I have my computer on network, and whole homedir is mounted at login with CIFS. When I access http://localhost everything works fine, but when I access http://localhost/~user it fails.
# cat /etc/mtab
.....
//192.168.1.5/user/ /home/user cifs rw,mand 0 0
ls -l
...
drwxrwxrwx 37 user domain users 0 2011-12-22 09:12 public_html
The browser say:
Forbidden
You don't have permission to access /~lluisforns on this server.
And apache say
cat /var/log/apache2/error.log
[Thu Dec 22 18:19:09 2011] [error] [client 127.0.0.1] (13)Permission denied: access to /~lluisforns denied
Any idea?
Had the same issue, and it turned out to be an SELinux thing: SELinux has a setting that prevents httpd (apache) to follow CIFS links.
To see if you have this issue:
getsebool -a | grep httpd
you should see httpd_use_cifs --> on. if not, your in luck - this is your problem.
To fix:
setsebool httpd_use_cifs on
You may also decide to disable SELinux altogether (assuming you know the risk) - here is a link to one relevant page
Related
I followed the guide on https://blog.ssdnodes.com/blog/installing-nextcloud-docker/ and got the docker containers running.
I changed the port mappings of nextcloud-proxy to 7443:443, 780:80, since my server already has an apache running.
When I open the page foo.bar.com:7443, it shows me a server error 500 page by nginx.
docker logs --details nextcloud-proxy only shows me, that the error-500-page was successfully delivered.
docker logs --details nextcloud-app does not show any errors regarding the request. It only shows some messages during startup:
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.19.0.5. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.19.0.5. Set the 'ServerName' directive globally to suppress this message
[Mon Mar 04 19:23:01.413561 2019] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.25 (Debian) PHP/7.2.15 configured -- resuming normal operations
[Mon Mar 04 19:23:01.413653 2019] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
It is pretty clear, that there is an error with apache or php (both should be logged by nextcloud-app). But I need to see the error log entries. How do I do this?
Logs are redirected to nextcloud's data folder.
From your nextcloud's root, try with:
$ tail nextcloud/data/nextcloud.log
(or the folder you set for data storage).
It's even better if you run the nextcloud with this switch to mount it to a folder on your host, edit config/config.php to have finer-grained logs through setting loglevel, the run tail -f data/nextcloud.logs
docker run -v ~/Projects/nextcloud:/var/www/html -d -p 8080:80 nextcloud
<?php
$CONFIG = array (
'htaccess.RewriteBase' => '/',
...
...
...
'loglevel' => 0,
);
Restart the docker image by running docker restart YOUR_INSTNANCE_ID
Then docker exec -it YOUR_INSTNANCE_ID bash -c "tail -f /var/www/html/data/nextcloud.log"
In my case, it helped to configure Nextcloud to use stdout instead of a dedicated logfile for its logging output.
This allows you to see all the logs instead of just the php fpm output in the if you execute docker logs <yourcontainerid> or view it in Portainer or some other management software.
Just add the following to your config.php
"logfile" => "/dev/stdout",
I'm trying to setup Apache (httpd) with mod_wsgi to run a single Django site.
(13)Permission denied: httpd: could not open error log file /var/mail/django-error-log.
Unable to open logs
I've already done: chown apache django-error-log to make sure the ownership is set to apache and verified it with ls -l
ls -l
total 0
-rw-r--r--. 1 apache root 0 Jan 10 01:40 django-error-log
Any idea what's causing the permission denied?
Highly possible you have SELinux Enforcing.
Just disable it (SELINUX=disabled) and try again.
1.) vi /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
2.) And then "reboot"
3.-) Try again
You can use "getenforce" command to verify the current status, as follows:
[root#instance-1 selinux]# getenforce
Disabled
[root#instance-1 selinux]#
Regards
I am trying to configure Apache httpd.conf (on my CentOS 6.4) to allow access to my user directory (i.e. ~me/public_html/index.html).
I changed the original httpd.conf (i.e. out-of-the-box) as follows:
[root#myhost www]# diff /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.orig.out-of-the-box
366c366
< #UserDir disabled
---
> UserDir disabled
373c373
< UserDir public_html
---
> #UserDir public_html
This should in principle provide access to http://myhost/~me but instead, I am getting the dreaded error:
You don't have permission to access /~me on this server.
