i'm facing the next error in a centos 7 server
I take a look to similar questions saying that is because SELinux doesn't allow to httpd to write in my /home folder, i've tried changing the owner of the folder without success; try changing the context (chcon) to httpd_sys_rw_content_t of my /home with the same error; try disabling SELinux and the error persists; and in the file httpd.conf change the User and Group from apache to test this didn't work either. My server is:
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 7.4.1708 (Core)
Release: 7.4.1708
Codename: Core
and
Linux localhost 3.10.0-693.17.1.el7.x86_64 #1 SMP Thu Jan 25 20:13:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
When I execute move_uploaded_file() from php -a as user test it works normally, i see that the issue is with the user apache
TLDR:
Do not run setenforce 0 command, this will disable SELinux! You should not disable SELinux for security reasons.
The solution:
You should update policy to make SELinux allow read and write on specific directories:
To allow apcahe to read and write.
chcon -R -t httpd_sys_rw_content_t /path/your_writabl_dir
For read only directories:
chcon -R -t httpd_sys_content_t /path/yourdir
For example you can make your public (document root) directory read only and only allow write on directories that you allow you app to write on:
# Make all read only
chcon -R -t httpd_sys_content_t /var/www/myapp
# Only allow write on uploads dir for example
chcon -R -t httpd_sys_rw_content_t /var/www/myapp/public/uploads
Related
I am install nfs using this command in fedora 32:
sudo dnf install nfs-utils
and then I create a dir to export storage:
[dolphin#MiWiFi-R4CM-srv infrastructure]$ cat /etc/exports
/home/dolphin/data/k8s/monitoring/infrastructure/jenkins *(rw,no_root_squash)
now I could mount this dir with root user like this:
sudo mount -t nfs -o v3 192.168.31.2:/home/dolphin/data/k8s/monitoring/infrastructure/jenkins /mnt
now I want to make a step forward to make it it avaliable to any user from any ip(the client could mount nfs without using sudo), so I first try to chown of this folder:
chown 777 jenkins
and then I want to make this jenkins folder group and user to nfsnobody:
[dolphin#MiWiFi-R4CM-srv infrastructure]$ chown -R nfsnobody jenkins
chown: invalid user: ‘nfsnobody’
and I do not find any nfsnobody content from /etc/passwd. what should I do to fix invalid user: ‘nfsnobody’ problem? should nfs-util added it automatically?
Right now nobody used by default probably after RedHat/Centos versions 8
You can simply use
chown -R nobody jenkins
Or
Change it from /etc/idmapd.conf
[Mapping]
Nobody-User = nfsnobody
Nobody-Group = nfsnobody
To put the changes into effect restart the rpcidmapd service and remount the NFSv4 filesystem:
service rpcidmapd restart
mount -o remount /nfs/mnt/point
On Red Hat Enterprise Linux 6, if the above settings have been applied and UID/GID’s are matched on server and client and users are still being mapped to nobody:nobody then a clearing of the idmapd cache may be required.
# nfsidmap -c
I'm developing a website on a totally offline environment. also, I use gitlab runner for CI and the host is CentOS 7.
the problem is that gitlab runner uses gitlab-runner user on centos for deploying laravel application and apache uses apache user for running laravel.
I got Permission denied error on apache til I changed ownership of files. after that I get this error on apache log:
Uncaught UnexpectedValueException: The stream or file "storage/logs/laravel.log" could not be opened: failed to open stream: Permission denied
it seems that some vendor libraries like monolog want to write error or debug logs onto storage/logs/laravel.log but it gets permission denied. :(
.gitlab-ci.yml
stages:
- build
- test
- deploy
buildBash:
stage: build
script:
- bash build.sh
testBash:
stage: test
script:
- bash test.sh
deployBash:
stage: deploy
script:
- sudo bash deploy.sh
build.sh
#!/bin/bash
set -xe
# creating env file from production file
cp .env.production .env
# initializing laravel
php artisan key:generate
php artisan config:cache
# database migration
php artisan migrate --force
deploy.sh
#!/bin/bash
PWD=$(pwd)'/public'
STG=$(pwd)'/storage'
ln -s $PWD /var/www/html/public
chown apache.apache -R /var/www/html/public
chmod -R 755 /var/www/html/public
chmod -R 775 $STG
Am I using gitlab runner correct? how can I fix the permission denied error?
SELinux
I found the problem and it was selinux, like always it was selinux and I ignored it at the begining
What's the problem:
you can see selinux context on files with ls -lZ command, by default all files on www are httpd_sys_content_t, the problem is that selinux just allow apache to read these files. you should change storage and bootstrap/cache context so it can be writable.
there are 4 apache context type:
httpd_sys_content_t: read-only directories and files
httpd_sys_rw_content_t: readable and writable directories and files used by Apache
httpd_log_t: used by Apache for log files and directories
httpd_cache_t: used by Apache for cache files and directories
What to do:
first of all install policycoreutils-python for better commands
yum install -y policycoreutils-python
after installing policycoreutils-python the semanage command is available, so you can change file context like this:
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/laravel/storage(/.*)?"
semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/laravel/bootstrap/cache(/.*)?"
don't forget to commit the changes by this command:
restorecon -Rv /var/www/html/laravel/storage
restorecon -Rv /var/www/html/laravel/bootstrap/cache
the problem is solved :)
ref: http://www.serverlab.ca/tutorials/linux/web-servers-linux/configuring-selinux-policies-for-apache-web-servers/
I am trying to set a custom umask for a tomcat 8 instance, tried to make it the good way by using the UMask directive in systemd tomcat unit as seen here without luck.
