giving /var/www/site1 to www-data:www-data crashes all WP sites on server - linux

-- See Tl;dr below for a short version --
On my ubuntu-16.04 droplet apache2 and php7 both use the user www-data. At some point all three installations of wordpress-4.7.2 seemingly without reason started asking for FTP credentials, indicating they don't have sufficient rights. Each wp instance has its own mysql database.
I tried to solve this for /site1 with
sudo chown www-data:www-data /var/www/site1/* -R
which shouldn't change anything as this is how the permissions were set already. For whatever reason this caused the browser to return a
HTTP ERROR 500
for the sites in /var/www/site1, /var/www/site2 and /var/www/site3 – nothing works anymore.
The only way I've found to get out of this is to restore the droplet. But each time I try to get the permissions right, I end up with all sites down again.
These are the current permission settings:
drwxr-xr-x 14 root root 4096 Feb 3 XX:14 /var/
drwxrwxr-x 8 www-data www-data 4096 Mar 5 XX:27 /var/www/
drwxr-sr-x 3 www-data www-data 4096 Mar 5 XX:13 /var/www/site1/
drwxrwxr-x 3 www-data www-data 4096 Feb 25 XX:51 /var/www/site2/
drwxrwxr-x 3 www-data www-data 4096 Feb 28 XX:06 /var/www/site3/
The sudo user is member of www-data:
user1@droplet:~$ members www-data
www-data user2 user1
A freshly installed Theme on /site1 caused dozens of PHP Fatal errors like this one:
[Sun Mar 05 19:24:04.003189 2017] [:error] [pid 5632] [client 31.10.138.238:50870]
PHP Fatal error: Uncaught Error: Call to undefined function mysql_escape_string()
in /var/www/site1/html/wp-content/themes/gloria/functions.php:60\nStack trace:\n#0
/var/www/site1/html/wp-settings.php(425): include()\n#1 /var/www/bw/html/wp-config.php(89):
require_once('/var/www/site1/htm...')\n#2 /var/www/bw/html/wp-load.php(37):
require_once('/var/www/site1/htm...')\n#3 /var/www/bw/html/wp-admin/admin.php(31):
require_once('/var/www/site1/htm...')\n#4 /var/www/bw/html/wp-admin/themes.php(10):
require_once('/var/www/site1/htm...')\n#5 {main}\n thrown in
/var/www/site1/html/wp-content/themes/gloria/functions.php on line 60
After deleting the theme, /site1 went back online. I have no idea why. The first two times I ended up restoring the droplet because of
HTTP ERROR 500
this theme wasn't involved. Even though /site1 is back up, /site2 and /site3 remain stuck with
HTTP ERROR 500
Since the removal of the theme in /site1 the Apache Error Log doesn't have any suspicious entries:
[Sun Mar 05 19:56:35.456584 2017] [mpm_prefork:notice] [pid 1671] AH00171: Graceful restart requested, doing restart
[Sun Mar 05 19:56:35.662742 2017] [mpm_prefork:notice] [pid 1671] AH00163: Apache/2.4.18 (Ubuntu) configured -- resuming normal operations
[Sun Mar 05 19:56:35.662765 2017] [core:notice] [pid 1671] AH00094: Command line: '/usr/sbin/apache2'
Any ideas?
Edit: An instance of ActiveCollab in /var/www/site2/activecollab/ never stopped working during the whole issue. All connection and permission checks done by ActiveCollab for its own files, folders and database are positive.
Tl;dr: WP1 asks for FTP, I say
sudo chown www-data:www-data /var/www/site1/* -R
WP1, WP2 and WP3 tell the browser to
HTTP ERROR 500
while ActiveCollab in a subfolder of WP2 doesn't give a sh*t and keeps running.

Try these
sudo chmod -R 774 /var/www/yourwordpressfolder
And then
sudo chown -R www-data:www-data /var/www/yourwordpress
Finally
sudo chmod -R 777 /var/www/yourwordpressfolder
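Added example (editor's, not code from the question or the answer above): a least-privilege layout for a WordPress document root, plus a check that reports the two things the thread's symptoms point at. WordPress falls back to asking for FTP credentials when the uid PHP runs as (www-data here) does not own the files it wants to write, so ownership is what resolves the prompt; a blanket chmod -R 777 also lets any other local account or compromised service rewrite wp-config.php and the PHP code. The script assumes Linux with GNU find/stat and is meant to run as root against a real site; the owner:group and paths are parameters, nothing is hard-wired to the poster's server.

```shell
#!/bin/sh
# Added example, not from the thread: least-privilege permissions for a
# WordPress tree and a check for the problems the thread describes.
# Assumptions: Linux, GNU find/stat, run as root for a real document root.

# harden_wp_tree DIR OWNER:GROUP
#   directories 755, files 644, wp-config.php 640. The owner (the uid PHP
#   runs as) can write wherever WordPress needs to; nobody else can.
harden_wp_tree() {
    dir=$1; owner=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # chown the directory itself rather than "$dir/*": the glob skips dotfiles
    # such as .htaccess, and with -R the directory form covers everything.
    chown -R "$owner" "$dir" || return 1
    find "$dir" -type d -exec chmod 755 {} + || return 1
    find "$dir" -type f -exec chmod 644 {} + || return 1
    if [ -f "$dir/wp-config.php" ]; then
        chmod 640 "$dir/wp-config.php" || return 1   # holds the DB password
    fi
}

# check_wp_tree DIR WEBUSER
#   prints one finding per problem; returns 1 if there were any.
check_wp_tree() {
    dir=$1; web=$2; rc=0
    # anything world-writable: any local account could plant PHP here
    ww=$(find "$dir" ! -type l -perm -002)
    if [ -n "$ww" ]; then printf 'world-writable:\n%s\n' "$ww"; rc=1; fi
    # anything not owned by the PHP uid: this is what triggers the FTP prompt
    foreign=$(find "$dir" ! -user "$web")
    if [ -n "$foreign" ]; then printf 'not owned by %s:\n%s\n' "$web" "$foreign"; rc=1; fi
    # the config must not be readable by every local account
    if [ -f "$dir/wp-config.php" ] && [ -n "$(find "$dir/wp-config.php" -perm -004)" ]; then
        echo "wp-config.php is world-readable"; rc=1
    fi
    return $rc
}

# Usage on the layout from the question (as root):
#   harden_wp_tree /var/www/site1 www-data:www-data && check_wp_tree /var/www/site1 www-data
```

If a deploy account in the www-data group needs to write too, loosen only wp-content (775) rather than the whole tree; wp-config.php and the core PHP files never need to be writable by the web server for the FTP prompt to go away, only owned by it.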


Tomcat is not getting started: Permission denied

I am getting below error when trying to start the tomcat using systemd service
systemd[1]: tomcat.service: Failed to execute command: Permission denied
systemd[1]: tomcat.service: Failed at step EXEC spawning /opt/tomcat/bin/startup.sh: Permission denied
Below is my tomcat.service configuration
[Unit]
Description=Apache Tomcat Web Application Container
After=syslog.target network.target
[Service]
Type=forking
Environment=JAVA_HOME=/usr/lib/jvm/jre
Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/bin/kill -15 $MAINPID
User=tomcat
Group=tomcat
[Install]
WantedBy=multi-user.target
These are my permission on files in the bin directory
drwxrwx---. 2 tomcat tomcat 4096 Mar 22 05:56 .
drwx------. 9 tomcat tomcat 276 Mar 22 05:58 ..
-rw-r-----. 1 tomcat tomcat 35071 Mar 11 09:33 bootstrap.jar
-rw-r-----. 1 tomcat tomcat 15953 Mar 11 09:33 catalina.bat
-rwxr-x--x. 1 tomcat tomcat 23792 Mar 11 09:33 catalina.sh
-rw-r-----. 1 tomcat tomcat 1664 Mar 11 09:36 catalina-tasks.xml
-rw-r-----. 1 tomcat tomcat 2123 Mar 11 09:33 ciphers.bat
-rwxr-x--x. 1 tomcat tomcat 1997 Mar 11 09:33 ciphers.sh
-rw-r-----. 1 tomcat tomcat 25197 Mar 11 09:33 commons-daemon.jar
-rw-r-----. 1 tomcat tomcat 206895 Mar 11 09:33 commons-daemon-native.tar.gz
-rw-r-----. 1 tomcat tomcat 2040 Mar 11 09:33 configtest.bat
-rwxr-x--x. 1 tomcat tomcat 1922 Mar 11 09:33 configtest.sh
-rwxr-x--x. 1 tomcat tomcat 8675 Mar 11 09:33 daemon.sh
-rw-r-----. 1 tomcat tomcat 2091 Mar 11 09:33 digest.bat
-rwxr-x--x. 1 tomcat tomcat 1965 Mar 11 09:33 digest.sh
-rw-r-----. 1 tomcat tomcat 3606 Mar 11 09:33 makebase.bat
-rwxr-x--x. 1 tomcat tomcat 3382 Mar 11 09:33 makebase.sh
-rw-r-----. 1 tomcat tomcat 3460 Mar 11 09:33 setclasspath.bat
-rwxr-x--x. 1 tomcat tomcat 3708 Mar 11 09:33 setclasspath.sh
-rw-r-----. 1 tomcat tomcat 2020 Mar 11 09:33 shutdown.bat
-rwxr-x--x. 1 tomcat tomcat 1902 Mar 11 09:33 shutdown.sh
-rw-r-----. 1 tomcat tomcat 2022 Mar 11 09:33 startup.bat
-rwxr-x--x. 1 tomcat tomcat 1904 Mar 11 09:33 startup.sh
-rw-r-----. 1 tomcat tomcat 49372 Mar 11 09:33 tomcat-juli.jar
-rw-r-----. 1 tomcat tomcat 419428 Mar 11 09:33 tomcat-native.tar.gz
-rw-r-----. 1 tomcat tomcat 4574 Mar 11 09:33 tool-wrapper.bat
NOTE: I am able to start the tomcat using sudo ./startup.sh command by navigating to bin directory
Can you check your /opt and /opt/bin permissions
Looks like
chmod a+rx /opt /opt/tomcat/ /opt/tomcat/bin
should help
I suppose you followed one of the many copied online tutorials where the tomcat user is made with /opt/tomcat/ as its home directory by using something similar to:
sudo useradd -d /opt/tomcat -s /sbin/nologin tomcat
SELinux is preventing applications from being launched from a home directory, with a message like the following in /var/log/audit/audit.log
type=AVC msg=audit(1614250994.710:33614): avc: denied { execute } for pid=60244 comm="(artup.sh)" name="startup.sh" dev="dm-3" ino=19000615 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
I don't believe the tomcat user needs a home folder, so either remove it from an existing user with:
sudo usermod -d / tomcat
Or create your new user with the following instead:
sudo useradd -M -s /sbin/nologin tomcat
Reset the SELinux properties with the following afterwards:
sudo restorecon -rv /opt/tomcat
I encountered the same problem and fixed it with restorecon.
I don't know if the reason the problem happened is the same as in the original question, but I think it depends on how Tomcat was installed.
In general, we download the tar.gz into a temp directory and run tar xzvf there. Next, we move it to /opt or /usr/local. If we use mv, the SELinux context is not changed, so permission denied happens; but you can change it with restorecon. If we use cp -R, the SELinux context is changed, and permission denied does not happen.
In case someone follows the google links to get here, there were three problems in my case that prevented Tomcat 9 (installed from TAR file) from starting on a RHEL 8 system that has CIS recommended security lock-downs on it. I think the DoD STIGs are similar, but not sure. I had the exact same messages in the system journal that the OP did.
First, our security folks went overboard and added the "noexec" option to the mount that the Tomcat was on, which is a separate partition and LVM volume for both security and organizational reasons. I had to modify the mount by removing the "noexec" option in the "/etc/fstab" file, to wit:
Before:
/dev/mapper/vg01-mymount /mymount xfs defaults,nodev,noexec 0 0
After:
/dev/mapper/vg01-mymount /mymount xfs defaults,nodev 0 0
Second, I found they had installed the "fapolicyd" daemon, and that acts like an application allow-listing for execution and access to files. Instead of using the standard method of adding individual binaries to a list in "/etc/fapolicyd/fapolicyd.trust", or creating files in the "/etc/fapolicyd/trust.d/" directory, I followed recommendations from this reply on a blog entry here: https://computingforgeeks.com/install-apache-tomcat-9-on-linux-rhel-centos/#comment-7841 . This is the coward's way out, by adding all policy permissions for the tomcat user to access the whole tomcat directory, and depending on file-level permissions to do the security from there:
allow perm=any uid=tomcat gid=tomcat : dir=/mymount/tomcat/
I'm not really sure this will pass scrutiny with any security policies where you work, but it gets the thing running. Individual rules for fapolicyd can be made to run specific files, certain MIME types, read-only on whole directories, etc. The major flaw I found is that the logging from the daemon is less than stellar (or non-existent in my case), and left me scratching my head for a couple days as to what was blocking Tomcat starting. Just knowing fapolicyd is installed is half the battle won.
Third, checking SELinux reports (aureport binary) showed that the systemd binary context of "init_t" did not have permission to execute files in the Tomcat dir because they had the wrong context ("default_t"). Here I only changed the context of the script files in /tomcat/bin/ to "initrc_exec_t", which also may be bad, but it worked without disabling SELinux or doing weird things like compile a new SELinux policy file that allowed that access (i.e. allow init_t to execute default_t files, which seems like it would be much worse). I used a similar command set to the below:
semanage fcontext --add --type initrc_exec_t /mymount/tomcat/bin/startup.sh
semanage fcontext --add --type initrc_exec_t /mymount/tomcat/bin/shutdown.sh
semanage fcontext --add --type initrc_exec_t /mymount/tomcat/bin/catalina.sh
semanage fcontext --add --type initrc_exec_t /mymount/tomcat/bin/setclasspath.sh
semanage fcontext --add --type initrc_exec_t /mymount/tomcat/bin/setenv.sh
restorecon -rv /mymount/tomcat/
I don't know if it needed the last three (catalina.sh, setclasspath.sh, setenv.sh), but I added them to be sure. This fixed my issue with systemd.

How to Debug Localhost - This Site Can't Be Reached

I setup LAMP on my MacOS computer using the https://getgrav.org/blog/macos-mojave-apache-upgrade-homebrew tutorial series.
It works for a month or two and then suddenly (without any changes made to config) it will stop working.
This site can’t be reached
localhost refused to connect.
ERR_CONNECTION_REFUSED
The last time this happened I gave up and re-installed from scratch. I don't want to have to do this each time it stops working.
Here is what I've tried so far this time:
jackrobson$ ps -aef | grep httpd
501 84635 459 0 5:03pm ttys000 0:00.00 grep httpd
jackrobson$ sudo apachectl -k restart
jackrobson$ tail -f /usr/local/var/log/httpd/error_log
[Sun Sep 16 14:43:22.548017 2018] [mpm_prefork:notice] [pid 74] AH00173: SIGHUP received. Attempting to restart
[Sun Sep 16 14:43:22.635379 2018] [mpm_prefork:notice] [pid 74] AH00163: Apache/2.4.34 (Unix) PHP/7.0.31 configured -- resuming normal operations
[Sun Sep 16 14:43:22.635437 2018] [core:notice] [pid 74] AH00094: Command line: '/usr/local/opt/httpd/bin/httpd -D FOREGROUND'
My /usr/local/etc/httpd/extra/httpd-vhosts.conf looks like:
<VirtualHost *:80>
DocumentRoot "/Users/jackrobson/Projects"
ServerName localhost
</VirtualHost>
As you can see, the last error was over two weeks ago. No errors today even though I'm getting the ERR_CONNECTION_REFUSED error.
Any suggestions will be greatly appreciated.
Got it working, these are the commands that I did before it worked:
jackrobson$ sudo apachectl stop
jackrobson$ sudo launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist 2>/dev/null
jackrobson$ brew services restart httpd
==> Successfully started `httpd` (label: homebrew.mxcl.httpd)

Trying to make virtual host in xampp on CENTOS 7

I tried yesterday to make a virtual host.
I did a few steps to make it:
I removed the hash (#) in /opt/lampp/etc/extra/; now it's:
# Virtual hosts
Include etc/extra/httpd-vhosts.conf
I edited /opt/lampp/etc/extra/httpd-vhosts.conf to this:
I created a directory for pic.localhost with 3 commands as root:
mkdir /opt/lampp/pictures/
chown -R daemon:daemon /opt/lampp/pictures/
chmod -R 770 /opt/lampp/pictures/
I added the following line to the /etc/hosts file:
127.0.0.1 pic.localhost
I restarted XAMPP (version 5.6.8) and it's not working. What did I do wrong?
log file picture-access_log shows:
5.29.203.187 - - [01/Jul/2015:18:04:07 +0300] "GET / HTTP/1.1" 403 1036
log file picture-error_log shows:
[Wed Jul 01 18:04:07.173810 2015] [authz_core:error] [pid 24261]
[client 5.29.203.187:57710] AH01630: client denied by server
configuration: /opt/lampp/pictures/

How to allow Apache and MapServer access to data on different file system?

I have a large hard drive on which I would like to store data for MapServer (runs as a cgi-bin under Apache), but I am running into errors when trying to access the data.
When I try to access anything in /bac/data/gis using MapServer I get:
msDrawMap(): Image handling error. Failed to draw layer named 'world'. msShapefileOpen(): Unable to access file. (/var/www/html/gis/world.shp) msShapefileOpen(): Unable to access file. (/bac/data/gis/global/world.shp)
From the MapServer log file:
[Fri Aug 2 01:12:15 2013].100850 CGI Request 1 on process 28658
[Fri Aug 2 01:12:15 2013].105687 msDrawMap(): rendering using outputformat named png (AGG/PNG).
[Fri Aug 2 01:12:15 2013].105731 msDrawMap(): WMS/WFS set-up and query, 0.000s
[Fri Aug 2 01:12:15 2013].105819 msShapefileOpen(): Unable to access file. (/bac/data/gis/global/world.shp)
[Fri Aug 2 01:12:15 2013].105838 msShapefileOpen(): Unable to access file. (/var/www/html/gis/world.shp)
[Fri Aug 2 01:12:15 2013].105848 msDrawMap(): Image handling error. Failed to draw layer named 'world'.
[Fri Aug 2 01:12:15 2013].106077 mapserv request processing time (msLoadMap not incl.): 0.005s
[Fri Aug 2 01:12:15 2013].106085 msFreeMap(): freeing map at 0x1bdfde0.
I also tried accessing the data directly using Apache to see if it could read anything in /bac/data/gis. This was done by adding Alias and Directory directives to the httpd.conf file.
This too failed, with the following error message in the httpd error log:
[Thu Aug 01 22:52:37 2013] [error] [client 192.168.0.1] (13)Permission denied: access to /gis/ denied (filesystem path '/bac') because search permissions are missing on a component of the path
The file system is mounted as "/bac" and the data is in /bac/data/gis.
My httpd directories are /var/www/[html cgi-bin]/.
I have ensured +x permission on all directories in the /bac/data/gis path. I also disabled SELinux, as this is generally the first thing I try when facing an access-denied situation.
Is it possible to access data on another file system using Apache and cgi-bin scripts such as MapServer?
As arkascha pointed out, the mount points and filesystems are irrelevant when considering access permissions. You should check that your apache user has access to those files:
user@host$ sudo su apache (apache may need to be replaced by httpd, www-data, check your apache config file to see under which user apache runs)
apache@host$ ls /bac/data/gis/global/world.shp
If the ls command returned a permission error, you have determined the cause of your error. In that case check that the permissions on /bac/data/gis/global/world.shp have "+r" for apache (that will probably be for the "others"), and that all the intermediate directories have +x.
sudo chmod o+r /bac/data/gis/global/world.*
sudo chmod o+x /bac
sudo chmod o+x /bac/data
sudo chmod o+x /bac/data/gis
sudo chmod o+x /bac/data/gis/global

(13)Permission denied: access to /cgi-bin/test.cgi denied

I am trying out CGI scripts for the first time but without success. I have read many tutorials and followed many threads in different forums but I cannot make it work.
I am using an Apache web server on a Fedora 10 machine.
I always have a problem with
[Wed Oct 21 20:47:36 2009] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Wed Oct 21 20:47:36 2009] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Wed Oct 21 20:47:36 2009] [notice] Digest: generating secret for digest authentication ...
[Wed Oct 21 20:47:36 2009] [notice] Digest: done
[Wed Oct 21 20:47:36 2009] [notice] Apache/2.2.11 (Unix) DAV/2 PHP/5.2.9 mod_ssl/2.2.11 OpenSSL/0.9.8g configured -- resuming normal operations
I need help.
This is what my environment looks like.
uname -a
Linux localhost.localdomain 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686 i386 GNU/Linux
ls -l /var/www/cgi-bin/
total 36
-rwxrwxrwx 1 root root 106 2009-10-21 18:29 index.html
-rwxr-xr-x 1 root root 11089 2009-02-24 20:11 squidGuard.cgi
-rwxr-xr-x 1 root root 5720 2009-02-24 20:11 squidGuard-simple.cgi
-rwxr-xr-x 1 root root 5945 2009-02-24 20:11 squidGuard-simple-de.cgi
-rwxrwxrwx 1 root root 110 2009-10-21 17:38 test.cgi
apachectl -v
Server version: Apache/2.2.11 (Unix)
Server built: Mar 6 2009 09:12:25
perl -version
This is perl, v5.10.0 built for i386-linux-thread-multi
Copyright 1987-2007, Larry Wall
My script
cat test.cgi
#!/usr/bin/perl
print "Content-Type: text/html\n\n";
print "Hello, world!\n";
The error message I get when I try to access the web page "http://192.168.50.29/cgi-bin/test.cgi" looks like this:
[Wed Oct 21 21:00:27 2009] [error] [client 192.168.50.69] (13)Permission denied: access to /cgi-bin/test.cgi denied
I have added the line:
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
to /etc/httpd/conf/httpd.conf
I just can not make it work.
Can anyone help me?
Check your OS permissions for test.cgi and be sure the user or group you are using to run your Apache has read access.
EDIT - The problem is with permissions, but not with read permissions: as you are using SELinux, you need to worry about your file context. Check this thread at the Fedora forums; it explains quite a few options to solve your problem.
1. First check the httpd.conf file. Set the script directory as follows in httpd.conf.
Here you'd need to make sure you find the right httpd.conf file. For example, on my Debian, the default httpd.conf is /etc/apache2/sites-available/default.
<Directory "dir_name">
Options All
AllowOverride All
Order allow,deny
Allow from all
</Directory>
OR you could just use the default /cgi-bin folder.
2. Set the execute permission for the test script.
chmod +x script_name
Check your fstab to see whether the mounted filesystem has permission to execute:
UUID=xxx-xxx-xxx-xx-xx /mnt/mountpoint ext4 rw,user,exec 0 0
The exec part is important.
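Added example (editor's, not from any of the answers): one script for the checks that the Tomcat answers (execute bit, a+rx on /opt/tomcat and its parents, SELinux label, noexec mount, fapolicyd), the MapServer answer (o+x on every path component, o+r on the file) and the answers just above make by hand. Given a path and the account the service runs as, it reports a parent directory without search permission, a missing read or execute bit on the file itself, a noexec mount, a SELinux label of the kinds those threads ran into, and an active fapolicyd. Permissions are judged from the mode bits rather than by trying the access, so root can run it on behalf of the tomcat or apache account. It assumes Linux with GNU stat and util-linux findmnt; the SELinux and fapolicyd checks are skipped when their tools are absent, and user_home_t (the label files created under a home directory get) is this example's addition to the labels named in the threads.

```shell
#!/bin/sh
# Added example, not from the threads: explain a "Permission denied" on a
# script the way the answers above do by hand. Assumes Linux, GNU stat,
# util-linux findmnt; SELinux/fapolicyd checks are skipped if absent.

# has_bit PATH USER BIT   BIT is r, w or x; true if USER gets it through the
# owner, group or other bits (s/t in the x position count as x).
has_bit() {
    p=$1; u=$2; b=$3
    mode=$(stat -L -c %A "$p" 2>/dev/null) || return 1   # e.g. drwxr-x--x
    owner=$(stat -L -c %U "$p"); group=$(stat -L -c %G "$p")
    if [ "$u" = "$owner" ]; then off=1
    elif id -Gn "$u" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then off=4
    else off=7; fi
    case $b in r) pos=$((off + 1));; w) pos=$((off + 2));; x) pos=$((off + 3));; esac
    c=$(printf '%s' "$mode" | cut -c"$pos")
    [ "$c" = "$b" ] || [ "$c" = s ] || [ "$c" = t ]
}

note() { echo "$1"; findings=$((findings + 1)); }

# diagnose_exec_denied SCRIPT [USER]   prints findings; returns 0 if none.
diagnose_exec_denied() {
    script=$1; user=${2:-$(id -un)}; findings=0
    case $script in /*) ;; *) script=$PWD/$script;; esac

    # 1. every parent needs search (x) permission: the MapServer error
    #    "search permissions are missing on a component of the path"
    rest=${script%/*}; rest=${rest#/}; acc=""
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/};; *) rest="";; esac
        acc="$acc/$comp"
        if ! has_bit "$acc" "$user" x; then
            note "search permission missing on $acc for $user"
            return 1   # nothing below it can be inspected
        fi
    done

    # 2. the file itself: the interpreter reads it, the kernel needs x
    [ -e "$script" ] || { note "missing: $script"; return 1; }
    has_bit "$script" "$user" r || note "no read bit on $script for $user"
    has_bit "$script" "$user" x || note "no execute bit on $script for $user"

    # 3. noexec mount (the /etc/fstab case in the Tomcat and CGI answers)
    if command -v findmnt >/dev/null 2>&1; then
        opts=$(findmnt -no OPTIONS --target "$script" 2>/dev/null)
        case ",$opts," in *,noexec,*) note "filesystem holding $script is mounted noexec";; esac
    fi

    # 4. SELinux label: user_tmp_t and default_t are the labels the Tomcat
    #    answers hit; user_home_t is what a tree extracted under $HOME gets
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null)" != Disabled ]; then
        ctx=$(stat -L -c %C "$script" 2>/dev/null)
        case $ctx in
            *:user_tmp_t:*|*:user_home_t:*|*:default_t:*)
                note "SELinux label $ctx on $script; try restorecon -v $script (or semanage fcontext for a new location)" ;;
        esac
    fi

    # 5. fapolicyd allow-listing
    if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet fapolicyd 2>/dev/null; then
        note "fapolicyd is active: $script must be trusted or matched by an allow rule"
    fi

    [ "$findings" -eq 0 ]
}

# Usage for the Tomcat question:  diagnose_exec_denied /opt/tomcat/bin/startup.sh tomcat
# and for the MapServer one:      diagnose_exec_denied /bac/data/gis/global/world.shp apache
```

The parent-directory walk stops at the first component that fails, because nothing beneath it can be stat'ed by that account anyway; that is also why "sudo ./startup.sh works" proves nothing, as root skips every one of these checks except noexec.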
SELinux prevented Apache from accessing the cgi script in my case.
A quick-n-dirty fix that worked for me was turning off SELinux:
vim /etc/sysconfig/selinux
set "SELINUX=disabled"
reboot
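Added example (editor's, not from the thread): a reader for the AVC denials SELinux writes to /var/log/audit/audit.log, which the Tomcat answers above quote and act on with restorecon and semanage fcontext. For each denial it prints which process type was refused which permission on a file carrying which label, and what the answers above did about that label. Plain POSIX sh and awk. The first embedded sample line is the one quoted in the Tomcat answer; the second is constructed to match this thread (httpd_t refused execute on test.cgi labelled user_home_t, as a file copied from a home directory would be). The label names are real targeted-policy types; the hint text is this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: summarise SELinux AVC denials from
# audit.log. First sample line is from the Tomcat answer above; the second is
# constructed for the CGI case. POSIX sh + awk, runs offline.

SAMPLE_AUDIT='type=AVC msg=audit(1614250994.710:33614): avc: denied { execute } for pid=60244 comm="(artup.sh)" name="startup.sh" dev="dm-3" ino=19000615 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1614250994.710:33614): arch=c000003e syscall=59 success=no exit=-13 comm="(artup.sh)"
type=AVC msg=audit(1256155227.100:42): avc: denied { execute } for pid=2222 comm="httpd" name="test.cgi" dev="sda1" ino=12345 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# summarize_avc < audit.log
#   one line per AVC denial:  <perm> <tclass> <name> <source type> -> <target type>  <hint>
summarize_avc() {
    awk '
    # value of key=... (quoted or bare) in the current record, "?" if absent
    function kv(key,   s) {
        if (match($0, key "=\"[^\"]*\"")) {
            s = substr($0, RSTART, RLENGTH); sub(/^[^"]*"/, "", s); sub(/"$/, "", s); return s
        }
        if (match($0, key "=[^ ]+")) {
            s = substr($0, RSTART, RLENGTH); sub(/^[^=]*=/, "", s); return s
        }
        return "?"
    }
    # the type is the third field of user:role:type:level
    function type_of(ctx,   a) { return (split(ctx, a, ":") >= 3) ? a[3] : ctx }
    # what the answers above did for each file label (example text, not policy)
    function hint(t) {
        if (t == "user_tmp_t" || t == "user_home_t")
            return "user-data label (tree came from /tmp or a home dir): restorecon -Rv the install tree, and do not make it the service user home"
        if (t == "default_t")
            return "no fcontext rule covers this path: semanage fcontext -a -t <exec type> \"<dir>(/.*)?\" then restorecon -Rv <dir>"
        return "inspect with ausearch -m avc and audit2allow -w before writing any policy"
    }
    /avc: +denied +\{/ {
        match($0, /\{[^}]*\}/); perm = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perm)
        tt = type_of(kv("tcontext"))
        printf "%s %s %s %s -> %s  %s\n", perm, kv("tclass"), kv("name"), type_of(kv("scontext")), tt, hint(tt)
    }'
}

# stand-alone run over the embedded sample; for a live box:
#   summarize_avc < /var/log/audit/audit.log   (or ausearch -m avc -ts recent | summarize_avc)
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
```

Setting SELINUX=disabled makes this line disappear along with the denial; reading it first usually shows that a relabel of the one directory (restorecon, or semanage fcontext plus restorecon for a non-standard path) is all that is needed, which keeps the httpd_t confinement for everything else on the host.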
