[rhn-users] 403 forbidden - you don't have permission to access /home/*/public_html on this server
Kelwin Wylie
kwylie at csc.com
Thu Mar 3 19:59:18 UTC 2005
This problem may be caused by SELinux. It is installed by default in RHEL 4 and one of the daemons that is affected is httpd. The Release Notes have a section on httpd where it says:
A file or directory which is not labeled with a context on the
Apache's allowable types will generate a 403 Forbidden error.
Here is a full quote of that section of the release notes.
httpd

o Under the default SELinux security configuration, httpd is covered by the targeted policy. This increases security and Web server stability by specifically granting or denying httpd access to system objects. However, because this has the potential to cause previously-working configurations (such as those that use PHP) to no longer function, you must understand how SELinux works in order to ensure that your configuration is both secure and functional.

For example, a Boolean can be set to give specific permission to httpd to read objects in ~/public_html/ as long as they are labeled with the security context httpd_sys_content_t. The Apache daemon cannot access objects (files, applications, devices, and other processes) that have a security context not specifically granted access by SELinux to httpd.

By allowing Apache access to only what it needs to do its function, the system is protected from compromised or misconfigured httpd daemons.

Because of the need for both standard Linux directory and file permissions as well as SELinux file context labels, administrators and users will need to know about relabeling files. Examples of relabeling include the following commands (one for recursively relabeling the contents of a directory, and one for relabeling a single file):

    chcon -R -h -t httpd_sys_content_t public_html
    chcon -t httpd_sys_content_t public_html/index.html

A file or directory which is not labeled with a context on the list of Apache's allowable types will generate a 403 Forbidden error.

You can configure Boolean values or selectively disable targeted policy coverage for just Apache (or any of the covered daemons) using system-config-securitylevel. Under the SELinux tab, within the Modify SELinux Policy area, you can modify the Boolean values for Apache. If you wish, you can select to Disable SELinux protection for httpd daemon, which disables the transition from unconfined_t (the default type that acts transparently like standard Linux security without SELinux) to the specific daemon type, i.e., httpd_t. Disabling this transition effectively turns off SELinux coverage for that daemon, returning it to standard Linux security only.
-----------
I don't fully understand SELinux and have not looked at its effect beyond reading the release notes, but your description of your problem sounds like it might be this.
Original Message
---------------------------
Date: Thu, 03 Mar 2005 09:55:00 -0500
From: Paul Sielis <psielis at facil.umass.edu>
Subject: [rhn-users] 403 forbidden - you don't have permission to
access /home/*/public_html on this server
To: rhn-users at redhat.com
Message-ID: <002b01c52000$f9188630$41b97780 at facil.umass.edu>
Content-Type: text/plain; charset="iso-8859-1"
I just installed Red Hat V4.0AS on my web server this week with apache v2.0.52.
All my file permissions to and including the directory public_html are 755, including file index.html.
My userdir is pointed to /home/*/public.html
apachectl configtest shows no errors.
Error message is still:
403 forbidden - you don't have permission to access /home/*/public_html on this server
Any ideas or suggestions?
Thank You,
Paul J. Sielis
Information Technologies Network Administrator
Physical Plant Department
University of Massachusetts
360 Campus Center Way
Amherst, Ma 01003-6710
tel: 413-545-4401
cell: 413-530-6326
fax: 413-545-4900
--
Kelwin Wylie
CSC - Nortel Account
Phone: (613) 763-2034 ESN: 393-2034
kwylie at csc.com
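
The release notes quoted above say that httpd needs both standard file permissions and an allowed SELinux type, so a tree that is mode 755 can still return 403. The script below is an added example, not part of the original messages or of Red Hat's documentation: it audits a listing for both conditions separately. It assumes GNU stat's `%A` and `%C` formats, that httpd reaches user files through the "other" permission bits, and that `httpd_sys_content_t` is the only allowed type; the user `alice` and the sample listing are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread). Audits a public_html tree for
# the two independent checks httpd must pass: DAC mode bits and SELinux type.
# Input lines: "<perms> <context> <path>", as printed by
#   find DIR -exec stat -c '%A %C %n' {} +

# Assumption: the only allowed type is the one the release notes name.
ALLOWED_TYPES="httpd_sys_content_t"

# Prints one finding per problem; exit status 1 if anything was found.
audit_listing() {
    awk -v allowed="$ALLOWED_TYPES" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
        perms = $1
        path = $0; sub(/^[^ ]+ [^ ]+ /, "", path)   # keeps spaces in paths
        split($2, f, ":"); type = f[3]              # user:role:type[:level]

        # SELinux check: type must be on the allowed list.
        if (!(type in ok)) { print "LABEL " type " " path; bad = 1 }

        # DAC check (assumes httpd is neither owner nor group, so the
        # "other" bits apply): directories need search, files need read.
        if (substr(perms, 1, 1) == "d") dac_ok = (substr(perms, 10, 1) ~ /[xt]/)
        else                            dac_ok = (substr(perms, 8, 1) == "r")
        if (!dac_ok) { print "DAC " perms " " path; bad = 1 }
    }
    END { exit bad + 0 }'
}

# Constructed sample listing (hypothetical user "alice").
sample_listing() {
    cat <<'EOF'
drwxr-xr-x user_u:object_r:user_home_t /home/alice/public_html
-rwxr-xr-x user_u:object_r:user_home_t /home/alice/public_html/index.html
-rw-r--r-- user_u:object_r:httpd_sys_content_t /home/alice/public_html/about.html
-rw------- user_u:object_r:httpd_sys_content_t /home/alice/public_html/my notes.txt
EOF
}

if [ $# -gt 0 ]; then
    find "$1" -exec stat -c '%A %C %n' {} + | audit_listing
else
    sample_listing | audit_listing || true   # demo run on the constructed input
fi
```

In the sample, the first two entries are world-readable but carry the wrong type (the case described in this thread), while the last has the right type but fails the ordinary permission check.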