Home directory permissions

#1 Mon, 12/15/2008 - 20:09
nickdwhite

Home directory permissions

Ok, so here is a strange problem that has just started happening:

Yesterday I added a new domain to Virtualmin (GPL), and immediately the site started throwing a 403 Forbidden error. No files had been uploaded yet. Usually, it will just give an index of the files in that folder, so I put some files in the folder, and still 403 errors. Even accessing files directly gave a 403 error.

I tracked it down to something related to permissions, but I'm not sure what. All user directories in /home/ are chmod 750. Oddly enough all previous existing sites are working fine. Only new sites show 403 errors.

If I change the /home/newuser and /home/newuser/public_html to chmod 755, then new domains will start working correctly, but I don't accept this as a fix. It's a workaround, and one I'm not happy with.

So... any clues as to why new domains have to have 755 to work, while old ones are content with 750 permissions? It's as if Apache can't get into the directories, but I've deleted and recreated several different domains as a test. I've made sure Apache is getting added in the new groups created. SuEXEC is on, but I've also disabled it to test.

I haven't made any configuration changes lately.

Tue, 12/16/2008 - 07:46
andreychek

Can you post the VirtualHost section related to that domain? I'm curious to see a few things, including the suexec related stuff.
-Eric

Sun, 06/07/2009 - 07:33 (Reply to #2)
nickdwhite

Sure. Here is the new domain that gives 403 Forbidden:
[code:1]SuexecUserGroup "#1041" "#1017"
ServerName a2zbailbonds.com
ServerAlias www.a2zbailbonds.com
ServerAlias admin.a2zbailbonds.com
DocumentRoot /home/a2zbailbonds/public_html
ErrorLog "|/etc/webmin/virtual-server/writelogs.pl 12294500936613 /home/a2zbailbonds/logs/error_log"
CustomLog "|/etc/webmin/virtual-server/writelogs.pl 12294500936613 /home/a2zbailbonds/logs/access_log" combined
ScriptAlias /cgi-bin/ /home/a2zbailbonds/cgi-bin/
ScriptAlias /awstats /home/a2zbailbonds/cgi-bin
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/a2zbailbonds/public_html>
Options Indexes IncludesNOEXEC FollowSymLinks
allow from all
AllowOverride All
</Directory>
<Directory /home/a2zbailbonds/cgi-bin>
allow from all
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =admin.a2zbailbonds.com
RewriteRule ^(.*) https://a2zbailbonds.com:10000/ [R]
<Files awstats.pl>
AuthName "a2zbailbonds.com statistics"
AuthType Basic
AuthUserFile /home/a2zbailbonds/.awstats-htpasswd
require valid-user
</Files>
[/code:1]

Here is a previously existing one that works fine:
[code:1]SuexecUserGroup "#1029" "#1011"
ServerName midpac2009.com
ServerAlias www.midpac2009.com
ServerAlias webmail.midpac2009.com
ServerAlias admin.midpac2009.com
DocumentRoot /home/midpac2009/public_html
ErrorLog /home/midpac2009/logs/error_log
CustomLog /home/midpac2009/logs/access_log combined
ScriptAlias /cgi-bin/ /home/midpac2009/cgi-bin/
ScriptAlias /awstats /home/midpac2009/cgi-bin
DirectoryIndex index.html index.htm index.php index.php4 index.php5
<Directory /home/midpac2009/public_html>
Options Indexes IncludesNOEXEC FollowSymLinks
allow from all
AllowOverride All
</Directory>
<Directory /home/midpac2009/cgi-bin>
allow from all
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.midpac2009.com
RewriteRule ^(.*) https://midpac2009.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.midpac2009.com
RewriteRule ^(.*) https://midpac2009.com:10000/ [R]
<Files awstats.pl>
AuthName "midpac2009.com statistics"
AuthType Basic
AuthUserFile /home/midpac2009/.awstats-htpasswd
require valid-user
</Files>
[/code:1]

I've also noticed that if I create new domains as Sub-Servers of an already existing account, they work fine.

Tue, 12/16/2008 - 08:19 (Reply to #4)
nickdwhite

[code:1]# ls -nd /home/a2zbailbonds/
drwxr-x--- 10 1041 1017 4096 2008-12-16 09:55 /home/a2zbailbonds/[/code:1]
[code:1]# ls -nd /home/a2zbailbonds/public_html/
drwxr-x--- 3 1041 1017 4096 2008-12-16 09:55 /home/a2zbailbonds/public_html/[/code:1]

Wed, 12/17/2008 - 06:58 (Reply to #5)
nickdwhite

Any ideas? Permissions look correct.

Wed, 12/17/2008 - 07:08 (Reply to #6)
andreychek

Oh, right, my bad, I got lost in a sea of forum messages and completely forgot to get back to you. Very sorry :-)

That is odd though; you're right, the directory permissions match the suexec ones. I was curious if that would be it, but it doesn't appear that way.

Can you post the error that shows up in /home/a2zbailbonds/logs/error_log whenever you try to access the site? I wonder if perhaps it shows any more details. Also, is there anything interesting in the suexec log in /var/log/httpd/ (or /var/log/apache2 if you're on Debian/Ubuntu)?
-Eric

Wed, 12/17/2008 - 07:11 (Reply to #7)
nickdwhite

Here is the error_log:
[code:1][Wed Dec 17 00:11:01 2008] [crit] [client 99.157.156.201] (13)Permission denied: /home/a2zbailbonds/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
[Wed Dec 17 09:09:38 2008] [crit] [client 66.214.221.87] (13)Permission denied: /home/a2zbailbonds/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
[/code:1]

Here is the access_log:
[code:1]99.157.156.201 - - [17/Dec/2008:00:11:01 -0800] "GET / HTTP/1.1" 403 431 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)"
66.214.221.87 - - [17/Dec/2008:09:09:38 -0800] "GET / HTTP/1.1" 403 427 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (.NET CLR 3.5.30729)"[/code:1]

suexec.log is empty.

Wed, 12/17/2008 - 07:16 (Reply to #8)
nickdwhite

Here is another thing I didn't mention. If instead of setting chmod 755, I change the group ownership of the home directory & public_html directory to www-data (I'm on Debian) the site starts showing up. I've checked the following:

Apache is running as www-data:www-data
www-data is a member of the a2zbailbonds group
I even tried adding a2zbailbonds to the www-data group

Wed, 12/17/2008 - 07:21 (Reply to #9)
andreychek

Ahh, that's interesting.

Is there a .htaccess file in there somewhere?

Does this show anything:

ls -l /home/a2zbailbonds/.htaccess

Wed, 12/17/2008 - 07:24 (Reply to #10)
nickdwhite

No, there is no .htaccess file. Nor should there be one. It's a freshly created account & directory. I've even tried creating one in there and changing permissions on it. The error still shows up.

Wed, 12/17/2008 - 08:32 (Reply to #11)
andreychek

Hrm, so just for fun -- if you create a test.php for that domain, and you put something simple in it, such as this:

[code:1]
<?php
phpinfo();
?>
[/code:1]

And then try to pull that up in your browser -- does the suexec log show that it accessed a file for that user?

Each and every file access should show up in the suexec log; it's a little odd that nothing's in there...
-Eric

Wed, 12/17/2008 - 09:03 (Reply to #12)
nickdwhite

Nope, nothing comes up in the log. And I get 403 when accessing the file. The log is empty, except for one line when I tried running suexec from the commandline a few days ago (troubleshooting):
[code:1][2008-12-14 21:37:03]: too few arguments[/code:1]

Wed, 12/17/2008 - 09:18 (Reply to #13)
andreychek

Okay. If you'd like some suexec info, you can run it with -V:

suexec -V

You say you're on Debian? What does this command show:

find /etc/apache2 | xargs grep suexec

When I run that on a Debian system here, I see:

# find /etc/apache2/ | grep suexec
/etc/apache2/mods-enabled/suexec.load
/etc/apache2/mods-available/suexec.load

I'm suspicious that something is wrong with suexec on there, but I'm not sure what yet :-)
-Eric

Wed, 12/17/2008 - 17:46 (Reply to #14)
nickdwhite

I get the same results as you. The suexec module is in the 'available' and 'enabled' folders.

Wed, 12/17/2008 - 17:56 (Reply to #15)
nickdwhite

I get this additional one as well:
/etc/apache2/mods-available/fastcgi.conf: #FastCgiWrapper /usr/lib/apache2/suexec2

Thu, 12/18/2008 - 04:20 (Reply to #16)
andreychek

Alright -- I pinged Joe and Jamie for some ideas -- they pointed out that the group for any new account that's created should contain Apache's group as a member.

So, since you're using Debian, that means when you look at /etc/group, the group for the account owning this domain should have www-data listed at the end of it. Is that the case?

Also, what Debian version do you have? And what does this command show:

grep www-data /etc/group | wc -l

Thanks,
-Eric

Wed, 12/17/2008 - 23:38 (Reply to #17)
David.Strejc

Try to create .htaccess in that directory and give it right suexec user and right permissions.

Thu, 12/18/2008 - 07:08 (Reply to #18)
nickdwhite

rawww wrote:
"Try to create .htaccess in that directory and give it right suexec user and right permissions."

I tried that, but still get 403. I made sure it was chmod 644 and owned by the user/group. The thing is there shouldn't be a .htaccess file there, there isn't one on any of the other accounts that are working fine.

Thu, 12/18/2008 - 11:43 (Reply to #19)
andreychek

Alright, well, I'm a little confused as to why it's not working :-)

If you like, I'd be happy to log in and poke around a bit to see if I can figure out what's going on with that.

If you're using Virtualmin Pro, there's info here on how to setup remote access:

http://www.virtualmin.com/documentation/id,support_requests_and_remote_l...

And then, all I'd need is your hostname or IP address (which I suppose is actually mentioned in your Apache config above).

Or, if you're using the GPL version, you could email me your root login info.

You can email that to eric@virtualmin.com -- be sure to include a link to this thread in the message body somewhere.

Thanks!
-Eric

Thu, 12/18/2008 - 16:46 (Reply to #20)
nickdwhite

Email sent. Thanks again for all of your help.

Thu, 12/18/2008 - 21:58 (Reply to #21)
nickdwhite

A quick update for anyone who might be following this, or who comes across this thread in the future. It looks like NFS was the culprit. I have my /home directory mounted through NFS (two backend servers for failover), and the NFS server was running as version 3, which has a 16 group limitation on files/directories. I'm making the switch to version 4 and will report back here.
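
The NFS group cap described in the post above, as an added example that is not part of this thread or of Virtualmin: a small Python model of which groups a www-data process loses once its group list exceeds the 16 slots of the AUTH_SYS (sec=sys) RPC credential that an NFSv3 mount sends. The /etc/group content is constructed to match the counts quoted in this thread (18 grep hits, gids 1011 and 1017); which 16 entries survive is modelled as the lowest gids, an assumption about the Linux client's sorted group list.

```python
"""Model the AUTH_SYS (AUTH_UNIX) credential cap behind the 403 in this thread.
Added example, not Virtualmin's or Apache's code. An NFS mount using sec=sys carries at
most 16 supplementary gids per RPC call, so a web-server user in more groups than that
silently loses the extra ones on an NFS-backed /home."""

AUTH_SYS_MAX_GIDS = 16  # UNX_NGROUPS in the Linux SunRPC client


def parse_group_file(text):
    """Return {group_name: (gid, [members])} from /etc/group-style lines."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def grep_count(text, needle):
    """Mimic `grep www-data /etc/group | wc -l`: lines mentioning the name anywhere."""
    return sum(1 for line in text.splitlines() if needle in line)


def group_list(groups, user, primary_gid):
    """Gids a process for `user` holds after initgroups(3): the primary gid plus every
    group listing the user, sorted ascending as the Linux kernel stores them
    (assumption: this sorted order is what the RPC client truncates)."""
    gids = {primary_gid}
    gids.update(gid for gid, members in groups.values() if user in members)
    return sorted(gids)


def split_by_auth_sys(gids):
    """Return (sent, dropped): gids that fit the 16-slot credential and the rest."""
    return gids[:AUTH_SYS_MAX_GIDS], gids[AUTH_SYS_MAX_GIDS:]


# Constructed /etc/group excerpt mirroring the thread: www-data (gid 33) is a member of
# 17 site groups, so `grep www-data /etc/group | wc -l` reports 18 as in the original post.
SAMPLE_ETC_GROUP = "www-data:x:33:\n" + "".join(
    f"site{n}:x:{1000 + n}:www-data\n" for n in range(1, 18) if n not in (11, 17)
) + "midpac2009:x:1011:www-data\na2zbailbonds:x:1017:www-data\n"


def groups_lost_for(user="www-data", primary_gid=33, text=SAMPLE_ETC_GROUP):
    """Names of groups whose 750 directories `user` can no longer enter over NFS."""
    groups = parse_group_file(text)
    _sent, dropped = split_by_auth_sys(group_list(groups, user, primary_gid))
    return [name for name, (gid, _m) in groups.items() if gid in dropped]
```

The cap belongs to the AUTH_SYS (sec=sys) RPC credential rather than to NFSv3 as such; rpc.mountd's --manage-gids option (the server resolves group membership itself) and Kerberos (sec=krb5) are the two usual ways around it.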

Tue, 12/16/2008 - 08:05
andreychek

Okay -- what do you get if you type this on the command line:

ls -nd /home/a2zbailbonds/

and

ls -nd /home/a2zbailbonds/public_html/

Thu, 12/18/2008 - 07:02
nickdwhite

Apache is set up to run as 'www-data' for user and group. That group is a part of the new group, as seen in the /etc/group file:
[code:1]a2zbailbonds:x:1017:www-data[/code:1]

That command shows this:
[code:1]# grep www-data /etc/group | wc -l
18[/code:1]

I'm running Debian Etch.
