CentOS 7 Httpd Permission Problems With Postfixadmin
More joy with CentOS 7.
I am having permission problems with Postfixadmin. I am installing as I have in my notes I did in CentOS6 and it is not working.
I untar Postfixadmin into /usr/share. The owner is root:root (I even tried root:apache). My postfixadmin.conf file has:
alias /mailadmin /usr/share/postfixadmin
AllowOverride AuthConfig
And I get when I try fqdn/mailadmin
You don’t have permission to access /mailadmin on this server.
When I google this message, I am getting that httpd is not allowing me access. I have even added:
allow from all
To the above .conf with no change.
This is not a SELInux problem as I tried ‘setenforce 0’ and still get the error.
It is as if there is some new security setting in httpd for files not in the www dir (default of /var/www/).
Any ideas?
thanks
15 thoughts on - CentOS 7 Httpd Permission Problems With Postfixadmin
More joy with CentOS 7.
I am having permission problems with Postfixadmin. I am installing as I
have in my notes I did in CentOS6 and it is not working.
I untar Postfixadmin into /usr/share. The owner is root:root (I even tried root:apache). My postfixadmin.conf file has:
alias /mailadmin /usr/share/postfixadmin
AllowOverride AuthConfig
I
What is the setting “allowoveride”? What does it mean?
And I get when I try fqdn/mailadmin
You don’t have permission to access /mailadmin on this server.
When I google this message, I am getting that httpd is not allowing me access. I have even added:
allow from all
To the above .conf with no change.
This is not a SELInux problem as I tried ‘setenforce 0’ and still get the error.
It is as if there is some new security setting in httpd for files not in the www dir (default of /var/www/).
Any ideas?
thanks
No, accessing directories outside document root is perfectly acceptable behaviour as far as I can see.
Just to check, you did restart/reload apache after making the changes?
What do the apache logs say about it? That will tell you if it’s a permissions problem or a redirection issue.
P.
It tells apache to obey .htaccess files in the document directory – in other words it “allows” the .htaccess file to “override” the configured parameters. The arguments to it say what subset of commands can be overridden – AuthConfig allows authorisation configuration.
P.
https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride
This has been in the default postfixadmin.conf for many years.
From error.log:
[Fri Feb 17 12:56:33.478024 2017] [authz_core:error] [pid 5759] [client
192.168.160.12:48290] AH01630: client denied by server configuration:
/usr/share/postfixadmin
Which is:
4 drwxrwxr-x. 17 root apache 4096 Feb 16 19:33 postfixadmin
I originally had ownership of root:root. Same error.
So it’s an authorisation issue. In your .htaccess file change
Order allow,deny
Allow from all
to the apache 2.4 version
Require all granted
See http://httpd.apache.org/docs/2.4/upgrading.html
P.
Thing is, I don’t have an .htaccess file ANYWHERE on this system. I
checked.
I’ll make one.
Not there still. In /var/www/html I created .htaccess:
# ls -lstra total 12
4 drwxr-xr-x. 4 root root 4096 Feb 6 16:06 ..
4 drwxr-xr-x. 2 root root 4096 Feb 17 13:32 .
4 -rw-r–r–. 1 root apache 21 Feb 17 13:32 .htaccess
# cat .htaccess
Require all granted
restarted httpd, and still get the error.
[Fri Feb 17 13:36:17.366525 2017] [authz_core:error] [pid 5844] [client
192.168.160.12:48370] AH01630: client denied by server configuration:
/usr/share/postfixadmin
Does the conf file that contains the “/usr/share/postfixadmin” alias also contain a Directory block? Something like this:
Alias /postfixadmin /usr/share/postfixadmin
…stuff here…
Look for the old style “Order Deny,Allow” and “Deny from All” and remove them if it does, and put the “Require all granted” there.
Al McCann
Robert Moskowitz wrote:
Do you have an authz.conf file?
mark
No authz.conf anywhere on the system. Thanks for the advice, but I got it now.
My memory may be flawed, but I think the .htaccess is a hidden file just change its properties.
john
Yes, it is hidden, but ‘ls -lsa’ will show it. And mlocate’s updatedb finds them as in:
# locate .bash_history
/home/rgm/.bash_history
/root/.bash_history
which is another hidden file.
I use locate a lot. ‘Where did I put the that write up on xyz?’ Locate with grep are my friends.
That’s not how the .htaccess file works. It needs to be in the directory specified in the postfixadmin.conf file – i.e. the configuration
AllowOverride AuthConfig
means to look in the .htaccess file in /usr/share/postfixadmin when accessing any file in that directory (and below) for authorisation information.
Putting it in /var/www/html will have no effect.
P.
If you don’t have a .htaccess file, then why have the AllowOverride directive in the .conf file?
Putting AllowOverride in means that every time apache retrieves a file from that directory, *and every directory below*, it will look for a
.htaccess file in the current directory, and every directory above
(until it reaches the original directory). It doesn’t cache the information (because it can change), so it means a significant increase in the amount of disk activity for each page. It also provides another attack surface for naughty people.
So in general if you don’t use, or intend to use, .htaccess files, then don’t put in the AllowOverride directive.
P.