Re: User Directories On FreeBSD 8.0-RELEASE
On 02/19/10 03:05, Matthew Seaman wrote:
> On 18/02/2010 21:26, Programmer In Training wrote:
>> Possibly not the most secure permissions but I don't remember the
>> default (I think it's 644).
>
> Nope. For directories it's 755. You need the x permission on a
> directory to chdir to it.

I figured as much, but the normal files (like text files, images and the like) when created don't show up red with an asterisk when I ls the directory as they do now (new files still don't) but I guess it really isn't an issue.

>> Apache runs as user:group daemon:daemon
>
> The default is www:www but I guess you know your own configuration.

I know the default is www:www but for some reason, when Apache installed it defaulted to daemon:daemon with nothing being set on my part.

>> Trying to su in from root as daemon returns the following:
>
>> su - daemon
>> This account is currently not available.
>
> Yep. That's because it (correctly) doesn't have a usable login shell. Try:
>
>     su -m daemon

Didn't think of that, thanks.

> If you're getting 403 permission denied errors trying to access

I am (did I forget to mention that, if so my apologies to the list).

> userdirs, then the problem lies within the apache configuration.
> What you need to do is configure the permissions based on the home
> directory path returned from getpwent() -- by default under FreeBSD
> that's /home/user1/ Nevermind that much of the time /home is a symlink
> to /usr/home -- it's the path returned from the passwd file that apache
> uses for comparison, long before trying to resolve any symlinks and open
> anything on the hard-drive.

That's entirely confusing (not your explanation, just the why). Will change it back to the default and see where it goes from there.

Well, I just changed everything referring to the userdir's in http-userdir.conf to the way you suggested. Works just fine. I'd just like to thank everyone that helped me. Much appreciated!

Now I can do some ports based virtual hosts so I can put all my websites to their own root. I believe I can handle it from here. (:

Once again, a big thank you to everyone who helped. (:

Also, to those who asked, I believe Apache 2.2 now compiles in with some of the most common modules by default but I reinstalled with the userdir mod as a dso, just in case.

--
Yours In Christ,
PIT
Emails are not formal business letters, whatever businesses may want.
[SOLVED]Re: User Directories On FreeBSD 8.0-RELEASE
Sorry this hasn't been made clear, seems that the list is dropping some of my emails, but this issue has been solved. I'll post the answer here and hopefully the list will pick it up this time (or at least deliver it to me so I know it's been delivered):

> On 02/19/10 03:05, Matthew Seaman wrote:
>> If you're getting 403 permission denied errors trying to access
>> userdirs, then the problem lies within the apache configuration.
>> What you need to do is configure the permissions based on the home
>> directory path returned from getpwent() -- by default under FreeBSD
>> that's /home/user1/ Nevermind that much of the time /home is a symlink
>> to /usr/home -- it's the path returned from the passwd file that apache
>> uses for comparison, long before trying to resolve any symlinks and open
>> anything on the hard-drive.

I had defined the path as since I knew that /home was a symlink to /usr/home and did not want to take the chance of Apache having problems following the symlink. I didn't realize that Apache takes the path from getpwent(). I now have Apache configured and working properly.

As for the user:group setting, that was something Apache set itself when installed (non-ports version, since the ports version wouldn't start for me with even just the default httpd.conf and no edits at all). I can change that and most likely will if it's very bad to have Apache running as daemon:daemon.

In case no one saw before, I would like once again to thank everyone for their help.

--
Yours In Christ,
PIT
Emails are not formal business letters, whatever businesses may want.
Re: User Directories On FreeBSD 8.0-RELEASE
In freebsd-questions Digest, Vol 298, Issue 8, Message: 3
On Thu, 18 Feb 2010 15:26:58 -0600 Programmer In Training wrote:
> On 02/18/10 14:54, Craig Whipp wrote:
>
> > What are the permissions for your $HOME and $HOME/public_html? The user
> > that apache is running as must be able read from these directories.
> >
> > - Craig
>
> drwxr-xr-x 49 user1 user1 1536 Feb 18 14:31 user1/
> drwxr-xr-x 18 user1 user1 2560 Feb 14 09:25 public_html/

It's not quite clear what question produced those answers .. is the directory structure /home/user1/public_html/ ?

Also check that 'ls -ld /home/' (with trailing /) itself has 755 perms, since Apache has to descend from / to get there (also see below ..)

Presumably /home/user1/public_html/index.html is world-readable? eg 644

> Possibly not the most secure permissions but I don't remember the
> default (I think it's 644).

No, you need the x bits to descend into directories (755)

> Apache runs as user:group daemon:daemon

Why is that? Default www:www provides a user that no other processes use, but other processes likely run as user daemon .. security issue?

> Trying to su in from root as daemon returns the following:
>
> su - daemon
> This account is currently not available.

Matthew covered that.

> user and group do exist (quadruple verified).

What have you got configured for ? I've noticed that recent Debian Apache2 configs do not default FollowSymLinks here, and where /home is a symlink to /usr/home that may be problematic; eg:

    Options FollowSymLinks
    AllowOverride None
    order allow,deny
    deny from all

cheers, Ian
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
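The permission check suggested in the message above (every directory from / down to the file needs the x bit, and the file itself needs to be readable), as an added example that is not part of the original thread. It assumes the Apache user is neither the owner nor in the group of anything on the path, so only the "other" bits apply; `audit_path` is a hypothetical helper name.

```python
"""Walk a path and report components that a process covered only by the
'other' permission bits could not use. Added example, not from the thread."""
import os
import stat
import sys


def audit_path(target, root="/"):
    """Return [(path, problem), ...] for each component below `root` on the way
    to `target`. Directories need o+x to be descended into; the final
    component also needs o+r to be read or listed."""
    target = os.path.abspath(target)
    root = os.path.abspath(root)
    names = os.path.relpath(target, root).split(os.sep)
    problems = []
    current = root
    for i, name in enumerate(names):
        current = os.path.join(current, name)
        try:
            # stat() follows symlinks, so /home -> /usr/home reports the real directory
            mode = os.stat(current).st_mode
        except OSError as exc:
            problems.append((current, "cannot stat: " + exc.strerror))
            break
        is_last = i == len(names) - 1
        if stat.S_ISDIR(mode) and not mode & stat.S_IXOTH:
            problems.append((current, "directory lacks o+x, cannot descend"))
        elif is_last and not mode & stat.S_IROTH:
            problems.append((current, "lacks o+r, cannot read"))
    return problems


if __name__ == "__main__":
    # Example call: python audit.py /home/user1/public_html/index.html
    path = sys.argv[1] if len(sys.argv) > 1 else "/home/user1/public_html/index.html"
    found = audit_path(path)
    for where, what in found:
        print(where + ": " + what)
    if not found:
        print("every component is usable through the 'other' bits")
```

An empty result with a 403 still being returned points away from filesystem permissions and towards the server configuration, which is where this thread ended up.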
Re: User Directories On FreeBSD 8.0-RELEASE
On 18/02/2010 21:26, Programmer In Training wrote:
> On 02/18/10 14:54, Craig Whipp wrote:
>
>> What are the permissions for your $HOME and $HOME/public_html? The user
>> that apache is running as must be able read from these directories.
>>
>> - Craig
>
> drwxr-xr-x 49 user1 user1 1536 Feb 18 14:31 user1/
> drwxr-xr-x 18 user1 user1 2560 Feb 14 09:25 public_html/
>
> Possibly not the most secure permissions but I don't remember the
> default (I think it's 644).

Nope. For directories it's 755. You need the x permission on a directory to chdir to it.

> Apache runs as user:group daemon:daemon

The default is www:www but I guess you know your own configuration.

> Trying to su in from root as daemon returns the following:
>
> su - daemon
> This account is currently not available.

Yep. That's because it (correctly) doesn't have a usable login shell. Try:

    su -m daemon

> user and group do exist (quadruple verified).

Given that the ~user1/public_html directory has world-read permissions, apache won't have any trouble reading the files. So long as apache doesn't have *write* permission on the directory, everything is pretty much hunky-dory security-wise.

If you're getting 403 permission denied errors trying to access userdirs, then the problem lies within the apache configuration. What you need to do is configure the permissions based on the home directory path returned from getpwent() -- by default under FreeBSD that's /home/user1/ Nevermind that much of the time /home is a symlink to /usr/home -- it's the path returned from the passwd file that apache uses for comparison, long before trying to resolve any symlinks and open anything on the hard-drive. Like this:

    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Order allow,deny
    Allow from all
    Order deny,allow
    Deny from all

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate
Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
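A simplified model of the behaviour described in the message above, as an added example that is not part of the original thread: the request path is built as text from the passwd home directory, and `<Directory>` sections are compared against that text before any symlink is resolved. The section lists are constructed, and the deny-all `<Directory />` entry is an assumption about the main configuration.

```python
"""Simplified model of <Directory> selection for a /~user/ request (Apache 2.2).
Constructed example; the section lists are assumptions, not the poster's files."""
import re


def userdir_path(pw_dir, userdir="public_html"):
    """Relative UserDir: passwd home directory + UserDir, joined as plain text.
    Nothing on disk is consulted, so /home is not rewritten to /usr/home."""
    return pw_dir.rstrip("/") + "/" + userdir


def section_regex(pattern):
    """<Directory> wildcards: '*' and '?' never match '/'. A section covers the
    named directory and everything beneath it."""
    out = []
    for ch in pattern.rstrip("/"):
        out.append("[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(out) + "(/.*)?$")


def depth(pattern):
    """Number of path components in a section's pattern ('/' has none)."""
    return len([part for part in pattern.split("/") if part])


def access_decision(path, sections):
    """sections: (pattern, allow) pairs. Matching sections are merged from the
    shortest path to the longest, so the deepest matching section decides."""
    allowed, decided_by = None, None
    for pattern, allow in sorted(sections, key=lambda s: depth(s[0])):
        if section_regex(pattern).match(path):
            allowed, decided_by = allow, pattern
    return allowed, decided_by


PW_DIR = "/home/user1"        # home field as stored in the passwd file
ROOT_DENY = ("/", False)      # assumed: <Directory /> carrying "Deny from all"
BROKEN = [ROOT_DENY, ("/usr/home/*/public_html", True)]  # written for the symlink target
FIXED = [ROOT_DENY, ("/home/*/public_html", True)]       # written for the passwd path


def check(sections):
    """Return (path, allowed, deciding section) for the sample user."""
    path = userdir_path(PW_DIR)
    allowed, decided_by = access_decision(path, sections)
    return path, allowed, decided_by


if __name__ == "__main__":
    for name, sections in (("broken", BROKEN), ("fixed", FIXED)):
        path, allowed, decided_by = check(sections)
        verdict = "allowed" if allowed else "403, client denied by server configuration"
        print(f"{name}: {path} -> {verdict} (decided by <Directory {decided_by}>)")
```

With the section written for /usr/home, only the root section matches the path Apache built, which is the "client denied by server configuration: /home/user1/public_html" line in the error log quoted in this thread.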
Re: User Directories On FreeBSD 8.0-RELEASE
On Thu, Feb 18, 2010 at 02:09:20PM -0600, Programmer In Training wrote:

> On 02/18/10 13:46, Chuck Swiger wrote:
>
> > Whether the path to user home directories is honored or whether
> > Apache goes somewhere else for HTTP requests for /~user/foo.html
> > depends on what you set UserDir to:
> >
> > http://httpd.apache.org/docs/2.2/mod/mod_userdir.html
> >
> > It's possible that using:
> >
> > UserDir /usr/home/*/public_html
> >
> > will do better, if that is the actual path being used.
>
> That's what I have it set to and it isn't honoring that. That's part of
> what is bothering me (and what I suspect the issue might be).

Hmmm. I haven't followed this thread much, so you may have dealt with this already or specified some need I don't see here.

Is it possible that you do not have the mod_UserDir installed? It won't do any of this without that. You can do: 'httpd -M' to list which modules are loaded. (You may have to put the full path on the httpd command - /usr/local/sbin/httpd might be typical)

Is it possible that permissions somewhere along the path to the users' web site directories are getting in the way? The files need read permission and directories need read and execute permission.

Secondly, Although 'UserDir /usr/home/*/public_html' appears to be listed as one possible syntax in that mod_userdir doc, but I never use it that way. If you want Apache httpd to look in the passwd file, pull out the home directory string and append the value of UserDir on to it to get the path to the start of the web site then I would set UserDir more simply, as follows. I set it to something like:

    UserDir public_html

If you want ~username/public_html to be where that user's web site starts. Of course, the exact path spec depends on how you define the home directory. This assumes that /home/username is what is entered in the /etc/passwd file.

Since the doc says the UserDir /home/*/public_html is an accepted syntax, probably the problem lies in getting the path names correct and getting the file and directory permissions set correctly. The simpler form I use would seem to me to introduce less confusion getting the paths correct. I think those other syntax forms are intended for use when the web sites are set up to start in some directory tree other than the users' own home directories. This might be the case if you create space for a web site, but do not allow logins - so the users do not actually have home directories.

Just some stabs in the dark,

jerry

>
> >> See, now that's helpful. Thank you. No one suggested that. Will add
> >> it and see if that changes anything.
> >
> > I suspect you already have it, according to what you'd shown in the
> > prior mail. Using FollowSymLinks instead might be necessary
> > depending on what you do with UserDir.
>
> I did, but now I have both in the httpd-userdir.conf to no avail, same
> with main conf.
>
> >> I rolled my own because I couldn't even get Apache from ports to
> >> start with the default http.conf file provided.
> >
> > Hmm, unexpected. What did apachectl configtest say?
>
> I don't remember, but I was so frustrated I wasn't really paying that
> much attention (it's been a month since I tried ports Apache).
>
> Alright, here are the errors I'm getting (I set the loglevel to debug
> instead of just warn):
>
> [Thu Feb 18 14:01:01 2010] [notice] Apache/2.2.14 (Unix) configured --
> resuming normal operations
> [Thu Feb 18 14:01:01 2010] [info] Server built: Feb 13 2010 06:46:20
> [Thu Feb 18 14:01:01 2010] [debug] prefork.c(1013): AcceptMutex: flock
> (default: flock) <--- not sure what that is all about
> [Thu Feb 18 14:01:08 2010] [error] [client 127.0.0.1] client denied by
> server configuration: /home/user1/public_html
> [Thu Feb 18 14:01:10 2010] [error] [client 127.0.0.1] client denied by
> server configuration: /home/user1/public_html
>
> UserDir file configuration:
>
> UserDir disabled
> UserDir enabled user1 user2
> ^<--- Those options as per the UserDir section in the manual, just
> added them not two minutes before typing this out
> UserDir public_html
>
> #
> # Control access to UserDir directories. The following is an example
> # for a site where these directories are restricted to read-only.
> #
>
> AllowOverride FileInfo AuthConfig Limit Indexes
> Options MultiViews Indexes FollowSymlinks SymLinksIfOwnerMatch
> IncludesNoExec
>
> Order allow,deny
> Allow from all
>
> Order deny,allow
> Deny from all
>
> This really stinks. Is Apache 1.13 available? I don't remember having
> these problems with it.
> --
> Yours In Christ,
>
> PIT
> Emails are not formal business letters, whatever businesses may want.
Re: User Directories On FreeBSD 8.0-RELEASE
On 02/18/10 14:54, Craig Whipp wrote:

> What are the permissions for your $HOME and $HOME/public_html? The user
> that apache is running as must be able read from these directories.
>
> - Craig

drwxr-xr-x 49 user1 user1 1536 Feb 18 14:31 user1/
drwxr-xr-x 18 user1 user1 2560 Feb 14 09:25 public_html/

Possibly not the most secure permissions but I don't remember the default (I think it's 644).

Apache runs as user:group daemon:daemon

Trying to su in from root as daemon returns the following:

su - daemon
This account is currently not available.

user and group do exist (quadruple verified).

--
Yours In Christ,
PIT
Emails are not formal business letters, whatever businesses may want.
Re: User Directories On FreeBSD 8.0-RELEASE
On 02/18/10 13:46, Chuck Swiger wrote:

> Whether the path to user home directories is honored or whether
> Apache goes somewhere else for HTTP requests for /~user/foo.html
> depends on what you set UserDir to:
>
> http://httpd.apache.org/docs/2.2/mod/mod_userdir.html
>
> It's possible that using:
>
> UserDir /usr/home/*/public_html
>
> will do better, if that is the actual path being used.

That's what I have it set to and it isn't honoring that. That's part of what is bothering me (and what I suspect the issue might be).

>> See, now that's helpful. Thank you. No one suggested that. Will add
>> it and see if that changes anything.
>
> I suspect you already have it, according to what you'd shown in the
> prior mail. Using FollowSymLinks instead might be necessary
> depending on what you do with UserDir.

I did, but now I have both in the httpd-userdir.conf to no avail, same with main conf.

>> I rolled my own because I couldn't even get Apache from ports to
>> start with the default http.conf file provided.
>
> Hmm, unexpected. What did apachectl configtest say?

I don't remember, but I was so frustrated I wasn't really paying that much attention (it's been a month since I tried ports Apache).

Alright, here are the errors I'm getting (I set the loglevel to debug instead of just warn):

[Thu Feb 18 14:01:01 2010] [notice] Apache/2.2.14 (Unix) configured -- resuming normal operations
[Thu Feb 18 14:01:01 2010] [info] Server built: Feb 13 2010 06:46:20
[Thu Feb 18 14:01:01 2010] [debug] prefork.c(1013): AcceptMutex: flock (default: flock) <--- not sure what that is all about
[Thu Feb 18 14:01:08 2010] [error] [client 127.0.0.1] client denied by server configuration: /home/user1/public_html
[Thu Feb 18 14:01:10 2010] [error] [client 127.0.0.1] client denied by server configuration: /home/user1/public_html

UserDir file configuration:

UserDir disabled
UserDir enabled user1 user2
^<--- Those options as per the UserDir section in the manual, just added them not two minutes before typing this out
UserDir public_html

#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
AllowOverride FileInfo AuthConfig Limit Indexes
Options MultiViews Indexes FollowSymlinks SymLinksIfOwnerMatch IncludesNoExec
Order allow,deny
Allow from all
Order deny,allow
Deny from all

This really stinks. Is Apache 1.13 available? I don't remember having these problems with it.

--
Yours In Christ,
PIT
Emails are not formal business letters, whatever businesses may want.
Re: User Directories On FreeBSD 8.0-RELEASE
Hi--

On Feb 18, 2010, at 11:31 AM, Programmer In Training wrote:
> On 02/18/10 13:21, Chuck Swiger wrote:
>
>> Apache is going to look up the home directories specified in
>> /etc/passwd via getpwent() or similar. If allowed, it would chase a
>
> Then it shouldn't even bother with having a setting for specifying the
> path to user directories (or at least that behavior should be documented).

Whether the path to user home directories is honored or whether Apache goes somewhere else for HTTP requests for /~user/foo.html depends on what you set UserDir to:

http://httpd.apache.org/docs/2.2/mod/mod_userdir.html

It's possible that using:

    UserDir /usr/home/*/public_html

will do better, if that is the actual path being used.

>> symlink from /home to under /usr/home, but SymLinksIfOwnerMatch is
>> likely to matter here.
>
> See, now that's helpful. Thank you. No one suggested that. Will add it
> and see if that changes anything.

I suspect you already have it, according to what you'd shown in the prior mail. Using FollowSymLinks instead might be necessary depending on what you do with UserDir.

>> You should be getting more useful information in the Apache error
>> log...perhaps /var/log/httpd-error.log, depending on whether you used
>> the Apache from ports or rolled your own.
>>
>> Regards,
>
> I rolled my own because I couldn't even get Apache from ports to start
> with the default http.conf file provided.

Hmm, unexpected. What did apachectl configtest say?

> I think the log level is set to warn, I'll chase that down, too. More
> useful information is good.
>
> Thank you so much for the help. This has been bothering me for almost
> two weeks now.

You're most welcome...

Regards,
--
-Chuck
Re: User Directories On FreeBSD 8.0-RELEASE
On 02/18/10 13:21, Chuck Swiger wrote:

> Apache is going to look up the home directories specified in
> /etc/passwd via getpwent() or similar. If allowed, it would chase a

Then it shouldn't even bother with having a setting for specifying the path to user directories (or at least that behavior should be documented).

> symlink from /home to under /usr/home, but SymLinksIfOwnerMatch is
> likely to matter here.

See, now that's helpful. Thank you. No one suggested that. Will add it and see if that changes anything.

> You should be getting more useful information in the Apache error
> log...perhaps /var/log/httpd-error.log, depending on whether you used
> the Apache from ports or rolled your own.
>
> Regards,

I rolled my own because I couldn't even get Apache from ports to start with the default http.conf file provided.

I think the log level is set to warn, I'll chase that down, too. More useful information is good.

Thank you so much for the help. This has been bothering me for almost two weeks now.

--
Yours In Christ,
PIT
Emails are not formal business letters, whatever businesses may want.
Re: User Directories On FreeBSD 8.0-RELEASE
Hi--

On Feb 18, 2010, at 11:10 AM, Programmer In Training wrote:
> Am I just having a case of the stupids here? It has been a few years
> since I've managed Apache even for local testing. I've also adjusted the
> permissions for that directory with no change. Also, the log files show
> Apache going to /home/*/public_html instead of /usr/home/*/public_html,
> basically ignoring the settings I gave it.

Apache is going to look up the home directories specified in /etc/passwd via getpwent() or similar. If allowed, it would chase a symlink from /home to under /usr/home, but SymLinksIfOwnerMatch is likely to matter here.

You should be getting more useful information in the Apache error log...perhaps /var/log/httpd-error.log, depending on whether you used the Apache from ports or rolled your own.

Regards,
--
-Chuck
User Directories On FreeBSD 8.0-RELEASE
I am using the non-ports version of Apache. I downloaded 2.2.14 from http://httpd.apache.org/download.cgi#apache22 just a little while ago. I compiled, installed, got it running with minimal fuss. The issue is with my user directories (e.g. $HOME/public_html ).

I uncommented the line to include the userdir conf file in the main configuration and started apache. I get the "It Works" from 127.0.0.1 (this is purely for local testing). When I go to 127.0.0.1/~username/ I get 403 Forbidden. I've adjusted some of the settings in the userdir conf (instead of it pointing to /home/*/public_html as is the default I switched it to /usr/home/*/public_html) and I still get the same message. I returned the userdir.conf file to its default settings (except for the path to user dirs) with no luck.

Included below is the default setup that was installed with Apache (I enabled the settings to install the local manual and that pulls up just fine, nothing in it points to a solution to this issue) for the userdir conf file.

    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Order allow,deny
    Allow from all
    Order deny,allow
    Deny from all

Am I just having a case of the stupids here? It has been a few years since I've managed Apache even for local testing. I've also adjusted the permissions for that directory with no change. Also, the log files show Apache going to /home/*/public_html instead of /usr/home/*/public_html, basically ignoring the settings I gave it.

I've posted to the Apache mailing list with absolutely no help (and the claim that I changed the location of $HOME).

--
Yours In Christ,
PIT
Emails are not formal business letters, whatever businesses may want.