CentOS - Dec 2016 - Help with httpd userdir recovery

On 12/27/2016 07:06 PM, John Fawcett wrote:
> On 12/28/2016 12:34 AM, Robert Moskowitz wrote:
>>
>> On 12/27/2016 05:44 PM, John Fawcett wrote:
>>> That error should be caused by having MultiViews options but
incorrect
>>> permissions (711 instead of 755) on the directory.
>> I just did chmod -R 755 /home/rgm/public_html and no change in
behavior.
>>
>> Even tried chmod -R 755 /home/rgm
> Are you actually using MultiViews? If you don't need that option, maybe
> the easiest thing is to take it out and see if the error message changes.
I am using the default conf file for userdir.

/etc/httpd/conf.d/userdir.conf

So I deleted Multiviews and now the error is:

[Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138] 
(13)Permission denied: [client 192.168.160.12:55762] AH01275: Can't open 
directory for index: /home/rgm/public_html/family/

On 12/28/2016 01:12 AM, Robert Moskowitz wrote:
>
>
> On 12/27/2016 07:06 PM, John Fawcett wrote:
>> On 12/28/2016 12:34 AM, Robert Moskowitz wrote:
>>>
>>> On 12/27/2016 05:44 PM, John Fawcett wrote:
>>>> That error should be caused by having MultiViews options but
incorrect
>>>> permissions (711 instead of 755) on the directory.
>>> I just did chmod -R 755 /home/rgm/public_html and no change in
>>> behavior.
>>>
>>> Even tried chmod -R 755 /home/rgm
>> Are you actually using MultiViews? If you don't need that option,
maybe
>> the easiest thing is to take it out and see if the error message
>> changes.
>
> I am using the default conf file for userdir.
>
> /etc/httpd/conf.d/userdir.conf
>
> So I deleted Multiviews and now the error is:
>
> [Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138]
> (13)Permission denied: [client 192.168.160.12:55762] AH01275: Can't
> open directory for index: /home/rgm/public_html/family/
>
>
> ____
I know this is not going to help, but that error means that apache does
not have access to read the directory /home/rgm/public_html/family/.
That doesn't really fit with the rest of the evidence, that you have
chmod 755 everything from /home/rgm/public_html downwards and that
apache can read specific files from /home/rgm/public_html.
John

On 12/28/2016 01:43 AM, John Fawcett wrote:
> On 12/28/2016 01:12 AM, Robert Moskowitz wrote:
>>
>> On 12/27/2016 07:06 PM, John Fawcett wrote:
>>> On 12/28/2016 12:34 AM, Robert Moskowitz wrote:
>>>> On 12/27/2016 05:44 PM, John Fawcett wrote:
>>>>> That error should be caused by having MultiViews options
but incorrect
>>>>> permissions (711 instead of 755) on the directory.
>>>> I just did chmod -R 755 /home/rgm/public_html and no change in
>>>> behavior.
>>>>
>>>> Even tried chmod -R 755 /home/rgm
>>> Are you actually using MultiViews? If you don't need that
option, maybe
>>> the easiest thing is to take it out and see if the error message
>>> changes.
>> I am using the default conf file for userdir.
>>
>> /etc/httpd/conf.d/userdir.conf
>>
>> So I deleted Multiviews and now the error is:
>>
>> [Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138]
>> (13)Permission denied: [client 192.168.160.12:55762] AH01275: Can't
>> open directory for index: /home/rgm/public_html/family/
>>
>>
>> ____
> I know this is not going to help, but that error means that apache does
> not have access to read the directory /home/rgm/public_html/family/.
> That doesn't really fit with the rest of the evidence, that you have
> chmod 755 everything from /home/rgm/public_html downwards and that
> apache can read specific files from /home/rgm/public_html.
> John
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
Here is a small test program that you can use to check the permissions.

You can compile it with:

cc -o test test.c

then run it with:

./test apache /home/rgm/public_html/family/

where apache is the name of the user that your web server runs under
(check it with ps -ef | grep http). You should run it as root (or from
sudo).

John

------test.c-------

#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
#include <dirent.h>

int
main(int argc, char *argv[])
{
    struct passwd pwd;
    struct passwd *result;
    char *buf;
    size_t bufsize;
    int s;

   if (argc != 3) {
        fprintf(stderr, "Usage: %s username directory\n", argv[0]);
        exit(EXIT_FAILURE);
    }

   bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
    if (bufsize == -1)          /* Value was indeterminate */
        bufsize = 16384;        /* Should be more than enough */

   buf = malloc(bufsize);
    if (buf == NULL) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }

   s = getpwnam_r(argv[1], &pwd, buf, bufsize, &result);
    if (result == NULL) {
        if (s == 0)
            printf("Not found\n");
        else {
            errno = s;
            perror("getpwnam_r");
        }
        exit(EXIT_FAILURE);
    }

    printf("Name: %s; UID: %ld GID: %ld\n", pwd.pw_gecos, (long)
pwd.pw_uid, (long) pwd.pw_gid);

