fedora 4 + apache + forbidden

Raul raul at c3-po.info
Sun Dec 25 09:29:26 UTC 2005

Tim wrote:

>On Fri, 2005-12-23 at 10:55 +0000, Raul wrote:
>>lrwxrwxrwx      1 root   root     13 Dec 22 01:10 ldap -> phpldapadmin/
>>-rw-r--r--      1 root   root     22 Dec 17 21:25 php_info.php
>>drwxrwxr-x      7 apache apache 4096 Dec 21 23:55 phpldapadmin
>>lrwxrwxrwx      1 root   root     20 Dec 17 23:56 phpmyadmin -> phpMyAdmin-2.7.0-pl1
>>drwxr-xr-x      7 apache apache 4096 Dec 22 00:13 phpMyAdmin-2.7.0-pl1
>>drwxr-xr-x      8 apache apache 4096 Dec 17 21:46 scarecrow
>>drwxr-xr-x      2 root   root   4096 Dec 22 01:10 test
>A tip about something else:  
>It's not usually a good idea to put files into the webspace as owned by
>apache.  You're giving the server write access to those files, that way,
>and that may be remotely exploitable.
>Usually, they're owned by someone else, and given world readable, and
>world-executable (where needed) permissions, for the server to allow the
>WWW to see them.
>>As I said, I am having all the defaults on apache (users etc.); however I am
>>not able to access the folder phpldapadmin by http://azul/phpldapadmin,
>>but I do access it via http://azul/ldap which is a soft link to
>>phpldapadmin. The error message I am getting is a simple forbidden. Since
>>I can access it through the link it is not a real problem, but I don't know
>>why I cannot make it through the original.
>>Things I changed on the conf file are
>>    AllowOverride All
>>    UserDir public_html
>>everything else is the defaults.
>>P.S. I am getting the same error when doing http://azul/~user/
>I can't think of the reason for your phpldapadmin access problem off the
>top of my head, but SELinux could be one (particularly with the ~user
>one).  And in the case of the user homespace one, you need to make their
>public_html world readable and executable, and *all* the parent
>directories (right down to /home) world executable, as well as
>appropriate SELinux contexts and rules (if you're using SELinux).


Thanks for your answer, you are right on the 'tip' of ownership. I also 
thought it could be related to SELinux, as this was the case with Samba, 
but I am not too familiar with SELinux; however, it all seems to me to 
be the same, at least at first glance. If I do an ls -Z -d on the html 
folder I get:

[root at azul html]# ls -Z -d *
drwxr-sr-t  sanchez  sanchez  root:object_r:httpd_sys_content_t adds
lrwxrwxrwx  root     root     root:object_r:httpd_sys_content_t ldap -> 
-rw-r--r--  sanchez  sanchez  root:object_r:httpd_sys_content_t php_info.php
drwxrwxrwx  sanchez  sanchez  root:object_r:httpd_sys_content_t phpldapadmin
lrwxrwxrwx  root     root     root:object_r:httpd_sys_content_t phpmyadmin -> phpMyAdmin-2.7.0-pl1
drwxr-xr-x  sanchez  sanchez  root:object_r:httpd_sys_content_t 
drwxr-xr-x  sanchez  sanchez  root:object_r:httpd_sys_content_t scarecrow
drwxr-xr-x  sanchez  sanchez  root:object_r:httpd_sys_content_t test

Or in the ~ folder

ls -Z -d ~sanchez/public_html/
drwxrwsrwt  sanchez  sanchez  root:object_r:httpd_sys_content_t 

Well, I guess I'm gonna have to read much more about SELinux. Thanks again.
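As an added example (not code from the thread or from either poster): a small POSIX shell check of the DAC side of what Tim describes, namely world-execute on every parent directory down to the stop point (e.g. /home), world-read on the content itself, and permissions or ownership that would give the server write access to its own content. It assumes GNU or busybox coreutils (stat -c, readlink -f) and an "apache" server account; check_web_path, other_bits and WEB_USER are names chosen here. It does not inspect SELinux contexts.

```shell
#!/bin/sh
# Added example, not code from the thread: check whether a web server running
# as an unprivileged account could reach and read a path purely through the
# "other" permission bits, and flag content the server account could write.
# Assumes GNU/busybox coreutils (stat -c, readlink -f); the server account
# name is an assumption and defaults to "apache" (Fedora's httpd user).

WEB_USER="${WEB_USER:-apache}"

# other_bits PATH -> the octal digit for "other" (last digit of the mode)
other_bits() {
    m=$(stat -c '%a' "$1")
    printf '%s' "$m" | tail -c 1
}

# check_web_path PATH [STOP_DIR]
# Walks from PATH up to (but not including) STOP_DIR, default "/", and
# requires world-execute on every ancestor directory, world-read (plus
# world-execute for a directory) on PATH itself, and that PATH is neither
# world-writable nor owned by the server account.  Prints each finding;
# returns 0 when clean, 1 otherwise.
check_web_path() {
    target=$(readlink -f "$1")      # resolves symlinks such as ldap -> phpldapadmin
    stop=$(readlink -f "${2:-/}")
    status=0

    # every directory between STOP_DIR and the target needs o+x for traversal
    dir="$target"
    while [ "$dir" != "/" ]; do
        dir=$(dirname "$dir")
        [ "$dir" = "$stop" ] && break
        o=$(other_bits "$dir")
        if [ $(( o & 1 )) -eq 0 ]; then
            echo "parent not world-executable: $dir (mode $(stat -c '%a' "$dir"))"
            status=1
        fi
    done

    # the target itself must be world-readable (and traversable if a directory)
    o=$(other_bits "$target")
    if [ $(( o & 4 )) -eq 0 ]; then
        echo "not world-readable: $target"
        status=1
    fi
    if [ -d "$target" ] && [ $(( o & 1 )) -eq 0 ]; then
        echo "directory not world-executable: $target"
        status=1
    fi

    # either of these lets the server modify the content it serves
    if [ $(( o & 2 )) -ne 0 ]; then
        echo "world-writable: $target"
        status=1
    fi
    if [ "$(stat -c '%U' "$target")" = "$WEB_USER" ]; then
        echo "owned by the server account $WEB_USER: $target"
        status=1
    fi
    return $status
}

# Usage: check_web_path /var/www/html/phpldapadmin
#        check_web_path ~sanchez/public_html /home
```

A clean result from this check together with a persistent Forbidden narrows the cause to the server configuration (Directory/Options blocks, UserDir) or to SELinux, which is what the ls -Z output in the message is for; this script deliberately checks only the classic mode bits and owner.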

More information about the fedora-list mailing list