RE: Permission Still Denied with Moodle

Hi again,


Here is the result of the command you suggested, Yehuda:

netstat -ln | grep 80
tcp6       0      0 :::80                   :::*                    LISTEN     
udp6       0      0 :::22880                :::*                               
unix  2      [ ACC ]     STREAM     LISTENING     15965    @/tmp/.ICE-unix/806
unix  2      [ ACC ]     STREAM     LISTENING     15966    /tmp/.ICE-unix/806

And some more info:

/sbin/ifconfig
em1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.100  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::211:d8ff:fe26:a1ca  prefixlen 64  scopeid 0x20<link>
        ether 00:11:d8:26:a1:ca  txqueuelen 1000  (Ethernet)
        RX packets 3127  bytes 2155230 (2.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3300  bytes 639943 (624.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 17  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 4  bytes 340 (340.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 340 (340.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

By the way, in the first e-mail, you might have seen the 'all' in the <Directory "/var/www/html"> block.
When I restarted the server, it complained about that, so I commented it out, despite the notes about it in the file:
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #AllowOverride None
    #all 
    Require all granted
</Directory>

Regarding the SELinux suspicion, I tried the suggestions in that wiki before my first post.  That's where I learned the "ls -alZ" command.  I should have put these in that e-mail.  Here are the results on the pertinent folders:

drwxrwxr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 www

drwxrwxr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_t:s0       ..
drwxrwxr-x. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxrwxr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 html

-rwxr-xr-x. apache timothy unconfined_u:object_r:user_home_t:s0 index.php

Actually I don't know how to use the "change file SELinux security context" command.  But as you can see, the html file setting is "httpd_sys_content_t", but the index.php file is not.  I did try these commands:
cp /etc/selinux/config /etc/selinux/config.bak
Disable SELinux
sed -i s/SELINUX=enforcing/SELINUX=disabled/g /etc/selinux/config
I thought that would disable SELinux to rule that out as a problem but it didn't appear to do anything.  Reading a little bit more about the chcon command I tried it out:

chcon -R --reference=info.php moodle

Then files like the index all have that same httpd_sys_content_t label which is what Yehuda suggested.  Still, there was no change in the Permission Denied situation.

-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 index.php

One thing I haven't looked at because I don't understand is the comment at the end of the http://wiki.apache.org/httpd/13PermissionDenied article.  Maybe someone could translate this into some concrete steps I could try:
"In rare cases, this can be caused by other issues, such as a file permissions problem elsewhere in your apache2.conf file. For example, a WSGIScriptAlias directive not mapping to an actual file. The error message may not be accurate about which file was unreadable."

Something funny is going on with the ip address however.  When I go to localhost, like I said before, it prints this message:  "Incorrect access detected, this server may be accessed only through "http://*.*.*.30:80/moodle" address, sorry.  Please notify server administrator.  This page should automatically redirect. If nothing is happening please use the continue link below."  The funny part is that the ip address does not end with a 30, but a 50, as Linksys shows, and Tomcat, working on port 8080 on another box shows.  So why does that message point to ...30:80/moodle?  Strange.

Any other suggestions would really help,

Thanks in advance,

Timothy.





From: yehuda@xxxxxxxxxx
Date: Wed, 9 Oct 2013 20:03:45 -0400
To: users@xxxxxxxxxxxxxxxx
Subject: Re: Permission Still Denied with Moodle

1. For the "http://*my ip*/moodle" problem:
It appears that there are no vhosts at all, so that should not get in the way.
I should have listed this before too: Can you check if apache is listening on all ips?
netstat -ln | grep 80

2. For the localhost problem: 
I can't shake the feeling that this is SELinux related, since your permissions look OK.
Did you look at this wiki article? I don't want to suggest anything you already tried.
Did you try changing the SELinux context (I think the correct one should be httpd_sys_content_t)?

- Y


On Wed, Oct 9, 2013 at 7:34 PM, Timothy Curchod <timofeyc@xxxxxxxxxxx> wrote:

Thanks for the reply Yehuda.  Here is the info you asked about.


ls -l
lrwxrwxrwx.   1 root root     7 Oct  8 17:13 bin -> usr/bin
dr-xr-xr-x.   5 root root  1024 Oct  8 17:31 boot
drwxr-xr-x   19 root root  3440 Oct 10 07:02 dev
drwxr-xr-x. 144 root root 12288 Oct 10 07:02 etc
drwxr-xr-x.   4 root root  4096 Jul  8 17:56 home
lrwxrwxrwx.   1 root root     7 Oct  8 17:13 lib -> usr/lib
lrwxrwxrwx.   1 root root     9 Oct  8 17:13 lib64 -> usr/lib64
drwx------.   2 root root 16384 Jun 28 02:09 lost+found
drwxr-xr-x.   2 root root  4096 Jul  8 17:56 media
drwxr-xr-x.   3 root root  4096 Jul  8 17:56 mnt
drwxr-xr-x.   3 root root  4096 Oct  8 18:42 opt
dr-xr-xr-x  166 root root     0 Oct 10 07:02 proc
dr-xr-x---.   5 root root  4096 Oct  9 22:42 root
drwxr-xr-x   39 root root  1180 Oct 10 07:02 run
lrwxrwxrwx.   1 root root     8 Oct  8 17:13 sbin -> usr/sbin
drwxr-xr-x.   2 root root  4096 Jul  8 17:56 srv
dr-xr-xr-x   13 root root     0 Oct 10 07:02 sys
drwxrwxrwt   13 root root   280 Oct 10 07:03 tmp
drwxr-xr-x.  13 root root  4096 Oct  8 17:13 usr
drwxr-xr-x.  23 root root  4096 Oct  9 12:21 var


Also, moodle requires a data folder which I put in var with 777 permissions:

drwxrwxrwx.  6 root   root   4096 Oct  9 12:55 moodledata


httpd -S
VirtualHost configuration:
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48 not_used
Group: name="apache" id=48 not_used


I have a Linksys router which has settings as such:

Start   End     Protocol    IP Address
80      80      both        192.168.1.100
8080    8080    both        192.168.1.126  <-- used with Tomcat which runs fine on another box.


This is in the httpd.config file:


#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80


What am I doing wrong?  Notice that info.php is in the documents directory and I can access it fine.

-rw-r--r--.  1 apache root     20 Oct  9 11:32 info.php

I tried to create the page as my regular user, but was unable to save in that directory, so I ended up creating it as root. How am I going to be able to work on Moodle development if I can’t modify files in the www/html folder as a regular user?  This is a development server with one user, myself.  Should I make all the files match the permissions on info.php and do all my work as root?


Thanks for any help,


Timothy.


From: yehuda@xxxxxxxxxx
Date: Wed, 9 Oct 2013 12:18:56 -0400
To: users@xxxxxxxxxxxxxxxx
Subject: Re: Permission Still Denied with Moodle


> "AH00035: access to /moodle/ denied (filesystem path '/var/www/html/moodle') because search permissions are missing on a component of the path"
This implies that the x permission is missing. You posted for every directory except /var . What are its permissions?
I have no idea if selinux could get in the way or if setenforce 0 really gets rid of it.

> Incorrect access detected, this server may be accessed only through "http://*my ip*/moodle" address, sorry.  Please notify server administrator.
Does Moodle modify the default 403 error page? That is probably what this is.

> If I use http://*my ip*/moodle or http://*my ip*:80/moodle I get this error:
> Oops! Google Chrome could not connect to *my ip*
Is apache set to listen to an IP besides 127.0.0.1?
Run httpd -S for the list of active vhosts.

- Y


On Wed, Oct 9, 2013 at 4:19 AM, Timothy Curchod <timofeyc@xxxxxxxxxxx> wrote:

Hi,

I've tried a few times to set up moodle on LAMP but failed each time with the following errors:

If I use localhost/moodle, I get this error:

Incorrect access detected, this server may be accessed only through "http://*my ip*/moodle" address, sorry.  Please notify server administrator.

If I use http://*my ip*/moodle or http://*my ip*:80/moodle I get this error:

Oops! Google Chrome could not connect to *my ip*

If I look in the /etc/httpd/logs/error_log I see:

[Wed Oct 09 14:59:46.240266 2013] [core:error] [pid 2279] (13)Permission denied: [client 127.0.0.1:43084] AH00035: access to /moodle/ denied (filesystem path '/var/www/html/moodle') because search permissions are missing on a component of the path

The wiki says this is an error 13 which indicates a filesystem permissions problem but I can't see where.  I've looked at a lot of questions relating to permission problems that people have had and it all seems to show that I have things set up correctly, or have tried the things that should work.  

/etc/httpd/conf/httpd.conf contains
...
User apache
Group apache
...
<Directory />
    AllowOverride none
    Require all denied
</Directory>
...
<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>
...
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    #AllowOverride None
    all 
    Require all granted
</Directory>

My directory permissions are:

drwxrwxr-x.  4 apache apache 4096 Oct  9 08:23 www

drwxrwxr-x. 2 apache apache 4096 Jul 31 15:50 cgi-bin
drwxrwxr-x. 3 apache apache 4096 Oct  9 14:07 html

-rw-r--r--.  1 apache root     20 Oct  9 11:32 info.php
drwxr-xr-x. 44 apache apache 4096 Oct  9 14:18 moodle

-rw-r-----.  1 apache apache    690 Oct  9 14:18 config.php
-rwxr-xr-x.  1 apache timothy 35147 Oct  4 11:43 COPYING.txt
drwxr-xr-x.  7 apache timothy  4096 Oct  9 14:06 course
-rwxr-xr-x.  1 apache timothy  2594 Oct  4 11:43 draftfile.php
drwxr-xr-x. 17 apache timothy  4096 Oct  9 14:06 enrol
drwxr-xr-x.  2 apache timothy  4096 Oct  9 14:06 error
-rwxr-xr-x.  1 apache timothy  3923 Oct  4 11:43 file.php
drwxr-xr-x.  3 apache timothy  4096 Oct  9 14:06 files
drwxr-xr-x. 14 apache timothy  4096 Oct  9 14:06 filter
-rwxr-xr-x.  1 apache timothy   953 Oct  4 15:14 githash.php
drwxr-xr-x.  8 apache timothy  4096 Oct  9 14:06 grade
drwxr-xr-x.  3 apache timothy  4096 Oct  9 14:06 group
-rwxr-xr-x.  1 apache timothy  1423 Oct  4 11:43 help_ajax.php
-rwxr-xr-x.  1 apache timothy  1761 Oct  4 11:43 help.php
-rwxr-xr-x.  1 apache timothy 13203 Oct  4 11:43 index.php

* tried setenforce 0.  The ls -alZ command returns 

-rwxr-xr-x. apache timothy unconfined_u:object_r:user_home_t:s0 index.php

* tried chown -R root on all files as well.
* ran the moodle setup script as such: # sudo -u apache /usr/bin/php install.php

I am using the following setup:
Fedora 19
Apache 2.4.6
PHP 5.5.4
moodle 2.5
MariaDB 5.5.32

Since the Moodle docs indicate this is a permissions problem with apache, I thought I should ask here first.  Any suggestions or solutions would be much welcomed.

Thanks,

Timothy Curchod.
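
The two checks this thread keeps returning to (the x bit on every component of the path, and the SELinux type on the served files), written out as an added example that is not part of any message above. The function names are hypothetical; it assumes GNU `stat` and `awk`, and takes uid/gid 48 for `apache` from the `httpd -S` output in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: two read-only checks for AH00035.

# Constructed sample: two `ls -alZ` lines copied from the messages above.
SAMPLE_LS_Z='drwxrwxr-x. apache apache system_u:object_r:httpd_sys_content_t:s0 html
-rwxr-xr-x. apache timothy unconfined_u:object_r:user_home_t:s0 index.php'

# Print the first directory on the path that uid/gid cannot search (no x bit).
# Assumption: supplementary groups and ACLs are ignored.
first_unsearchable() (      # usage: first_unsearchable PATH UID GID
    uid=$2 gid=$3 cur=""
    old_ifs=$IFS; IFS=/; set -f
    set -- $1                # split the path on "/"
    set +f; IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        [ -d "$cur" ] || break
        read -r owner group perm <<EOF
$(stat -c '%u %g %a' "$cur")
EOF
        if   [ "$owner" = "$uid" ]; then shift_by=6   # owner triad applies
        elif [ "$group" = "$gid" ]; then shift_by=3   # group triad applies
        else                             shift_by=0   # "other" triad applies
        fi
        if [ $(( (0$perm >> $shift_by) & 1 )) -eq 0 ]; then
            printf '%s\n' "$cur"
            break
        fi
    done
)

# Read `ls -Z` lines on stdin; print "name: type" for every entry whose
# SELinux type is not one of the httpd content types.
mislabeled() {
    awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 4) {            # user:role:type:level
                if (c[3] !~ /^httpd_sys_(content|script_exec|rw_content)_t$/)
                    print $NF ": " c[3]
                next
            }
    }'
}

printf '%s\n' "$SAMPLE_LS_Z" | mislabeled        # index.php: user_home_t
first_unsearchable /var/www/html/moodle 48 48    # silent when every component is searchable
```

On a live host, `ls -alZ /var/www/html/moodle | mislabeled` lists the files that still need relabeling. `restorecon -Rv /var/www/html` resets them to the policy default, whereas a `chcon` change is lost at the next relabel.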


