I am trying to configure Apache httpd.conf (on my CentOS 6.4) to allow access to my user directory (i.e. ~me/public_html/index.html).
I changed the original httpd.conf (i.e. out-of-the-box) as follows:
[root#myhost www]# diff /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.orig.out-of-the-box
366c366
< #UserDir disabled
---
> UserDir disabled
373c373
< UserDir public_html
---
> #UserDir public_html
This should in principle provide access to http://myhost/~me but instead, I am getting the dreaded error:
You don't have permission to access /~me on this server.
I checked the file /var/log/httpd/error_log and, sure enough, it reads:
(13)Permission denied: access to /~me denied
The first weird thing I noticed is that a / is prepended to ~me.
Where does that leading / come from?
Is it only a "red herring"?
Or is this pointing to the root cause of the problem (i.e. something else I need to modify in httpd.conf)?
Most importantly, since I know that my ~me/public_html is has world-readable permissions, how do I troubleshoot a problem like this?
Is there a way to find out why "access to /~me denied"?
SELinux?
httpd.conf?
directory permissions?
all of the above?
Update 1, answering the 2 questions in the comments by #UlrichSchwarz below:
The home directory does seem to have the 'x' permission:
[root#myhost ~]# ls -lad /home/me
drwxr-xr-x. 33 me me 4096 Feb 8 16:30 /home/me
SELinux info on public_html:
[root#myhost ~]# ls -Z -d /home/me/public_html/
drwxrwxr-x. me me unconfined_u:object_r:file_t:s0 /home/me/public_html/
Update 2, after I verified that this is indeed an SELinux issue (thanks to the tip by #Scolytus):
I ran the command:
chcon -R -t httpd_user_content_t /home/me/public_html/
Still no go.
[root#myhost ~]# ls -Z -d /home/me/public_html/
drwxrwxr-x. me me unconfined_u:object_r:httpd_user_content_t:s0 /home/me/public_html/
Then I ran "Allow HTTPD to read home directories" from the command line:
setsebool -P httpd_enable_homedirs=1
Still no go.
/var/log/httpd/error_log now shows (in addition to the (13)permission denied error) the following:
[notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[notice] Digest: generating secret for digest authentication ...
[notice] Digest: done
[notice] Apache/2.2.15 (Unix) DAV/2 configured -- resuming normal operations
Perhaps the problem lies in the discrepancy between context_system_u and httpd_user_content_t?
What else do I need to do? (without disabling SELinux completely, that is)
Update 3, thanks to information in #lserni's answer, I discovered the ausearch command:
ausearch -m avc --start today
Which provided the following output:
time->Fri Jul 4 09:16:44 2014
type=SYSCALL msg=audit(1404479804.256:1312): arch=40000003 syscall=196 success=no exit=-13 a0=12c2c80 a1=bfeb1d00 a2=a34ff4 a3=2008171 items=0 ppid=5880 pid=5886 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=193 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1404479804.256:1312): avc: denied { getattr } for pid=5886 comm="httpd" path="/home/me" dev=dm-3 ino=2 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Huh? Why /home/me and not /home/me/public_html?
Here is the output of ls -Zd /home/me/:
drwxr-xr-x. me me system_u:object_r:file_t:s0 /home/me/
Should I run the chcon -t httpd_user_content_t on /home/me, too?
Continuing to research...
Update 4: Success!
I ran the command:
chcon -t httpd_user_content_t /home/me/
And all is well now.
[root#myhost sa]# ls -Z -d /home/me/
drwxr-xr-x. me me system_u:object_r:httpd_user_content_t:s0 /home/me/
I've seen a slightly different version of the command you gave, supplied by sealert:
SELinux denied access to /var/www/html/file1 requested by httpd.
/var/www/html/file1 has a context used for sharing by different
program. If you would like to share /var/www/html/file1 from httpd
also, you need to change its file context to public_content_t. If
you did not intend to this access, this could signal a intrusion
attempt.
