Fedora Linux Support Community & Resources Center
  #1  
Old 16th January 2012, 08:55 PM
kjiwa Offline
Registered User
 
Join Date: Jan 2012
Location: Seattle
Posts: 4
httpd cannot read from /home

I'm having some trouble with httpd on Fedora 16.

Code:
$ rpm -q httpd 
httpd-2.2.21-1.fc16.i686
$ cat /etc/redhat-release 
Fedora release 16 (Verne)

I have the following vhost config:

Code:
NameVirtualHost *:80

<VirtualHost *:80>
 ServerName localhost
 Alias /tmp/ /home/kjiwa/tmp/
</VirtualHost>

I've ensured that the correct permissions are set on /home/kjiwa and /home/kjiwa/tmp so that the apache user can read from those locations.

When I try to access http://localhost/tmp/index.html (a file which exists), I get a 403. The httpd error log shows this:

Code:
[Mon Jan 16 12:48:50 2012] [error] [client 127.0.0.1] (13)Permission denied: access to /tmp/index.html denied

httpd can read from other locations, though, such as /srv/httpd or /var/www. Any ideas about what I have to change so that it can also read from my home directory?

Kamil
  #2  
Old 16th January 2012, 09:02 PM
jpollard Online
Registered User
 
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,788
Re: httpd cannot read from /home

Did you enable the SELinux security flags to allow apache to read home directories and set the proper labels on the directories?
  #3  
Old 16th January 2012, 09:04 PM
kjiwa Offline
Registered User
 
Join Date: Jan 2012
Location: Seattle
Posts: 4
Re: httpd cannot read from /home

I have completely disabled SELinux:

Code:
$ sestatus 
SELinux status:                 disabled
  #4  
Old 16th January 2012, 10:14 PM
jpollard Online
Registered User
 
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,788
Re: httpd cannot read from /home

Well... by disabling access controls, you are now open to various possible attacks.

Now the home directory must be world readable (rx) OR group rx and be in the group apache. In addition, the specific directory (rx) and all files within that directory must be (r). If files are to be created by the server then the directory/files must be writable. Note, any files created by apache will be owned by apache.
  #5  
Old 16th January 2012, 10:18 PM
kjiwa Offline
Registered User
 
Join Date: Jan 2012
Location: Seattle
Posts: 4
Re: httpd cannot read from /home

It's just a dev box, but yes, I understand the risks. I disabled SELinux to try to isolate what the issue is.

Code:
$ ls -ald /home/kjiwa
drwxr-x---+ 47 kjiwa kjiwa 4096 Jan 16 11:12 /home/kjiwa
$ ls -ald /home/kjiwa/tmp 
drwxrwxr-x. 5 kjiwa kjiwa 4096 Jan 11 16:14 /home/kjiwa/tmp
$ groups apache 
apache : apache kjiwa

So my home directory is g+rx (really it should just work with g+x, but I tried both) and apache is part of the kjiwa group.
  #6  
Old 16th January 2012, 10:39 PM
jpollard Online
Registered User
 
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,788
Re: httpd cannot read from /home

The apache process likely only has the group apache, and not kjiwa. Remember, the apache daemon is not started as a login. The configuration file for apache specifies the group (and user) the server runs under. By default it is UID apache, GID apache, and no other groups. Having multiple groups in apache makes it much harder to secure, and to prevent unintentional problems.
  #7  
Old 16th January 2012, 11:22 PM
kjiwa Offline
Registered User
 
Join Date: Jan 2012
Location: Seattle
Posts: 4
Re: httpd cannot read from /home

I'm not sure if that is the issue here. The same configuration works fine in RHEL 6.x and Fedora 14. I didn't try Fedora 15, but I wonder if this came about due to the migration to systemd. Could it be related to cgroups or is that just a red herring?
  #8  
Old 16th January 2012, 11:47 PM
jpollard Online
Registered User
 
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,788
Re: httpd cannot read from /home

Cgroups are for CPU grouping; they don't have anything to do with access controls.

In this case, systemd is not at fault. Check the apache configuration file and be sure it is using kjiwa for the group. If it is not specified it defaults to group apache.

I don't think apache supports multigroup; I know it doesn't under Fedora 14, where I'm running it.
  #9  
Old 19th February 2012, 09:37 AM
satanselbow Offline
Registered User
 
Join Date: Apr 2011
Location: Upminster, Essex, UK
Posts: 169
Re: httpd cannot read from /home

A reasonably sane workaround is to make yourself a member of the "apache" group and then use your usual username in http.conf, leaving the group as apache.

Reload / restart httpd for changes to take effect.
  #10  
Old 19th February 2012, 06:58 PM
beaker_ Offline
Registered User
 
Join Date: Nov 2008
Location: Canada
Posts: 2,349
Re: httpd cannot read from /home

I can't read your httpd.conf from here. But I suspect this is what you're overlooking. Below is very much stock; html in public_html and only SomeWebUser's content is allowed. Works fine with SELinux enforcing.


Code:
#
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid.  This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissions
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.
#
# See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden
#
<IfModule mod_userdir.c>
    #
    # UserDir is disabled by default since it can confirm the presence
    # of a username on the system (depending on home directory
    # permissions).
    #
    UserDir disabled
    UserDir enabled SomeWebUser

    #
    # To enable requests to /~user/ to serve the user's public_html
    # directory, remove the "UserDir disabled" line above, and uncomment
    # the following line instead:
    #
    UserDir public_html

</IfModule>

# Control access to UserDir directories.  The following is an example
# for a site where these directories are restricted to read-only.
#
<Directory /home/*/public_html>
    AllowOverride All FileInfo AuthConfig Limit
#    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
     Options MultiViews SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
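Added example (not part of beaker_'s post or the stock httpd.conf): the comment block above says ~userid needs 711, public_html needs 755, and documents must be world-readable. The script below walks each path component, reports the first one whose "other" mode bits would block the web server, and flags directories that other users can list. It assumes GNU stat (as on Fedora), reads mode bits only, and does not evaluate ACLs or SELinux labels; the function names are made up for this example.

```sh
#!/bin/sh
# Added example: audit the "other" permission bits on each component of a
# path the web server has to reach. Uses mode bits only (GNU stat), so
# POSIX ACLs and SELinux labels are not evaluated.

# other_bits PATH: print the last octal digit of PATH's mode (5 for 755).
other_bits() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    printf '%s\n' "${mode#"${mode%?}"}"
}

# audit_path ROOT RELPATH: one line per component, "<verdict> <mode> <path>".
#   BLOCKED   directory without o+x, or file without o+r (expect a 403)
#   LISTABLE  directory with o+r and o+x (other users can list it)
#   OK        directory with o+x only, or file with o+r
audit_path() {
    cur=${1%/}
    rest=$2
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -z "$part" ] && continue
        cur="$cur/$part"
        o=$(other_bits "$cur") || { echo "MISSING - $cur"; return 2; }
        if [ -d "$cur" ]; then
            case $o in
                [0246]) verdict=BLOCKED ;;
                [57])   verdict=LISTABLE ;;
                *)      verdict=OK ;;
            esac
        else
            case $o in [4567]) verdict=OK ;; *) verdict=BLOCKED ;; esac
        fi
        echo "$verdict $(stat -c '%a' "$cur") $cur"
    done
}

# first_blocked ROOT RELPATH: print the first BLOCKED component, if any.
first_blocked() {
    audit_path "$1" "$2" | awk '$1 == "BLOCKED" { print $3; exit }'
}

# Usage: sh audit.sh / home/SomeWebUser/public_html/index.html
if [ "$#" -eq 2 ]; then audit_path "$1" "$2"; fi
```

A trailing "+" in `ls -l` output, as on /home/kjiwa earlier in the thread, means an ACL is present; this script does not read it, so check such directories with `getfacl` as well.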
  #11  
Old 2nd March 2012, 02:25 PM
Mainsun Offline
Registered User
 
Join Date: Feb 2012
Location: Hong Kong
Posts: 26
Re: httpd cannot read from /home

I have the same problem enabling the user home dir in Apache.
If you have edited httpd.conf and enabled the SELinux bool and are still encountering problems,
please check the permissions on /home/[user].
Once I changed the access mode to 755 I could access it from the browser!
However, it means that my files are visible to others, so what's the purpose of using UserDir in Fedora! I think there should be some modifications....
  #12  
Old 2nd March 2012, 02:58 PM
jpollard Online
Registered User
 
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,788
Re: httpd cannot read from /home

Quote:
Originally Posted by Mainsun
I have the same problem enabling the user home dir in Apache.
If you have edited httpd.conf and enabled the SELinux bool and are still encountering problems,
please check the permissions on /home/[user].
Once I changed the access mode to 755 I could access it from the browser!
However, it means that my files are visible to others, so what's the purpose of using UserDir in Fedora! I think there should be some modifications....

That is what SELinux does. Unfortunately, the way things are set up, you MUST make it world readable (and searchable).
  #13  
Old 2nd March 2012, 04:19 PM
beaker_ Offline
Registered User
 
Join Date: Nov 2008
Location: Canada
Posts: 2,349
Re: httpd cannot read from /home

Quote:
Originally Posted by Mainsun
I have the same problem enabling the user home dir in Apache.
If you have edited httpd.conf and enabled the SELinux bool and are still encountering problems,
please check the permissions on /home/[user].
Once I changed the access mode to 755 I could access it from the browser!
However, it means that my files are visible to others, so what's the purpose of using UserDir in Fedora! I think there should be some modifications....

Why would you ever chmod 755 YOUR home directory? I never chmod 755 a home directory with public html content. If modifications need to be done, then it's not Fedora.
  #14  
Old 3rd March 2012, 02:54 AM
Mainsun Offline
Registered User
 
Join Date: Feb 2012
Location: Hong Kong
Posts: 26
Re: httpd cannot read from /home

I am sorry for my previous post.
I was just testing Fedora in vbox,
and I have used 711 for my real Fedora.
But I hope UserDir should be able to work in 700 mode, which is the default in Fedora. And only the own user to use visit.
  #15  
Old 3rd March 2012, 12:21 PM
jpollard Online
Registered User
 
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 6,788
Re: httpd cannot read from /home

Not sure what you mean by "And only the own user to use visit".