debian apache http server throws bad group name nobody error - linux

I am trying to run an application on Debian 8 (32-bit).
It has an inbuilt httpd server, and when I try to start it I get this error:
httpd: bad group name nobody
httpd/bin/httpd.rc startssl: httpd could not be started
Is there any standard way to enable this group (it looks similar to guest user access)?
As per the documentation of Debian 8, nobody user is used by processes which do not require any privileges.

Found the answer on this post: https://askubuntu.com/questions/138972/what-is-the-equivalent-user-for-nobodynobody-from-centos
Changed the httpd.conf group name from nobody to nogroup.

I had this problem because the group didn't exist in /etc/group.
I created it and it worked.
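A check for the condition behind the error above, as an added example that is not part of the original posts: it reads the User and Group directives from an httpd.conf and reports any that do not resolve to an account on the host. The function name, the sample configuration and the Debian-like account sets are constructed for illustration.

```python
import grp
import pwd
import re

# Matches "User x" / "Group x" (directive names are case-insensitive in Apache).
DIRECTIVE_RE = re.compile(r'^\s*(User|Group)\s+("?)([^"\s]+)\2\s*$', re.IGNORECASE)

# Constructed sample: the directive values from the question.
SAMPLE_CONF = """\
# constructed httpd.conf fragment
User nobody
Group nobody
"""
# Constructed account sets mirroring Debian, where user "nobody" is in group "nogroup".
DEBIAN_USERS = {"root", "nobody", "www-data"}
DEBIAN_GROUPS = {"root", "nogroup", "www-data"}


def check_run_as(conf_text, users=None, groups=None):
    """Return (lineno, directive, value, problem) for each User/Group
    directive that will not resolve on this host."""
    # Default to the host's account databases (looked up through NSS).
    if users is None:
        users = {u.pw_name for u in pwd.getpwall()}
    if groups is None:
        groups = {g.gr_name for g in grp.getgrall()}
    problems = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue  # commented-out lines and unrelated directives
        directive, value = m.group(1).capitalize(), m.group(3)
        if value.startswith("#"):
            # Apache accepts "#<number>" as a numeric uid/gid; nothing to look up.
            if not value[1:].lstrip("-").isdigit():
                problems.append((lineno, directive, value, "malformed numeric id"))
            continue
        known = users if directive == "User" else groups
        if value not in known:
            problems.append((lineno, directive, value, "no such " + directive.lower()))
    return problems


if __name__ == "__main__":
    for lineno, directive, value, problem in check_run_as(
            SAMPLE_CONF, DEBIAN_USERS, DEBIAN_GROUPS):
        print(f"line {lineno}: {directive} {value}: {problem}")
```

Called without the two sets, the function checks against the accounts of the machine it runs on.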

Related

nginx uWSGI connection to unix socket failed

I'm trying to connect uWSGI Flask application on CentOS 7 with nginx, nginx error log at /var/log/nginx/error.log gives:
2017/10/04 22:35:29 [crit] 24381#0: *54 connect() to unix:/var/www/html/CON29Application1/socket.sock failed
(13: Permission denied) while connecting to upstream, client: 80.44.138.51,
server: 188.226.174.121, request: "GET /favicon.ico HTTP/1.1", upstream: "uwsgi://unix:/var/www/html/CON29Application1/socket.sock:",
host: "188.226.174.121", referrer: "http://188.226.174.121/"
The uWSGI error log shows, I think, that uWSGI is running correctly:
WSGI app 0 (mountpoint='') ready in 1 seconds on interpreter 0x1a1ebd0 pid: 26364 (default app)
This is my first deployment on Linux, but read another SO answer here: Nginx can't access a uWSGI unix socket on CentOS 7
This guy answered his own question, and referred to blog post on SE Linux http://axilleas.me/en/blog/2013/selinux-policy-for-nginx-and-gitlab-unix-socket-in-fedora-19/, saying SE Linux was the problem. I don't really understand what is running where on SE Linux, and solution seems to involve altering "AVC" messages in nginx audit.log, I'm getting in over my head!
As the blog post referred, I do get AVC messages mentioning denied write and nginx at /var/log/audit/audit.log:
type=AVC msg=audit(1507153878.777:559609): avc: denied { write } for pid=24381
comm="nginx" name="socket.sock" dev="vda1" ino=715975
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=sock_file
But being a newbie, is there perhaps something simpler I did wrong that I can fix with chmod permissions or chown? Thanks for any ideas.
Socket permissions:
ls -l socket.sock
srwxrwxrwx. 1 will nginx 0 Oct 4 17:02 socket.sock
Well, my SELinux settings did make a difference in the end, and changing this has got my web application actually working! I looked at another tutorial: https://www.digitalocean.com/community/tutorials/an-introduction-to-selinux-on-centos-7-part-1-basic-concepts
I must say from a Linux newbie's point of view, I have seen a few other posts mentioning how good Digital Ocean's tutorials are (I certainly don't have any affiliation with them whatsoever..).
For other newbies reading this, SELinux stands for Security Enhanced Linux, and is something included with many distributions of Linux now apparently, including CentOS 7. It's there for added security of some kind. I ran the simplest command they list on this page: getenforce
which output
enforcing
As the Digital Ocean tutorial states, "SELinux should currently be disabled", mine wasn't - no idea why, I hadn't touched anything on SELinux as had no idea what it was until 2 days ago.
Anyway, trying for simplest fix, as their advice did:
vi /etc/sysconfig/selinux
Or actually I think I didn't have permission to do this as my user, had to do it as root:
sudo vi /etc/sysconfig/selinux
There's only actually 2 settings in this file. So reset:
SELINUX=permissive
Then tried reboot as their advice to restart server, so apparently then SE Linux will start logging some security mumbo jumbo stuff, ie I think this means it records security booboos and people hacking into the system rather than stopping them. Reboot then asked me for Cloud something password, which I thought must be my sudo password, it wasn't, then crashed after trying this couple times anyway, so restarted it I think this is reboot yes? And my website now works.
As the other post I mentioned here, I think this means SELinux is doing something to stop nginx running when it is set to enforcing. But the other post here seemed a bit more complex for a newbie than to just change one setting as I have done here, with more potential to create further problems. If I can ever develop this or another app further, I think I need to find someone with more Linux experience.
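The AVC record quoted in the question can be read field by field. This added example (not from the original posts; function names are hypothetical) parses it and groups denials by source type, target type and object class, which shows that the denial here concerns the socket's var_t label rather than its mode bits.

```python
import re
from collections import defaultdict

# The AVC record from the question, joined onto one line, plus a constructed
# non-AVC line to show that unrelated audit records are skipped.
SAMPLE_LOG = [
    'type=AVC msg=audit(1507153878.777:559609): avc: denied { write } for pid=24381 '
    'comm="nginx" name="socket.sock" dev="vda1" ino=715975 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 '
    'tclass=sock_file',
    'type=SYSCALL msg=audit(1507153878.777:559609): arch=c000003e syscall=42 success=no',
]

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _setype(context):
    """Third field of user:role:type:level is the type that policy rules use."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one audit.log line; return None unless it is an AVC record."""
    m = AVC_RE.search(line) if "type=AVC" in line else None
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "tclass": fields.get("tclass"),
        "source_type": _setype(fields.get("scontext", "")),
        "target_type": _setype(fields.get("tcontext", "")),
    }


def group_denials(lines):
    """Map (source_type, target_type, tclass) -> set of denied permissions."""
    grouped = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        if rec["result"] == "denied":
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            grouped[key].update(rec["perms"])
    return dict(grouped)
```

For the record above this yields httpd_t denied write on a sock_file labelled var_t. The srwxrwxrwx mode shown by ls -l already allows everyone, so chmod or chown cannot change the outcome.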

NT_STATUS_ACCESS_DENIED Error in Samba share

So, I tried to set up a public SMB share with Samba on CentOS 7. Now, I have it set up, and I have a headache. But, sweet victory. I'm posting this here for all y'all so that you don't need to waste your time. It's actually easy, you just need to know the hoops you need to jump through. I'll also edit the Samba wiki.
The first problem was that it wouldn't connect at all, except locally:
Remote Connection (my Linux desktop):
-------
[root@my-desktop ~]# smbclient //sambaserver/PublicDocs -N
Error connecting to 192.168.100.97 (No route to host)
Connection to cgybkp01 failed (Error NT_STATUS_HOST_UNREACHABLE)
On Windows 8, using Windows Explorer, after typing "\\sambaserver" into the address bar, the progress bar would wait, wait, wait, then time out. The error message was:
Remote Connection (my Windows 8 desktop):
Windows cannot access \\sambaserver
Check the spelling of the name. Otherwise, there might be a problem with your network. To
try to identify and resolve network problems, click Diagnose.
This ended up being a problem with firewalld. To unblock Samba, I needed to add this line to /etc/firewalld/zones/public.xml :
<service name="samba"/>
Perfect, now I can connect!
But, I was actually mounting an NFS share, so I had one more issue, with SELinux. Now, when I attempt to connect with smbclient...
smbclient //sambaserver/PublicDocs -N
I can connect, but when I try to ls, I get the error: "NT_STATUS_ACCESS_DENIED" in CentOS 7. So, how do I connect?
The first thing everyone recommended that I try was file permissions. If you're not familiar with file permissions in Linux, I'd recommend trying those first. But for me, that didn't work, because SELinux was blocking me.
To see all of the SELinux options for Samba, type:
getsebool -a | grep samba
getsebool -a | grep smb
The one I needed to change was samba_share_nfs, because I was sharing an NFS mounted directory:
setsebool -P samba_share_nfs on
CentOS maintains a list of these booleans here.

You don't have permission to access / on this server ubuntu 14.04

Agenda: To have a common Project Folder between Linux and Windows
I have changed my document root from : /var/www/html to /media/mithun/Projects/test in my ubuntu machine 14.04
I get error as :
Forbidden
You don't have permission to access / on this server.
Apache/2.4.7 (Ubuntu) Server at localhost Port 80
So I added some scripts to : sudo gedit /etc/apache2/sites-available/000-default.conf
# DocumentRoot /var/www/html
DocumentRoot /media/mithun/Projects/test
But Document Root /var/www/test works but not with Windows NTFS Partition Drive.
Even after referring to :
Error message "Forbidden You don't have permission to access / on this server"
Issue with my Ubuntu Apache Conf file. (Forbidden You don't have permission to access / on this server.)
No success :( So kindly assist me with it...
Note: Projects is a New Volume (Internal Drive: In Windows it's E:/ Drive)
@Lmwangi - Please check my updates for your reference below:
Output of : ls /etc/apparmor.d/
abstractions lightdm-guest-session usr.bin.evince usr.sbin.cupsd
cache local usr.bin.firefox usr.sbin.mysqld
disable sbin.dhclient usr.lib.telepathy usr.sbin.rsyslogd
force-complain tunables usr.sbin.cups-browsed usr.sbin.tcpdump
I tried killing apparmor:
sudo /etc/init.d/apparmor kill
I receive output as : Usage: /etc/init.d/apparmor
{start|stop|restart|reload|force-reload|status|recache}
After this, I was also able to restart apache successfully
Maybe the problem is simple: is your new root directory accessible to the www-data user?
Try :
$ chown -R www-data:www-data /media/mithun/Projects
As you have discovered by now, you cannot just manipulate permissions on an NTFS partition (using tools like chmod).
However, you can try forcing a given owner/permissions for the entire partition when you mount it.
Now the way to do this depends on the NTFS utilities you are actually using (which I don't know, so I'm assuming you are using ntfs-3g).
E.g. mount the partition with the following parameters (replace /dev/sdX with your actual partition, and /path/where/the/drive/is/mounted with your target path):
mount -o gid=www-data /dev/sdX /path/where/the/drive/is/mounted
should make all the files on the partition belong to the www-data group.
If the filesystem sets the group ownership explicitly, this still might not work.
In this case, you might need to setup a usermap, that maps your windows users/groups (as found on the partition) to your linux users/groups.
The ntfs-3g.usermap utility will help you generate an initial usermap file, which you can then edit to your needs:
ntfs-3g.usermap /dev/sdX
Then pass the usermap to the mount options:
mount -o usermapping=/path/to/usermap.file /dev/sdX /path/where/the/drive/is/mounted
I suspect that you have apparmor enforcing rules that prevent Apache from reading non-whitelisted directory paths. I suggest that you:
1. Edit the apparmor config for Apache to access your custom path. You'll need to hunt around /etc/apparmor.d/ . You may also find using apparmor in non-enforcing mode helpful.
$ sudo aa-complain /etc/apparmor.d/*
2. Use mod_apparmor? See this
3. Or disable apparmor completely. See this
My order of preference would be 1,3,2. That should fix this for you :)
While using ubuntu with windows I faced same issue and it is resolved by remounting drive with read and write access. Below command will help you to do that:
sudo mount -o remount,rw /disk/location /disk/new_location
If it is still not working, then in Windows, go to the power options and disable fast startup.
When you shut down a computer with Fast Startup enabled, Windows locks down the Windows hard disk. You won’t be able to access it from other operating systems if you have your computer configured to dual-boot. Even worse, if you boot into another OS and then access or change anything on the hard disk (or partition) that the hibernating Windows installation uses, it can cause corruption. If you’re dual booting, it’s best not to use Fast Startup or Hibernation at all.
Original article: https://www.howtogeek.com/243901/the-pros-and-cons-of-windows-10s-fast-startup-mode/

Linux - Installed Nagios but getting Forbidden 403 error

I have installed Nagios successfully on Fedora 17, but when I try to connect to Nagios at http://mylocalhost.com/nagios, it asks for a username and password. After entering this information I get a Forbidden 403 error with the message: You don't have permission to access /nagios/ on this server.
I am a bit confused about how to resolve this issue. I read some posts. They were saying to create an empty index.html inside the http root directory. I tried, but the same error is there.
http://www.unixmen.com/nagios-http-warning-http11-403-forbidden-solved/
If I am not wrong http root directory is /var/www/html?
Oops ... sorry, it was a problem with my httpd service, which was actually running but not publicly accessible.
I simply flushed out iptables, then checked whether the httpd service was running properly or not.
Now it's working great.
I think you create the file index.html in /var/www/html.
After that you can restart the nagios and httpd services.

Proper permission for sendmail.cf when apache sends mail on linux

I have a web application (Bugzilla) in Apache that needs to use sendmail.cf. When it tries to use sendmail I get the error:
/etc/mail/sendmail.cf: line 0: cannot open: Permission denied
The web application is in the group "apache".
Permissions for sendmail look like:
-rw-r--r-- 1 root root 58624 2008-03-29 05:27 sendmail.cf
What do the permissions for sendmail.cf have to look like in order to be accessed by apache but still be secure enough to lock out everyone else?
I have this issue in a Centos 7 and the answer was here:
http://www.mysysadmintips.com/linux/servers/591-sendmail-won-t-send-emails-on-centos-7-permission-denied
Quick 'sestatus' check revealed that the issue was caused by SELinux.
Running: getsebool httpd_can_sendmail returns off, which means that
Apache (httpd) doesn't have permission to send emails.
The issue was resolved by running: setsebool -P httpd_can_sendmail on
You should have a different .cf file for local submissions, usually called (something like) submit.cf - this will have a slightly different batch of settings specifically for SENDING mail (whereas sendmail.cf will be the part for RECEIVING mail). The submit.cf is safe to be globally readable, because (in theory) all processes on the box should be trusted to send email.
Set the user as root and the group as apache: chown root:apache sendmail.cf