Allowing Access:
You can alter the file context by executing chcon -t public_content_t
'/var/www/html/file1'
Fix Command:
chcon -t public_content_t '/var/www/html/file1'
how do I troubleshoot a problem like this?
Most SELinux-related information is generally in the auditd logs, but you probably want some tool such as sealert to decode it for you. I've done a brief search and came up with this tool that I didn't know of, but seems interesting: SELinux GUI.
Addendum: Some examples with semanage
I can't check immediately, but I recall that commenting out the UserDir disabled isn't the same as enabling!
More specifically, I think you need to include a line in your https.conf file
Userdir enabled me
Related
I followed the guide on https://blog.ssdnodes.com/blog/installing-nextcloud-docker/ and got the docker containers running.
I changed the port mappings of nextcloud-proxy to 7443:443, 780:80, since my server already has an apache running.
When I open the page foo.bar.com:7443, it shows me a server error 500 page by nginx.
docker logs --details nextcloud-proxy only shows me, that the error-500-page was successfully delivered.
docker logs --details nextcloud-app does not show any errors regarding the request. It only shows some messages during startup:
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.19.0.5. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.19.0.5. Set the 'ServerName' directive globally to suppress this message
[Mon Mar 04 19:23:01.413561 2019] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.25 (Debian) PHP/7.2.15 configured -- resuming normal operations
[Mon Mar 04 19:23:01.413653 2019] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
It is pretty clear, that there is an error with apache or php (both should be logged by nextcloud-app). But I need to see the error log entries. How do I do this?
Logs are redirected to nextcloud's data folder.
From your nextcloud's root, try with:
$ tail nextcloud/data/nextcloud.log
(or the folder you set for data storage).
It's even better if you run the nextcloud with this switch to mount it to a folder on your host, edit config/config.php to have finer-grained logs through setting loglevel, the run tail -f data/nextcloud.logs
docker run -v ~/Projects/nextcloud:/var/www/html -d -p 8080:80 nextcloud
<?php
$CONFIG = array (
'htaccess.RewriteBase' => '/',
...
...
...
'loglevel' => 0,
);
Restart the docker image by running docker restart YOUR_INSTNANCE_ID
Then docker exec -it YOUR_INSTNANCE_ID bash -c "tail -f /var/www/html/data/nextcloud.log"
In my case, it helped to configure Nextcloud to use stdout instead of a dedicated logfile for its logging output.
This allows you to see all the logs instead of just the php fpm output in the if you execute docker logs <yourcontainerid> or view it in Portainer or some other management software.
Just add the following to your config.php
"logfile" => "/dev/stdout",
I forgot that I had enabled SELinux on one of my web servers. So when I went to log into the host with my user account and ssh key, I was getting permission denied errors.
[TimothyDunphy#JEC206429674LM:~] #ssh bluethundr#web1.somedomain.com
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Hmmm... So I consoled into the server and was able to login. I tailed the audit logs, and this is what I saw:
type=USER_LOGIN msg=audit(1429981690.809:394593): pid=17074 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="bluethundr" exe="/usr/sbin/sshd" hostname=? addr=47.18.111.100 terminal=ssh res=failed'
In googling for the answer to this I got the advice to run this command:
[root#web1:~] #restorecon -R -v /home/bluethundr/.ssh
[root#web1:~] #
But when I go to login again, after doing that, I get the same result. Permission denied and the same error in the logs.
The only other thing I can think of is that the home directory for the user is mounted from an NFS share. Might there be some SELinux incantation I can use to allow SSH to a home directory on an NFS share?
Or maybe I'm missing something else?
Thanks,
Tim
If restorecon didn't work, I generally try audit2why and/or audit2allow to find what policy is being violated. That's not to say that I apply the policy change suggestions that are generated, just that they lead to very good information to resolving the issue.
Bingo!!
