I am looking to change Apache's default page for when there are no indexes, and I am getting a 500 error. My server is Linux Red Hat with clients set up using Kloxo, and in /etc/httpd/conf.d/welcome.conf I am trying to change:
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /error/noindex.html
</LocationMatch>
To
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /error/noindex.php
</LocationMatch>
Which after httpd restart it gives a 500 error. I assume it has to do with PHP permissions as the file is uploaded as root and the user is specific to an account.
The noindex.html file works fine and is set as root as well.
I know an alternative is to use a skeleton directory, but I don't want to go that route.
Does anyone have any ideas how I would accomplish this?
Thanks.
EDIT:
Error I get in suPHP:
UID of script "/var/www/error/noindex.php" is smaller than min_uid
If I change permissions to 777, I get the 500 error page, with only this message in logs:
File "/var/www/error/noindex.php" is writeable by others
EDIT 2:
Make the file 400 or 660 and user ID 501 (lxlabs), I now get the error:
Mismatch between target UID (1060) and UID (501) of file "/var/www/error/noindex.php"
I believe lxlabs is supposed to be a regular user, but might not have permissions to that directory. I am not sure how to target the /home/kloxo/httpd/error/noindex.php as the welcome.conf file seems to start in the /var/www directory.
EDIT 3:
This may help as well. I was able to set the suPHP details in the Virtualhost declaration. Like:
<Virtualhost 123.456.78.90:8888>
SSLEngine On
SSLCertificateFile /home/kloxo/httpd/ssl/eth0___localhost.crt
SSLCertificateKeyFile /home/kloxo/httpd/ssl/eth0___localhost.key
SSLCACertificatefile /home/kloxo/httpd/ssl/eth0___localhost.ca
DocumentRoot /home/kloxo/httpd/webmail/
<Ifmodule mod_suphp.c>
SuPhp_UserGroup lxlabs lxlabs
</Ifmodule>
</Virtualhost>
Perhaps I can do something similar in the welcome.conf file?
The solution is to change the owner and permissions of the script. The user must be a normal user. The permissions must be 660 (rw for user and group) or 400 (r for user only). Explanation follows.
You are using suPHP which is an Apache module that tries to secure PHP scripts by running them with restricted permissions. When a script is requested, suPHP switches to the owner of the script before executing it.
For obvious security reasons, suPHP forbids running a script as root. So PHP scripts owned by root can't be reached through Apache. This is what the message "UID of script is smaller than min_uid" means. suPHP is indeed a bit more generic: it forbids all special users. Linux keeps the first user IDs for the special users. Normal users have an ID above 500 or 1000 (depending on the distribution) while root usually has the ID 0.
suPHP, still for security reasons, refuses to run scripts that any user can modify. This is the meaning of the message "File is writeable by others". This behavior can be switched off with the config parameter allow_file_others_writeable, but it doesn't make much sense to use a security-oriented module with an insecure configuration. After all, the main purpose of suPHP is to separate the applications that have different file owners.
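The three refusals discussed above (min_uid, writeable by others, target UID mismatch) can be checked before a script is deployed. This is an added example, not code from the original answer or from suPHP; the function names and the default min_uid of 500 are assumptions, and the sample cases are constructed from the question's three attempts.

```python
import os
import stat

def suphp_violations(file_uid, file_mode, target_uid, min_uid=500,
                     allow_others_writeable=False):
    """Return every reason a suPHP-style policy would refuse the script.

    min_uid=500 is an assumed value; the real threshold is whatever
    min_uid is set to in the server's suPHP configuration.
    """
    problems = []
    if file_uid < min_uid:
        problems.append("UID %d of script is smaller than min_uid %d"
                        % (file_uid, min_uid))
    if (file_mode & stat.S_IWOTH) and not allow_others_writeable:
        problems.append("file is writeable by others")
    if file_uid != target_uid:
        problems.append("mismatch between target UID %d and file UID %d"
                        % (target_uid, file_uid))
    return problems

def check_script(path, target_uid, **policy):
    """Apply the same checks to a real file on disk."""
    st = os.stat(path)
    return suphp_violations(st.st_uid, stat.S_IMODE(st.st_mode),
                            target_uid, **policy)

# Constructed cases mirroring the question's three attempts (target UID 1060).
CASES = [
    ("root-owned, 644", 0, 0o644),
    ("account-owned, 777", 1060, 0o777),
    ("lxlabs-owned, 660", 501, 0o660),
    ("account-owned, 660", 1060, 0o660),
    ("account-owned, 400", 1060, 0o400),
]

if __name__ == "__main__":
    for label, uid, mode in CASES:
        print(label, "->", suphp_violations(uid, mode, 1060) or "accepted")
```

Only the last two cases come back clean, which matches the answer: the script has to belong to the account the virtual host runs as and must not be writable by others.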
After lots of testing and researching, it doesn't appear to be possible to have a global file like this. The best work around is to put a file in the skeleton directory for each user.
Related
I have difficulties making my .htaccess work on my Ubuntu 14.04 LTS. I know it is a hidden file and all; I've searched everywhere and people seem to have the same problem. I've made a virtual host on my machine and all. Can someone please help me?
ErrorDocument 404 /pages/error.php?code=404
ErrorDocument 403 /pages/error.php?code=403
You need to make sure the following things are true:
You need to check what DocumentRoot is set to. When a URL beginning with a slash is detected, it will try to load that file relative to the document root. (docs) The file <documentroot>/pages/error.php must thus exist.
You need to make sure that .htaccess files are allowed by the main Apache configuration. The easiest way to test this is by entering garbage into your .htaccess file, saving it and reloading a page. You'll get an internal server error if Apache reads the .htaccess file. Otherwise the page loads as expected. To enable .htaccess files, the AllowOverride directive must allow something (see next bullet point). Additionally, check in httpd.conf if AccessFileName is set to something different than .htaccess. Change it as necessary, then RESTART APACHE. (docs)
For ErrorDocument, AllowOverride must be at least set to FileInfo. See the docs. Go to your main config file (httpd.conf), probably apache/Apachex.y.z/conf/httpd.conf. Search for the <Directory ...> block that corresponds to your http root, and look around if it contains an AllowOverride directive. Add FileInfo as one of the arguments, save the file and RESTART APACHE.
I am trying to set up an owncloud server using httpd. In my /var/www/html I set the owner and group to apache:apache and permission of 644.
In my httpd.conf file I have the following.
DocumentRoot /var/www/html
<Directory "/var/www/html/owncloud">
Options Indexes FollowSymLinks
AllowOverride All
order allow,deny
allow from all
</Directory>
I am able to read the php files in the document root, however, when I browse to /owncloud I am getting a 403 Forbidden error.
In my error log I am getting the following.
(13)Permission Denied: access to /owncloud denied
Am I missing any configuration?
You should usually set the user/group to www-data:www-data, see the Owncloud guide, unless you have a changed webserver configuration.
Adding my two cents. (Others have posted similar answers).
I just moved from Linux Fedora 14 to Fedora 20,
then downloaded/installed Apache (which is no longer on
the install DVD), and ran into this "403 You don't
have access" problem, until I found that SELinux
was the culprit. Depending on your flavour of
Linux, this might apply to some of you as well.
To find out whether SELinux is active, enter
"getenforce". If you get "Enabled" then look
in "/var/log/audit/audit.log".
You might see lines like
... denied { getattr } ... comm="httpd"
path="/var/www/html/index.html"
Then decide whether:
1. You DON'T want/need SELinux. Then edit
"/etc/selinux/config" and change the relevant
line to "SELINUX=disabled", then reboot.
2. You DO want/need SELinux. Then study SELinux
and change whatever settings. (I can't help
you with this, since I opted for 1 above.) :D
PHP programmer here. Boss wants me to create multiple wordpress websites that are symlink'ed back to a single parent wordpress directory. Each website resides in a separate Linux user account. In other words, one parent, many children copies, all residing in different /home/ accounts. I need help with my symlink strategy...
So far, for each new linux web account,
install the database
sed replace config values into a temp config file
mysql insert some config data
symlink????
a. every wordpress file ??
b. the entire public_html directory ??
If I alter the parent wordpress PHP code, I can place a "real" copy of the config file in the child user directory, above the symlinked public_html. So, I need only use one child symlink to the parent's public_html directory. BUT, apache returns a 500 error. How do I set up the permissions?
Permissions are the issue. Would chgrp work? Which group? What file mode? Or would I need to create a special group to accommodate the apache user, nobody?
Any help would be greatly appreciated. Code samples welcome :)
Problem's Cause (paranoid security, "switch-user" blocking):
PHP 5 Handler suphp
Suexec on
Problem's solution (DSO):
PHP 5 Handler dso
Suexec off
Performance optimization, added +FollowSymLinks at httpd.conf LINE 75:
<Directory "/">
Options All +FollowSymLinks
AllowOverride All
</Directory>
Each linux user must have a wp-content directory and a wp-config.php file. Don't forget to set writing permissions to the wp-content directory.
You can symlink the rest of the wordpress files to the global wordpress ones.
The global wordpress files must not be writable by the linux users.
This is very possible to do. I have actually written a detailed post explaining the process of symlinking the WordPress directory.
Basically the idea is to replace the wp-config.php file.
Download the repo for WordPress from GitHub; with this you can switch to a newer or older version of WordPress with a simple command: "git checkout 3.7-branch"
Here is the complete set of instructions:
http://www.htmlgraphic.com/symlinking-wordpress-core-files-wordpress-skeleton/
I get this problem when I visit my domain.com. I have compared this with my other website with the SAME set-up (just different username!!!) For some reason that website works and this one doesn't.
Forbidden
You don't have permission to access / on this server.
Apache/2.2.3 (Red Hat) Server at www.mydomain.com Port 80
In terms of permission issues, I have added user "apache" to the group "dver" and "svn" that own the folders that everything is located on.
$ ls -l
total 4
drwxr-xr-x 4 dver svn 4096 Oct 13 19:49 tv
This is my django.wsgi:
import os
import sys
sys.path.append('/home/dver/tv')
os.environ['PYTHON_EGG_CACHE'] = '/home/dver'
os.environ['DJANGO_SETTINGS_MODULE'] = 'mtv.settings'
import django.core.handlers.wsgi
application = django.core.handlers.wsgi.WSGIHandler()
This is in my httpd.conf:
WSGIScriptAlias / /home/dver/tv/mtv/wsgi/django.wsgi
DocumentRoot "/home/dver/tv/mtv/"
Alias /media/ /home/dver/tv/mtv/media/
<Directory /home/dver/tv/mtv/media>
Order deny,allow
Allow from all
</Directory>
<Directory /home/dver/tv/mtv>
Order deny,allow
Allow from all
</Directory>
If anyone can help me I'll really appreciate it.
Thanks!
As the code will run as the Apache user, all directories from the root of the file system down to '/home/dver/tv/mtv/wsgi' must be readable/executable to others, or at least somehow the Apache user, not just your Django site directory.
Thus, if '/home/dver' has permissions 'rwxr-x---' then it will not work. This is the most common problem where people go and stick the WSGI script file under their own home account. Manipulating groups may work, but you don't indicate if that group ownership also applies to '/home/dver'.
Although it will not matter, as it refers to a parent directory, it is more secure to have:
<Directory /home/dver/tv/mtv/wsgi>
Order deny,allow
Allow from all
</Directory>
That is, use '/home/dver/tv/mtv/wsgi' rather than '/home/dver/tv/mtv'.
One other possibility is that you have SELinux extensions enabled for operating systems. You should configure SELinux correctly if it is, or possibly disable it just to see if it then works.
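The directory-permission point in this answer can be checked mechanically by walking every directory from / down to the WSGI script's directory and testing the search (x) bit for the Apache user. This is an added example, not part of the original answer; the function names are assumptions, and it looks only at classic mode bits, not ACLs or SELinux.

```python
import os
import stat

def can_traverse(st, uid, gids):
    """True if a process with this uid and group set may enter the directory.

    Classic mode bits only: ACLs, SELinux and root's override are ignored.
    """
    if uid == st.st_uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def blocked_ancestors(path, uid, gids):
    """Return each directory from / down to path that the user cannot enter."""
    path = os.path.realpath(path)
    if not os.path.isdir(path):
        path = os.path.dirname(path)      # for a script, check its directory
    parts = [p for p in path.split(os.sep) if p]
    chain = [os.sep] + [os.sep + os.sep.join(parts[:i])
                        for i in range(1, len(parts) + 1)]
    return [d for d in chain if not can_traverse(os.stat(d), uid, set(gids))]

if __name__ == "__main__":
    import grp, pwd, sys
    # Run as root or the directory owner so every ancestor can be stat()ed.
    # Assumed invocation: check.py apache /home/dver/tv/mtv/wsgi
    user = sys.argv[1] if len(sys.argv) > 1 else pwd.getpwuid(os.getuid()).pw_name
    target = sys.argv[2] if len(sys.argv) > 2 else os.getcwd()
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    for d in blocked_ancestors(target, pw.pw_uid, gids):
        print("no search permission for %s: %s" % (user, d))
```

A home directory with mode rwxr-x--- shows up in the output unless the Apache user is in its group, which is the case the answer describes.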
There are three potential problems that I notice.
The first depends on the OS you're running — are you sure the user you should add to the groups is called apache and not www-data?
The second is that you have your wsgi script under the directory wsgi but you have no httpd.conf Directory definition for it. I would add that and try again.
The third is that your /home/dver egg directory might have the wrong permissions.
I'm a beginner running 1&1's default customer-self-manages Apache setup, which has Plesk pre-installed. The Plesk site is at https://example.com:8443/ (where example.com is my registered domain) and brings up a PHP-based login page. However, I'd like to additionally secure this app with an htaccess, HTTP-based authentication request (because I might not update Plesk in time should there be Plesk security bugs, and somehow feel better not having the PHP files lying around publicly, if PHP-protected). However, logging in via SSH as root and dropping .htaccess files into folders I figured were relevant -- like /usr/local/psa/admin/htdocs/, among others -- does not bring up the http authentication when requesting the page in a browser. What should I do?
PS: The same .htaccess file works well in other folders I want to secure (I also tried chmod 644). It basically contains this:
AuthType Basic
AuthName "John Doe Management Access"
AuthUserFile /johndoe/.htpasswd
require user johndoe_user
PPS: My .htaccess file seems to be there alright, as https://example:8443/.htaccess brings up a "no permission" page, whereas https://example.com:8443/.htfoo brings up a "not found" page. Perhaps htaccess files are just not correctly configured to be, well, htaccess files for the port and site in question?
We just had the same problem (although not with Plesk)
Turned out that the vhost configuration had the directive:
AllowOverride None
This meant that the .htaccess file was being completely ignored (even if we entered garbage into the file)
The fix was to set the directive to:
AllowOverride AuthConfig
Then all you need to do is restart your apache server