I'd like to set a 022 umask cause the company dev needs to access tomcat / application logs and they are not in the same group as the tomcat user....
the crazy thing is that the systemd doc says :
Controls the file mode creation mask. Takes an access mode in octal notation. See umask(2) for details. Defaults to 0022.
But the logs (application / tomcat) are set to 640 (not the expected 755) :
-rw-r----- 1 top top 21416 Feb 1 09:58 catalina.out
My service file :
# Systemd unit file for tomcat
[Unit]
Description=Apache Tomcat Web Application Container
After=syslog.target network.target
[...]
User=top
Group=top
UMask=0022
[Install]
WantedBy=multi-user.target
Any thoughts about this ?
Thanks
Try adding UMASK as Environment variable into tomcat's service file:
[Service]
...
Environment='UMASK=0022'
...
Default catalina.sh is checking for environment's $UMASK:
# Set UMASK unless it has been overridden
if [ -z "$UMASK" ]; then
UMASK="0027"
fi
umask $UMASK
(It seems to me, that UMask from systemd is not used by Tomcat, but I am not completely sure.)
I think you can achieve this with systemd by doing the following:
~]# mkdir -p /etc/systemd/system/tomcat.service.d
~]# echo -e "[Service]\nUMask=0022" >/etc/systemd/system/tomcat.service.d/custom-umask.conf
~]# systemctl daemon-reload
~]# systemctl restart tomcat
/etc/systemd/system/tomcat.service.d/umask-user.conf should overwrite the default values.
Source: https://access.redhat.com/solutions/2220161
P.S: A umask of 0022 would give a file 0644 permissions and a directory 0755
if using jsvc to start Tomcat as daemon process, then we need to set the -umask argument in jsvc command line
I am on someone else's linux server (shared hosting). I do not have root access. I have determined that it's a Redhat 4.1.2-46 running as Centos Release 5.9(Final).
I have the database dump for the site and the .php files from public_html as well. What I'm TRYING TO DO is locate the httpd.conf file and get the config for that site.
when I type in
httpd - v
I get -bas: httpd: command not found - even in like the /user/sbin directory - and it's clearly running and there.
Bottom line I can't find the sitedef/conf file for www.thisparticularsite.com - and can't even figure out what version of apache I'm running...
For Apache 2 try apache2ctl -v (or sudo apache2ctl -v if root access is available). I'm on a Raspberry Pi 4B running Debian, just for reference.
The init files of apache are usually located in /etc/init.d the httpd path are found in it. However, You can find out where the httpd.conf file and httpd command directory by doing a ps aux|grep -i http. For example:
ps aux|grep -i http
510 2594 0.0 0.0 77256 1516 ? S Jul02 0:00 **/usr/sbin/httpd-0.0.0.0_80** -k start -f **/etc/httpd/conf/instances/httpd-0.0.0.0_80/httpd.conf**
root 5470 0.0 0.0 77120 872 ? Ss 2013 22:13 **/usr/sbin/httpd-0.0.0.0_80** -k start -f **/etc/httpd/conf/instances/httpd-0.0.0.0_80/httpd.conf**
Conclusion:
httpd.conf file path: **/etc/httpd/conf/instances/httpd-0.0.0.0_80/httpd.conf**
httpd command directory: **/usr/sbin/httpd-0.0.0.0_80**
As mentionned by apache.org, httpd command should not be invoked directly.
see source
If you're trying to find loaded modules, earlier the command was httpd -l. But it'll give you the same error, Command 'httpd' not found,
Nowadays, you can use apache2 -l (tested on Apache/2.4.29).
I want to check whether mod_headers and mod_expires modules enabled or not in my server
Is there a way available to list apache enabled/disabled modules using some php function just like we list php information with phpinfo(); function?
All the above answers are wrong. Use instead:
apachectl -t -D DUMP_MODULES
or
apachectl -M
On Debian:
user#machine:~$ /usr/sbin/apache2 -l
Most GNU/Linux distros:
user#machine:~$ /usr/sbin/httpd -l
Ubuntu:
user#machine:~$ ls /etc/apache2/mods-enabled
On Mac OSX:
user#mymac:~$ httpd -l
On Win 7 (64-bit):
C:\Users\myuser>"\Program Files (x86)\Apache Software Foundation\Apache2.2\bin\httpd.exe" -l
Try these commands from a terminal window in all but Windows, which will use CMD instead.
On Ubuntu you can see the list of enabled modules here,
/etc/apache2/mods-enabled
Some versions of PHP/Apache show all loaded modules in phpinfo() under "Loaded Modules".
Speeve's answer shows compiled in modules (x6 on my system):
echo system('/usr/sbin/apache2 -l');
You'll also need to see your enabled modules (x36 for me):
echo system('ls /etc/apache2/mods-enabled/');
To get the list of disabled modules, run this command then cross off all the enabled modules:
echo system('ls /etc/apache2/mods-available/');