When I ran audit2why -w this was the output I saw:
[root#web1:~] #grep ssh /var/log/audit/audit.log | audit2why -w
Was caused by:
The boolean use_nfs_home_dirs was set incorrectly.
Description:
Allow use to nfs home dirs
Allow access by executing:
# setsebool -P use_nfs_home_dirs 1
type=AVC msg=audit(1429983513.529:394784): avc: denied { read } for pid=19748 comm="sshd" name="authorized_keys" dev="0:40" ino=275968 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
So it looks like my hunch about it being about NFS and your suggestion to use audit2why allow me to crack the case!
[TimothyDunphy#JEC206429674LM:~/creds] #ssh bluethundr#web1.jokefire.com
Last login: Sat Apr 25 13:41:02 2015 from ool-2f126f64.dyn.optonline.net
[bluethundr#web1 ~]$
Bam!! It works. Thanks for your help!
I am having issue when I select a kick start profile to start installation after PXE boot. On the network installation server (same DHCP server) side I can see the following error in /var/log/messages when I hit this issue.
Nov 13 17:42:30 desktop10 dhcpd: DHCPDISCOVER from 00:0c:29:90:39:53 via eth0
Nov 13 17:42:30 desktop10 dhcpd: DHCPOFFER on 192.168.174.2 to 00:0c:29:90:39:53 via eth0
Nov 13 17:42:32 desktop10 dhcpd: Dynamic and static leases present for 192.168.174.2.
Nov 13 17:42:32 desktop10 dhcpd: Remove host declaration desktopy or remove 192.168.174.2
Nov 13 17:42:32 desktop10 dhcpd: from the dynamic address pool for 192.168.174/24
Nov 13 17:42:32 desktop10 dhcpd: DHCPREQUEST for 192.168.174.2 (192.168.174.10) from 00:0c:29:90:39:53 via eth0
Nov 13 17:42:32 desktop10 dhcpd: DHCPACK on 192.168.174.2 to 00:0c:29:90:39:53 via eth0
Nov 13 17:42:32 desktop10 in.tftpd[20546]: tftp: client does not accept options
Nov 13 17:42:36 desktop10 setroubleshoot: SELinux is preventing in.tftpd (tftpd_t) "read" to ./vmlinuz (httpd_sys_content_t). For complete SELinux messages. run sealert -l 97c61847-7ea2-435f-bede-c95302b034f5**
On server the the selinux security contents
[root#desktop10 ~]# ls -Z /tftpboot/images/ks-rhel-x86_64-server-6-60/vmlinuz
-rw-r--r-- apache apache system_u:object_r:httpd_sys_content_t /tftpboot/images/ks-rhel-x86_64-server-6-60/vmlinuz
Note: desktop10 is RHEL5.6, if I change selinux to permissive then I can proceed with installation.
Can someone help me to sort out this issue? Please let me know if anyone need more info.
Tried as suggested in the comment but no luck
[root#desktop10 ~]# restorecon -Rv /tftpboot/
[root#desktop10 ~]# ls -Z /tftpboot/images/ks-rhel-x86_64-server-6-60/vmlinuz
-rw-r--r-- apache apache system_u:object_r:httpd_sys_content_t /tftpboot/images/ks-rhel-x86_64-server-6-60/vmlinuz
Your files are labeled by 'httpd_sys_content_t' that is not acceptable label for kickstart. It looks you copied the file from an apache directory or you create the file from a web appliaction running on apache.
Relabel directory by default labels:
[root#localhost /]# restorecon -Rv /tftpboot
I think it may work if you try to relabel the directory with tftpd context tftpd_rw_t:
# semanage fcontext -a -t tftpd_rw_t '/tftpboot(/.*)?'
# restorecon -R -v /tftpboot
So I just recently downloaded Apache server with all of its files (httpd, apr, apr-util, pcre) following the instructions dictated here: http://httpd.apache.org/docs/2.4/install.html
However, after set-up, when I tried to start my Apache server, which is located in my usr/local/bin/, I was prompted with this message:
[allen#allen-lnx ~]$ /usr/local/bin/apachectl start
(13)Permission denied: AH00091: httpd: could not open error log file /usr/local/logs/error_log.