I checked the file /var/log/httpd/error_log and, sure enough, it reads:
(13)Permission denied: access to /~me denied
The first weird thing I noticed is that a / is prepended to ~me.
Where does that leading / come from?
Is it only a "red herring"?
Or is this pointing to the root cause of the problem (i.e. something else I need to modify in httpd.conf)?
Most importantly, since I know that my ~me/public_html is has world-readable permissions, how do I troubleshoot a problem like this?
Is there a way to find out why "access to /~me denied"?
SELinux?
httpd.conf?
directory permissions?
all of the above?
Update 1, answering the 2 questions in the comments by #UlrichSchwarz below:
The home directory does seem to have the 'x' permission:
[root#myhost ~]# ls -lad /home/me
drwxr-xr-x. 33 me me 4096 Feb 8 16:30 /home/me
SELinux info on public_html:
[root#myhost ~]# ls -Z -d /home/me/public_html/
drwxrwxr-x. me me unconfined_u:object_r:file_t:s0 /home/me/public_html/
Update 2, after I verified that this is indeed an SELinux issue (thanks to the tip by #Scolytus):
I ran the command:
chcon -R -t httpd_user_content_t /home/me/public_html/
Still no go.
[root#myhost ~]# ls -Z -d /home/me/public_html/
drwxrwxr-x. me me unconfined_u:object_r:httpd_user_content_t:s0 /home/me/public_html/
Then I ran "Allow HTTPD to read home directories" from the command line:
setsebool -P httpd_enable_homedirs=1
Still no go.
/var/log/httpd/error_log now shows (in addition to the (13)permission denied error) the following:
[notice] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[notice] Digest: generating secret for digest authentication ...
[notice] Digest: done
[notice] Apache/2.2.15 (Unix) DAV/2 configured -- resuming normal operations
Perhaps the problem lies in the discrepancy between context_system_u and httpd_user_content_t?
What else do I need to do? (without disabling SELinux completely, that is)
Update 3, thanks to information in #lserni's answer, I discovered the ausearch command:
ausearch -m avc --start today
Which provided the following output:
time->Fri Jul 4 09:16:44 2014
type=SYSCALL msg=audit(1404479804.256:1312): arch=40000003 syscall=196 success=no exit=-13 a0=12c2c80 a1=bfeb1d00 a2=a34ff4 a3=2008171 items=0 ppid=5880 pid=5886 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=193 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1404479804.256:1312): avc: denied { getattr } for pid=5886 comm="httpd" path="/home/me" dev=dm-3 ino=2 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
Huh? Why /home/me and not /home/me/public_html?
Here is the output of ls -Zd /home/me/:
drwxr-xr-x. me me system_u:object_r:file_t:s0 /home/me/
Should I run the chcon -t httpd_user_content_t on /home/me, too?
Continuing to research...
Update 4: Success!
I ran the command:
chcon -t httpd_user_content_t /home/me/
And all is well now.
[root#myhost sa]# ls -Z -d /home/me/
drwxr-xr-x. me me system_u:object_r:httpd_user_content_t:s0 /home/me/
I've seen a slightly different version of the command you gave, supplied by sealert:
SELinux denied access to /var/www/html/file1 requested by httpd.
/var/www/html/file1 has a context used for sharing by different
program. If you would like to share /var/www/html/file1 from httpd
also, you need to change its file context to public_content_t. If
you did not intend to this access, this could signal a intrusion
attempt.
Allowing Access:
You can alter the file context by executing chcon -t public_content_t
'/var/www/html/file1'
Fix Command:
chcon -t public_content_t '/var/www/html/file1'
how do I troubleshoot a problem like this?
Most SELinux-related information is generally in the auditd logs, but you probably want some tool such as sealert to decode it for you. I've done a brief search and came up with this tool that I didn't know of, but seems interesting: SELinux GUI.
Addendum: Some examples with semanage
I can't check immediately, but I recall that commenting out the UserDir disabled isn't the same as enabling!
More specifically, I think you need to include a line in your https.conf file
Userdir enabled me
I am having issue when I select a kick start profile to start installation after PXE boot. On the network installation server (same DHCP server) side I can see the following error in /var/log/messages when I hit this issue.
Nov 13 17:42:30 desktop10 dhcpd: DHCPDISCOVER from 00:0c:29:90:39:53 via eth0
Nov 13 17:42:30 desktop10 dhcpd: DHCPOFFER on 192.168.174.2 to 00:0c:29:90:39:53 via eth0
Nov 13 17:42:32 desktop10 dhcpd: Dynamic and static leases present for 192.168.174.2.
