Re: [users@httpd] permissions problem

["Dr. Stephen Judd" <sjudd@xxxxxxxxxxxxxx>]

On 2006 Jan 30, at 10:09 PM, Joshua Slive wrote:

On 1/30/06, Dr. Stephen Judd <sjudd@xxxxxxxxxxxxxx> wrote:

On 2006 Jan 30, at 4:01 PM, Joshua Slive wrote:

On 1/30/06, David Salisbury <salisbury@xxxxxxxxx> wrote:

[Mon Jan 30 15:54:49 2006] [error] (13)Permission denied: access to

/radar/data/hi3.html denied

I'm not so sure about your "forbidden by rule" assumption.  I believe if

you were to Deny access to an IP address you get a simple "permission

denied".

So I wouldn't discount a configuration problem.. maybe even a hidden

.htaccess

guy hanging out.

No, in this case, "permission denied" (errorno=EACCES=13) is what the

OS is returning when apache tries to open the file.

Try logging in as the user specified in the User/Group directive and

see if you can access the file.

Joshua.

The config file says this:

User apache

Group apache

The straightforward way of doing what you ask for does not work:

[root@database ~]# su apache

This account is currently not available.

I don't know exactly what that means or how to get around it,

but I investigated this much further the other day and found some

oddities...

I wrote a little script to look into the issue of who the user is:

<?php

clearstatcache();

$yuzer= $_ENV['USER']; $lognm= $_ENV['LOGNAME'];

print "USER= $yuzer, LOGNAME= $lognm<br/>\n";

$getperms= fileperms('data') & 0777;

print "fileperms are: $getperms <br/>\n";

if ($getperms ==0) print "cannot access<br/>\n";

?>

When invoked via the web, it apparently runs as root(!) (not apache?!)

and gives a message saying that it cannot do a stat:

USER= root, LOGNAME= root

fileperms are: 0

cannot access

When invoked from the command line (in any of several users I tried)

it works fine and accesses the file. I'm baffled. Is the "root" user

that it purports to be the same as the usual system root user? If so, why

can it not access a file that everyone else can? If not, then who is it??

USER/LOGNAME are probably inherited from the parent apache process. 

If you create a file in /tmp, you'll probably find it is owned by

apache.

Yes. You are right about that. That makes the message from the script

all the more confusing. I suppose that it gets invoked as root and then

switches its identity to apache as soon as it can. You'd think that its

identity as root would be gone long before it ran my script, but whatever.

Your problem still sounds very much like SELinux to me.  Are you

absolutely positive you are not running that? 

What exact version of redhat are you running?

I'm quite sure I'm not running SELinux. Here is my evidence:

[judd@database ~]$ echo $MACHTYPE

i686-redhat-linux-gnu

As for version, I dunno. How do I find out?

If not, check the permissions on every file and directory starting

with the one you are trying to access and going all the way up the

tree.

I've done this --and redone it-- because it sure seems like the thing to do.

But no explanation lies in there.

The permissions on the radar directory are these:

drwxr-xr-x  3 radar radargrp 4096 Jan 27 22:21 radar

The permissions on the data directory are these:

drwxrwxrwx  4 radar radargrp 4096 Jan 26 09:13 data

And given that files from the radar directory are being served up without 

problem, I believe that I need exhibit no more evidence. Is that true?

Anyway, I'll provide it just to be forthcoming...

radar's parent is this:

drwxr-xr-x   4 root root 4096 Jan 27 22:28 html

html's parent is this:

drwxr-xr-x   8 root root 4096 Jan  6 11:26 www

and www's parent is this:

drwxr-xr-x  21 root root 4096 Jan  6 11:38 var

and var's parent is /. The path is OPEN !

Tell me about the issue in SELinux. At this point, I'm willing to chase any

possibilities.

sj