AH00015: Unable to open logs
After some research, I have found that I need to edit my httpd.conf file, which I did so earlier to allow for the correct ServerName and Listen options. However, I am unsure as to how to edit my conf file to allow for access to the "logs" directory.
Notably, the command will run when I use the "sudo" command, but I would prefer to not always use that since it seems like a work around.
Any help would appreciated. Thanks!
Edit: I've actually noticed that I may have two httpd.conf files, which is proving to be a little troublesome. The other one is located in my root /etc/ directory (etc/httpd/conf/httpd.conf). I think my modified question now is... which one should I be keeping? Is the /etc/ version the one that is built in, as indicated by faff's comment below?
Current Solution: I figured I would just accept the fact that I need to use sudo when editing this file since I need to be root. I might change it later so that I'm always running as root, but for now, sudo will suffice.
This looks like an issue with he filesystem permissions. Make sure the /usr/local/logs/ directory exists and is writeable by the user you're running Apache as.
If you don't want to have your logs directory writeable by normal user, you can create the log file:
sudo touch /usr/local/logs/error_log
And then change the owner of the file to the correct user:
sudo chown allen /usr/local/logs/error_log
Assuming you want to run Apache as the user allen.
If you want to change the location of Apache logfile, look for the ErrorLog directive in your httpd.conf file (you will have to add it if it's not there):
ErrorLog path/to/logfile
For everyone that is using SELinux, if you deleted the folder or come across similar problems you may need to do several things.
Re-link the folder with ln -s /var/log/httpd /etc/httpd/logs
By default logs are kept under the var folder but are referenced in the /etc/httpd/logs folder
Apply SELinux security permissions with chcon system_u:object_r:httpd_config_t:s0 /etc/httpd/logs
And of course run everything as admin
Changing SELinux security policy to permissive fixed my problem.
Before fix my SELinux worked with enforced mode:
$ sestatus -v
sestatus -v
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 30
I changed security policy in SELinux configuration file and in the system.
#/etc/selinux/config
SELINUX=permissive
# In terminal set SELinux to run in permissive mode.
$ setenforce 0
After fix my SELinux worked with enforced mode:
$ sestatus -v
SELinux status: enabled
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 30
For those who are stuck with the SElinux policies, I was able to do it by creating a custom policy
Basically I wanted to move the /var/log/httpd to my own directory under /r/
So I run the following
semanage fcontext -a -t httpd_sys_content_t "/r/www(/.*)?"
semanage fcontext -a -t httpd_log_t "/r/logs(/.*)?"
restorecon -Rv /z/logs/
restorecon -Rv /z/www/
service httpd restart
# worked
I have my computer on network, and whole homedir is mounted at login with CIFS. When I access http://localhost everything works fine, but when I access http://localhost/~user it fails.
# cat /etc/mtab
.....
//192.168.1.5/user/ /home/user cifs rw,mand 0 0
ls -l
...
drwxrwxrwx 37 user domain users 0 2011-12-22 09:12 public_html
The browser say:
Forbidden
You don't have permission to access /~lluisforns on this server.
And apache say
cat /var/log/apache2/error.log
[Thu Dec 22 18:19:09 2011] [error] [client 127.0.0.1] (13)Permission denied: access to /~lluisforns denied
Any idea?
Had the same issue, and it turned out to be an SELinux thing: SELinux has a setting that prevents httpd (apache) to follow CIFS links.
To see if you have this issue:
getsebool -a | grep httpd
you should see httpd_use_cifs --> on. if not, your in luck - this is your problem.
To fix:
setsebool httpd_use_cifs on
You may also decide to disable SELinux altogether (assuming you know the risk) - here is a link to one relevant page