELinux does. Unfortunately, the way things are set up, you MUST make it world readable (and searchable).
|

2nd March 2012, 04:19 PM
Registered User
Join Date: Nov 2008
Location: Canada
Posts: 2,049
Re: httpd cannot read from /home
Quote:
Originally Posted by Mainsun
I have the same problem enabling the user home dir in Apache.
If you have edited httpd.conf and enabled the SELinux bool and are still encountering the problem,
please check the permission to access /home/[user].
Once I changed the access mode to 755, I could access it from the browser!
However, it means that my files are visible to others, so what's the purpose of using UserDir in Fedora? I think there should be some modifications....
|
Why would you ever chmod 755 YOUR home directory? I never chmod 755 a home directory with public html content. If modifications need to be done, then it's not Fedora.
|

3rd March 2012, 02:54 AM
Registered User
Join Date: Feb 2012
Location: Hong Kong
Posts: 26
Re: httpd cannot read from /home
I am sorry for my previous post.
I was just testing Fedora in vbox,
and I use 711 for my real Fedora.
But I hope UserDir should be able to work in 700 mode, which is the default in Fedora. And only the own user to use visit.
|

3rd March 2012, 12:21 PM
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,105
Re: httpd cannot read from /home
Not sure what you mean by "And only the own user to use visit".
|