Nov 13 17:42:32 desktop10 dhcpd: Remove host declaration desktopy or remove 192.168.174.2
Nov 13 17:42:32 desktop10 dhcpd: from the dynamic address pool for 192.168.174/24
Nov 13 17:42:32 desktop10 dhcpd: DHCPREQUEST for 192.168.174.2 (192.168.174.10) from 00:0c:29:90:39:53 via eth0
Nov 13 17:42:32 desktop10 dhcpd: DHCPACK on 192.168.174.2 to 00:0c:29:90:39:53 via eth0
Nov 13 17:42:32 desktop10 in.tftpd[20546]: tftp: client does not accept options
Nov 13 17:42:36 desktop10 setroubleshoot: SELinux is preventing in.tftpd (tftpd_t) "read" to ./vmlinuz (httpd_sys_content_t). For complete SELinux messages. run sealert -l 97c61847-7ea2-435f-bede-c95302b034f5**
On server the the selinux security contents
[root#desktop10 ~]# ls -Z /tftpboot/images/ks-rhel-x86_64-server-6-60/vmlinuz
-rw-r--r-- apache apache system_u:object_r:httpd_sys_content_t /tftpboot/images/ks-rhel-x86_64-server-6-60/vmlinuz
Note: desktop10 is RHEL5.6, if I change selinux to permissive then I can proceed with installation.
Can someone help me to sort out this issue? Please let me know if anyone need more info.
Tried as suggested in the comment but no luck
[root#desktop10 ~]# restorecon -Rv /tftpboot/
[root#desktop10 ~]# ls -Z /tftpboot/images/ks-rhel-x86_64-server-6-60/vmlinuz
-rw-r--r-- apache apache system_u:object_r:httpd_sys_content_t /tftpboot/images/ks-rhel-x86_64-server-6-60/vmlinuz
Your files are labeled by 'httpd_sys_content_t' that is not acceptable label for kickstart. It looks you copied the file from an apache directory or you create the file from a web appliaction running on apache.
Relabel directory by default labels:
[root#localhost /]# restorecon -Rv /tftpboot
I think it may work if you try to relabel the directory with tftpd context tftpd_rw_t:
# semanage fcontext -a -t tftpd_rw_t '/tftpboot(/.*)?'
# restorecon -R -v /tftpboot
The issue
Now, I am a complete n00b on Apache, and I could certainly use some help with my current issue. I have installed the httpd rpm's on 3 different systems (all Advantech computers, 1 Box PC, 1 Advanced TCA blade, 1 Compact PCI blade, and all have RHEL6 installed). I have configured Apache with files used earlier, on other installations. When I issue the command
# service httpd restart
All goes well and I get this output:
Stopping httpd: [ OK ]
Starting httpd: httpd: apr_sockaddr_info_get() failed for <PC_Name>
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[ OK ]
Now, when I try to connect to the machine via Apache, I get the log-in screen asking for the username and password, as you would expect. However, it fails to log-in. When I look at the error_log in /var/log/httpd/, it shows this error message:
[Thu Sep 15 14:24:40 2011] [error] [client 192.168.10.175] (13)Permission denied: Could not open password file: /etc/shadow
[Thu Sep 15 14:24:40 2011] [error] [client 192.168.10.175] PAM: user 'root' - not authenticated: System error
It seems to me that this is either a configuration error, or it has something to do with permissions. Yet I can't seem to find out which. Another interesting fact is, that this only applies to the last two installations(Advanced TCA & Compact PCI), and not the first (Box PC), while all 3 installations are exactly the same.
Additional Info
The way I installed it was install httpd from yum,
# yum install httpd
Next install mod_auth_pam, which is needed by the configuration,
# yum install mod_auth_pam
Then I configured Apache with the files I got from previous installations (which basically is just replacing the configuration files from the standard Apache install), and after that I restarted the Apache service.
For this error "apr_sockaddr_info_get() failed"
You need to properly set your hostname.
hostname actual-non-expired-domain-name.com
Don't forget to set the name in your httpd.conf and in /etc/hosts as well.
I have been able to solve this by setting SELinux to allow Apache requests. This is done by issuing the following command:
semanage permissive -a http_t
Semanage is a utility from the policycoreutils-python package. This should come with the installation medium.