    /* process is running as root, drop privileges */

    if (getuid() == 0) {
        if (setgid(pwd.pw_gid) != 0) {
            perror("setgid: Unable to drop group privileges");
            exit(EXIT_FAILURE);
        }
        if (setuid(pwd.pw_uid) != 0) {
            perror("setuid: Unable to drop user privileges");
            exit(EXIT_FAILURE);
        }
        printf("dropped privileges\n");
    } else {
        errno = ENOTSUP;
        perror("process is not running as root cannot change user\n");
        exit(EXIT_FAILURE);
    }

    /* check privileges really dropped */

    if (setuid(0) != -1) {
        errno = ENOTSUP;
        perror("ERROR: Managed to regain root privileges");
        exit(EXIT_FAILURE);
    }

    /* open directory */

    DIR * d;
    d = opendir(argv[2]);
    printf("Attempting to open directory %s\n",argv[2]);
    if (d == NULL) {
        perror("Error opening directory");
        exit(EXIT_FAILURE);
    } else {
        printf("Success opening directory %s\n",argv[2]);
    }
    exit(EXIT_SUCCESS);
}

On 12/27/2016 07:43 PM, John Fawcett wrote:
> On 12/28/2016 01:12 AM, Robert Moskowitz wrote:
>>
>> On 12/27/2016 07:06 PM, John Fawcett wrote:
>>> On 12/28/2016 12:34 AM, Robert Moskowitz wrote:
>>>> On 12/27/2016 05:44 PM, John Fawcett wrote:
>>>>> That error should be caused by having MultiViews options
but incorrect
>>>>> permissions (711 instead of 755) on the directory.
>>>> I just did chmod -R 755 /home/rgm/public_html and no change in
>>>> behavior.
>>>>
>>>> Even tried chmod -R 755 /home/rgm
>>> Are you actually using MultiViews? If you don't need that
option, maybe
>>> the easiest thing is to take it out and see if the error message
>>> changes.
>> I am using the default conf file for userdir.
>>
>> /etc/httpd/conf.d/userdir.conf
>>
>> So I deleted Multiviews and now the error is:
>>
>> [Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138]
>> (13)Permission denied: [client 192.168.160.12:55762] AH01275: Can't
>> open directory for index: /home/rgm/public_html/family/
>>
>>
>> ____
> I know this is not going to help, but that error means that apache does
> not have access to read the directory /home/rgm/public_html/family/.
> That doesn't really fit with the rest of the evidence, that you have
> chmod 755 everything from /home/rgm/public_html downwards and that
> apache can read specific files from /home/rgm/public_html.
Which is why I wonder if there is some different config for the C7.3 
version of apache.

Or something with the C7-arm build...

Robert,
On Wed, 2016-12-28 at 01:43 +0100, John Fawcett wrote:
> On 12/28/2016 01:12 AM, Robert Moskowitz wrote:
> > 
> > 
> > On 12/27/2016 07:06 PM, John Fawcett wrote:
> > > On 12/28/2016 12:34 AM, Robert Moskowitz wrote:
> > > > 
> > > > On 12/27/2016 05:44 PM, John Fawcett wrote:
> > > > > That error should be caused by having MultiViews
options but
> > > > > incorrect
> > > > > permissions (711 instead of 755) on the directory.
> > > > 
> > > > I just did chmod -R 755 /home/rgm/public_html and no change
in
> > > > behavior.
> > > > 
> > > > Even tried chmod -R 755 /home/rgm
> > > 
> > > Are you actually using MultiViews? If you don't need that
option,
> > > maybe
> > > the easiest thing is to take it out and see if the error message
> > > changes.
> > 
> > I am using the default conf file for userdir.
> > 
> > /etc/httpd/conf.d/userdir.conf
> > 
> > So I deleted Multiviews and now the error is:
> > 
> > [Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138]
> > (13)Permission denied: [client 192.168.160.12:55762] AH01275:
Can't
> > open directory for index: /home/rgm/public_html/family/
> > 
> > 
> > ____
> 
> I know this is not going to help, but that error means that apache
> does
> not have access to read the directory /home/rgm/public_html/family/.
> That doesn't really fit with the rest of the evidence, that you have
> chmod 755 everything from /home/rgm/public_html downwards and that
> apache can read specific files from /home/rgm/public_html.
> John
but is apache allowed access to /home/rgm ?
Try su - apache -s /bin/bash to run a shell as apache and see how far
you get starting from cd /home and if that works cd /home/rgm and so
on... That will check normal user permissions, but not selinux
/Louis