httpd run directory permissions in F12/11

Clodoaldo Neto clodoaldo.pinto.neto at gmail.com
Thu Oct 29 13:20:36 UTC 2009


2009/10/29 Paul Howarth <paul at city-fan.org>:
> On 29/10/09 11:29, Clodoaldo Neto wrote:
>>
>> I've been using Fedora 10 and while trying F12 beta I noticed a
>> problem in the httpd run directory permission. Then I tried F11 and
>> the same problem happens:
>>
>> [Wed Oct 28 12:05:02 2009] [notice] Apache/2.2.13 (Unix) DAV/2
>> PHP/5.2.9 mod_python/3.3.1 Python/2.6 mod_ssl/2.2.13
>> OpenSSL/0.9.8k-fips mod_wsgi/2.6 mod_perl/2.0.4 Perl/v5.10.0
>> configured -- resuming normal operations
>> [Wed Oct 28 12:05:09 2009] [error] [client 10.0.2.15] (13)Permission
>> denied: mod_wsgi (pid=2722): Unable to connect to WSGI daemon process
>> 'mygroup' on '/etc/httpd/run/wsgi.2692.0.1.sock' after multiple
>> attempts.
>>
>> The problem is that until F10 the httpd socket directory was /var/run/
>> and in F11 and F12 it is /var/run/httpd:
>>
>> # ll /etc/httpd/run
>> lrwxrwxrwx. 1 root root 19 2009-10-28 11:04 /etc/httpd/run ->
>> ../../var/run/httpd
>>
>> # ll -d /var/run/httpd
>> drwx------. 2 root root 4096 2009-10-28 11:51 /var/run/httpd
>>
>> # ll -d /var/run
>> drwxr-xr-x. 31 root root 4096 2009-10-28 11:35 /var/run
>>
>> # ll /var/run/httpd/
>> total 4
>> -rw-r--r--. 1 root   root 5 2009-10-28 12:05 httpd.pid
>> srwx------. 1 apache root 0 2009-10-28 12:05 wsgi.2692.0.1.sock
>>
>> That can break some apache modules like mod_wsgi which rely on sockets.
>>
>> Any of these solve the problem:
>>
>> # chmod o+x /var/run/httpd
>> # chown apache.root /var/run/httpd
>>
>> Is there a reason for the /var/run/httpd permissions to be as in
>> F11/12 ? Is it necessary to have the user intervention to fix it? I
>> have posted at the mod_wsgi list:
>>
>> http://groups.google.com/group/modwsgi/t/c5f5abc122088478
>
> I had exactly the same problem with mod_fcgid and ended up creating a
> separate socket directory /var/run/mod_fcgid with appropriate permissions
> instead of following /etc/httpd/run.
>
> If you create a directory matching /var/run/mod_.* with suitable permissions
> and include that directory in your package then it should get the right
> SELinux context set so that it will work out of the box.

Thanks for the workaround. But then what is the point of having a
default httpd run directory as a symlink in the /etc/httpd directory?
I could just set /var/run or run/.. as the socket directory avoiding
the extra work and future maintenance of creating a directory.

What I mean is why restrict the httpd run directory read permission to
root if apache will run as the apache user and not as root?

Regards, Clodoaldo

>
> Paul.
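Added example, not part of the original message or of any Fedora or mod_wsgi code: a small checker that resolves the symlink in a socket path and reports which parent directories a given uid cannot traverse. That is the condition behind the `(13)Permission denied` error above. It looks at classic mode bits only (ACLs, capabilities and SELinux are ignored), and the directory names, the stand-in socket file and the worker uid/gid in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile

def can_search(st, uid, gids):
    """Classic Unix mode-bit check for directory search (x) permission.
    Exactly one class applies: owner, else group, else other.
    Ignores ACLs, capabilities and SELinux policy."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def untraversable_dirs(path, uid, gids):
    """Return every directory above `path` that uid/gids cannot traverse."""
    # Resolve symlinks first, e.g. /etc/httpd/run -> ../../var/run/httpd
    d = os.path.dirname(os.path.realpath(path))
    blocked = []
    while True:
        if not can_search(os.stat(d), uid, gids):
            blocked.append(d)
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    return blocked[::-1]

def demo():
    """Constructed layout mirroring the post: 0700 run dir reached via a symlink."""
    base = os.path.realpath(tempfile.mkdtemp())
    os.chmod(base, 0o755)
    run = os.path.join(base, "var_run_httpd")
    os.mkdir(run)
    os.chmod(run, 0o700)
    link = os.path.join(base, "etc_httpd_run")
    os.symlink(run, link)
    sock = os.path.join(link, "wsgi.sock")  # stand-in file, not a real socket
    open(sock, "w").close()
    # Hypothetical worker identity that is neither owner nor in the group
    uid, gids = os.stat(run).st_uid + 1, {os.stat(run).st_gid + 1}
    before = run in untraversable_dirs(sock, uid, gids)
    os.chmod(run, 0o701)  # same effect as chmod o+x
    after = run in untraversable_dirs(sock, uid, gids)
    return before, after

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the socket path from the error log together with the uid and group ids of the account the server workers run as.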