Joshua Slive wrote:
On 12/10/05, Stephen Collyer <scollyer@xxxxxxxxxxxxxxxx> wrote:And the perms are fine - chmod'ed everything wide open earlier on to be sure. There's a ScriptAlias set up pointing to a cgi-bin dir thats working just fine, too. This strikes me as odd.You checked ALL PARENT DIRECTORIES? Are you using selinux? Are you using symlinks? Have you tried to su to the User/Group specified in httpd.conf and see if you can access the files?
Yes, I've checked ALL PARENT DIRECTORIES. No, I'm not using selinux. No, I'm not using symlinks. Yes, I can su to the appropriate user, and I can, indeed, access the files that way.
I'm much keener to get Apache to tell why it's returning a 403 rather than guessing - do you know if this is possible ?Sure; first you need to find the code in apache that is denying access, and then add an appropriate error log message to that code path. Easy, huh?
I'm not familiar with the Apache code base, but I guess this implies that there's no trace code in there ? Seems to be something of an omission for a project as large as Apache, if so.
An alternative is to run the request under a debugger and step through it until you see what is causing the problem. See: http://httpd.apache.org/dev/debugging.html
Well, I'd already strace'd it, with no better results; all I could see is that the appropriate file is stat'ed, and then a little later on, the 403 being returned. However: *** I have found the problem *** The problem, of course, was caused by my being a dick. I'd put in some temporary access control that I'd forgotten about in an Include'd conf file. Now, given that we're all dicks at some point or other, this has taught me that Apache is too hard to debug. It would be much more useful if it were possible to askApache to provide a trace of a request, based on its current configuration, this trace containing all of the major decisions
that are made thoughout its life: access control, URL->dir translations, usage of Aliases, and so on. Now, I'd guess that such trace would be spread across many components, written by many different people, so I won't be holding my breath, but this would be far more useful than the current suggestions in the debugging page of, say, strace or gdb, both of which are really at the wrong level semantically. (strace is telling you about syscalls, not config logic, and gdb'ing Apache ain't for those who aren't already familiar with the code, though it would give you the right answer with enough effort, of course). -- Regards Stephen Collyer Netspinner Ltd --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx