Help With Httpd Userdir Recovery


I lost my harddrive on my little personal webserver that only serves some private files from my userdir.

So I am trying to build this from notes on a new CentOS7.3 installation
(well really CentOS7.3-arm, but supposedly same sources).

Right now the server is running on a test subnet, not the production, but I have set up the hostname and my standard httpd edits. I have enabled userdir and set up my /home/rgm/public_html directory with 711 permissions.

I can display the /home/rgm/public_html/index.html file that only has
"Hello World" in it (to prevent anyone from walking my file tree from the root).

But when I try to display the files in a subdir with ipaddr/~rgm/mydir

I get

You don’t have permission to access /~rgm/mydir/ on this server.

So obviously I have forgotten something that I did not put into my notes, or something has changed from CentOS6.

I have tried both:


AllowOverride FileInfo AuthConfig Limit Indexes
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS

which is what the current /etc/httpd/conf.d/userdir.conf has, and what I
have in my notes:


# AllowOverride FileInfo AuthConfig Limit
# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec

Order allow,deny
Allow from all


Order deny,allow
Deny from all

Neither seems to make a difference.

Thank you for your assistance.

36 thoughts on - Help With Httpd Userdir Recovery

  • Hello Robert,

    To prevent people walking a directory structure you had better disable Options Indexes.

    The fact that you see the index page makes me assume SELinux is not the problem. If you do have it enabled you might want to check out the sebooleans that affect apache.

    $ getsebool -a | grep http

    httpd_enable_homedirs is one of those.

    Remember that file access is based on file permissions in combination with file ownership. This means that if apache is neither owner nor group owner of a file, the world must have read access for apache to access such files. A 711 permission on a directory is then insufficient. It allows apache to cd to, but not read, the directory.

    Regards, Leonard.

  • If I tell someone about ~rgm/mydir (really no such dir), then I want them to find ~rgm/mydir/subdir, but not know about ~rgm/otherdir.

    My understanding (most likely flawed) is that Indexes are needed to see the list of files in mydir, and to be able to walk down to subdir. By having a ~rgm/index.html file, they can’t query what other files are directly in the public_html directory.

    I ran

    setsebool -P httpd_enable_homedirs on
    restorecon -Rv /home

    And I see:

    httpd_enable_homedirs --> on

    The owner is rgm:rgm, but the permissions are 755, not 711.

    So still scratching my head here..

  • Is the error message you mention displayed in the browser? Have you looked into the logging produced by the web server itself?
    John

  • That was what the browser showed. The error_log is:

    [Tue Dec 27 12:42:57.513529 2016] [authz_core:error] [pid 2060] [client
    192.168.160.12:41588] AH01630: client denied by server configuration:
    /home/rgm/public_html/mydir/

  • Hello Robert,

    Correct.

    Incorrect. The index is a convenience. Without it directories with the right permissions are still accessible with a direct url. So there’s not much point enabling indexes when you use an index file to avoid the index showing up…

    The man page for restorecon explicitly states it does not follow symlinks, and it might not cross file system boundaries either, so make sure they are not causing your issue.

    You have to make sure apache can access the whole path, meaning you need at least o+x on all directories in the path. This is quite likely *not* the case for /home/rgm.

    Regards, Leonard.

  • No symlinks.

    So I deleted the whole public_html directory. Re-moved the files over.
    I went back to the default user_dir setup of:


    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS

    Restarted httpd and tried again. I get my ~/public_html/index.html to display, but cannot get a directory list to display. I can display a file.
    If I list a specific jpg in one of the directories it comes up ok, but I am not getting the listing option.

    access_log:

    192.168.160.12 – – [27/Dec/2016:16:53:00 -0500] “GET
    /~rgm/cubieboard/cubietower-2.JPG HTTP/1.1” 200 1450256 “-” “Mozilla/5.0
    (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0”
    192.168.160.12 – – [27/Dec/2016:16:53:08 -0500] “GET /~rgm/cubieboard/
    HTTP/1.1” 403 218 “-” “Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0)
    Gecko/20100101 Firefox/50.0”

    error_log:

    [Tue Dec 27 16:53:08.858042 2016] [negotiation:error] [pid 1965]
    (13)Permission denied: [client 192.168.160.12:55644] AH00686: cannot read directory for multi: /home/rgm/public_html/cubieboard/

    So I have the permissions right to retrieve files. Something is wrong for displaying the directory list.

    :(

  • That error should be caused by having MultiViews options but incorrect permissions (711 instead of 755) on the directory.

    John

  • Are you actually using MultiViews? If you don’t need that option, maybe the easiest thing is to take it out and see if the error message changes. John

  • I am using the default conf file for userdir.

    /etc/httpd/conf.d/userdir.conf

    So I deleted MultiViews and now the error is:

    [Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138]
    (13)Permission denied: [client 192.168.160.12:55762] AH01275: Can’t open directory for index: /home/rgm/public_html/family/

  • I know this is not going to help, but that error means that apache does not have access to read the directory /home/rgm/public_html/family/. That doesn’t really fit with the rest of the evidence, that you have chmod 755 everything from /home/rgm/public_html downwards and that apache can read specific files from /home/rgm/public_html. John

  • Here is a small test program that you can use to check the permissions.

    You can compile it with:

    cc -o test test.c

    then run it with:

    ./test apache /home/rgm/public_html/family/

    where apache is the name of the user that your web server runs under
    (check it with ps -ef | grep http). You should run it as root (or from sudo).

    John

    ——test.c—–

  • This is on CentOS7-arm, so I will have to install all the build stuff, and hopefully won’t take too long to compile….

    Tomorrow most likely.

  • Which is why I wonder if there is some different config for the C7.3 version of apache.

    Or something with the C7-arm build…

  • I’m not sure if it is worth installing a build system just for this unless you need it for other stuff. Maybe other lines of investigation will bring up something.

    John

  • Robert, but is apache allowed access to /home/rgm ?
    Try su - apache -s /bin/bash to run a shell as apache and see how far you get, starting from cd /home and, if that works, cd /home/rgm and so on... That will check normal user permissions, but not selinux.
    /Louis
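
Leonard's rule above (every directory in the path needs the search bit, and the final directory also needs the read bit for a listing), John's offered test program and Louis's su-as-apache walk can be combined into one check. The script below is an added example, not code from this thread; it assumes GNU coreutils stat, takes the web server user name as an argument, and treats a user that id(1) cannot resolve as belonging to no group, so the "other" bits apply.

```shell
#!/bin/sh
# Walk a path the way httpd would and report which directory component
# blocks the named user. Uses the owner bits if the user owns the entry,
# the group bits if the user is in its group, otherwise the "other" bits.
# Assumes GNU coreutils (stat -c). A user that id(1) cannot resolve is
# treated as belonging to no group, so the "other" bits apply.

# Print the rwx triple that applies to USER on PATH (e.g. "r-x").
perm_bits_for() {
    user="$1"; path="$2"
    owner=$(stat -c '%U' "$path")
    group=$(stat -c '%G' "$path")
    mode=$(stat -c '%A' "$path")          # e.g. drwxr-x--x
    if [ "$owner" = "$user" ]; then
        printf '%s\n' "$mode" | cut -c2-4
    elif id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        printf '%s\n' "$mode" | cut -c5-7
    else
        printf '%s\n' "$mode" | cut -c8-10
    fi
}

# Every ancestor needs the search bit (x) to be traversed; the final
# directory also needs the read bit (r) for autoindex/MultiViews to list it.
# Prints one line per component and returns 0 only if every check passes.
check_path_access() {
    user="$1"; target="$2"; rc=0
    list=""; d="$target"
    while [ "$d" != "/" ]; do list="$d $list"; d=$(dirname "$d"); done
    for d in / $list; do
        bits=$(perm_bits_for "$user" "$d")
        case "$bits" in
            ??[xst]) printf 'ok    %-40s %s search\n' "$d" "$bits" ;;
            *)       printf 'FAIL  %-40s %s no search bit for %s\n' "$d" "$bits" "$user"
                     rc=1 ;;
        esac
    done
    bits=$(perm_bits_for "$user" "$target")
    case "$bits" in
        r??) printf 'ok    %-40s %s readable, listing allowed\n' "$target" "$bits" ;;
        *)   printf 'FAIL  %-40s %s not readable: named files still served, index denied\n' \
                 "$target" "$bits"
             rc=1 ;;
    esac
    return "$rc"
}

# Example invocation (run as root so every directory can be stat'ed):
# check_path_access apache /home/rgm/public_html/family
```

A 711 on the final directory produces exactly the split seen in the thread: a directly named file is served while the listing is denied. SELinux is a separate layer, so a path that passes here can still be blocked by a denied AVC.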

  • I really did not read your instructions well enough. I got it this time and followed it.

    I had no problem CDing all the way up the /home tree, doing ‘ls’ along the way.

    So normal user permissions work. I have to check out selinux as Todor recommended.

    There was/is some sort of selinux issue with this C7-arm image. I will post all of that in a separate message. Plus some posts on the CentOS-arm list will be needed.

    Bob

  • Good advice. As I suspect the problem is with SELinux.

    So I tried an access. What follows is the access_log entry, the error_log entry and the 3 entries in the audit.log:

    192.168.160.12 – – [28/Dec/2016:11:59:10 -0500] “GET /~rgm/family/
    HTTP/1.1” 403 214 “-” “Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0)
    Gecko/20100101 Firefox/50.0”

    [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
    (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can’t open directory for index: /home/rgm/public_html/family/

    type=AVC msg=audit(1482944350.289:339): avc: denied { read } for pid!41 comm=”httpd” name=”family” dev=”sda3″ ino&2199
    scontext=system_u:system_r:httpd_t:s0
    tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0

    type=SYSCALL msg=audit(1482944350.289:339): arch@000028 syscall22
    per

  • Robert Moskowitz wrote:
    Bang. I would suggest, at this point, that you might want to set selinux into permissive mode, so you’ll get the error messages from it, and can work out fixes, but will let your system operate as you intend. setselinux 0

    Note that this is *temporary*, and will revert on reboot. To make it permanent, you’d need to edit /etc/selinux/config.

    mark

  • Thanks, Mark, I was just getting around to that way of thinking.

    The command, at least on my CentOS7-arm system is

    setenforce 0

    And presto, it works. So now to figure out what is wrong with SELinux on this image.

  • Have you got the setroubleshoot-server package installed? For x86_64 it is part of the base repository, obviously arm may differ. The package installs a “SELinux Troubleshooter” entry in the Applications/Sundry menu, or it can be launched via:

    # /usr/bin/python -Es /usr/bin/sealert -s

    It generates suggestions to fix SELinux issues. Sometimes it is quite useful, on other occasions it just lists vast numbers of possibilities with little or no help. On balance it is worth trying for when it does help.

  • No GUI in the base image. And on arm, we tend to use Xfce.

    no sealert bin file, so it is off to install it.

    I have never had it make useful suggestions to me on my notebook, but we will see...

    so here is what happens after I install it:

    # /usr/bin/python -Es /usr/bin/sealert -s
    Opps, sealert hit an error!

    Traceback (most recent call last):
      File "/usr/bin/sealert", line 651, in <module>
        import gtk
    ImportError: No module named gtk

    If it needs a GUI, then that won’t work here. Headless system.

  • Sorry, missed the no GUI if it was mentioned earlier. You _might_ get away with SSH -Y from a workstation but you might end up wasting time. No guarantees I’m afraid. :-) Martin

  • # yum install setroubleshoot
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
    No package setroubleshoot available.
    Error: Nothing to do

    :(

  • Never mentioned it. I have not checked to see what GUI has been ported to try and load something. I *DO* use Xfce with Fedora-arm systems.
    But I would have to hook this little server up to such.

    Yeah, SSH -Y can be such fun with a headless system.

  • # getsebool httpd_enable_homedirs
    httpd_enable_homedirs --> on

    This was mentioned earlier. One thing I did not mention was when I ran the set command, I also got back the following, which I have gotten on all selinux changes:

    # setsebool -P httpd_enable_homedirs on
    [ 8192.799162] SELinux: Class binder not defined in policy.
    [ 8192.804646] SELinux: the above unknown classes and permissions will be allowed

    Other than some SELinux guru pointing me to things to do, I will probably have to wait until the C7-arm builders chime in on the CentOS-arm list.

  • The first time was when I did the yum update after the basic image install, adding chronyd to keep time, and enabling selinux. Then again when I changed the SSH port and finally when setting up userdir.

    To test if it was the yum update would take setting up another image.
    Not too hard, but I am scheduled to go away for the weekend.

  • I ran into the same problem, I think. I ran “audit2why” and passed in the AVC. It suggested a pair of booleans I’ve never seen before.

    # audit2why type=AVC msg=audit(1483077583.703:1539671): avc: denied { read } for pid162 comm=”httpd” name=”courier-pythonfilter” dev=”dm-0″
    inoS3228 scontext=system_u:system_r:httpd_t:s0
    tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir

    Was caused by:
    One of the following booleans was set incorrectly.
    Description:
    Allow httpd to read user content

    Allow access by executing:
    # setsebool -P httpd_read_user_content 1
    Description:
    Allow httpd to unified

    Allow access by executing:
    # setsebool -P httpd_unified 1
    # setsebool -P httpd_read_user_content 1

    … and setting one of them fixed the problem.

    I don’t see a bug filed for this. Can anyone else confirm that httpd_enable_homedirs doesn’t work as it did before 7.3? I suspect it’s not widely used and the bug may not have been noticed yet.
