I had rails 0.7 running fine with Apache under OS X. I downloaded and installed 0.8; everything else remains the same, however now I keep getting a 403 Forbidden error when I try to access http://scuttlebug/

I edited the /private/etc/httpd/users/helmutburri.conf

    <VirtualHost *:80>
        ServerName scuttlebug
        DocumentRoot /Users/helmutburri/Developer/serverside/scuttlebug/scuttlebug/public/
        ErrorLog /Users/helmutburri/Developer/serverside/scuttlebug/scuttlebug/log/apache.log
        <Directory /Users/helmutburri/Developer/serverside/scuttlebug/scuttlebug/public/>
            Options ExecCGI FollowSymLinks
            AllowOverride all
            Allow from all
            Order allow,deny
        </Directory>
    </VirtualHost>

and my /etc/hosts looks this way

    ##
    # Host Database
    #
    # localhost is used to configure the loopback interface
    # when the system is booting. Do not change this entry.
    ##
    127.0.0.1 localhost
    255.255.255.255 broadcasthost
    ::1 localhost
    127.0.0.1 scuttlebug

Then restarted Apache only to get the 403.

Now my firewall was set to allow access to port 80, and even if I turned the firewall off it had no effect.

All the folders have the correct permissions as it came from untarring rails 0.8:

    drwxr-xr-x  15 helmutburri helmutburri  510 26 Oct 12:07 .
    drwxr-xr-x   8 helmutburri helmutburri  272 26 Oct 12:07 ..
    -rw-r--r--   1 helmutburri helmutburri 6148 26 Oct 12:07 .DS_Store
    -rw-r--r--   1 helmutburri helmutburri 4591 25 Oct 12:15 README
    -rwxr-xr-x   1 helmutburri helmutburri 4129 25 Oct 12:15 Rakefile
    drwxr-xr-x   6 helmutburri helmutburri  204 25 Oct 12:15 app
    drwxr-xr-x   4 helmutburri helmutburri  136 25 Oct 12:15 config
    drwxr-xr-x   2 helmutburri helmutburri   68 25 Oct 12:15 db
    drwxr-xr-x   3 helmutburri helmutburri  102 25 Oct 12:15 doc
    drwxr-xr-x   2 helmutburri helmutburri   68 25 Oct 12:15 lib
    drwxrwxrwx   4 helmutburri helmutburri  136 25 Oct 12:15 log
    drwxr-xr-x  14 helmutburri helmutburri  476 25 Oct 12:15 public
    drwxr-xr-x   5 helmutburri helmutburri  170 25 Oct 12:15 script
    drwxr-xr-x   6 helmutburri helmutburri  204 25 Oct 12:15 test
    drwxr-xr-x   6 helmutburri helmutburri  204 25 Oct 12:15 vendor

Any suggestions as to where I should look next? As to why this has happened?

Kurt
David Heinemeier Hansson
2004-Oct-26 12:30 UTC
Re: rails 0.8 + apache + 403 Forbidden Message
> I downloaded installed .0.8 everything else remains the same however
> now I keep getting 403 Forbidden error.

Could it be that the dispatchers aren't 755? And now that you've installed a new version they're owned by you and Apache can't run them.

--
David Heinemeier Hansson,
http://www.basecamphq.com/ -- Web-based Project Management
http://www.rubyonrails.org/ -- Web-application framework for Ruby
http://macromates.com/ -- TextMate: Code and markup editor (OS X)
http://www.loudthinking.com/ -- Broadcasting Brain
Dumb question - what are the dispatchers?

I had a look at the log files and found this:

    [Tue Oct 26 12:10:52 2004] [error] [client 127.0.0.1] (13)Permission denied: access to / failed because search permissions are missing on a component of the path

I chmod -R 755 the path:

    /Users/helmutburri/Developer/serverside/scuttlebug/scuttlebug

and restarted Apache but to no effect.
On Tue, 2004-10-26 at 23:17 +1000, helmutburri wrote:
> dumb question - what are the dispatchers?
>
> i had a look at the log files and found this:
>
> [Tue Oct 26 12:10:52 2004] [error] [client 127.0.0.1] (13)Permission
> denied: access to / failed because search permissions are missing on a
> component of the path
>
> I chmod -R 755 the path:
>
> /Users/helmutburri/Developer/serverside/scuttlebug/scuttlebug
>
> and restarted apache but to no effect

Make sure +x is available to the web server user from the root up to the final directory with dispatch in it.

--
Steven Critchfield <critch-wQLwMjUOumVBDgjK7y7TUQ@public.gmane.org>
David Heinemeier Hansson
2004-Oct-26 14:18 UTC
Re: rails 0.8 + apache + 403 Forbidden Message
> dumb question - what are the dispatchers?

public/dispatcher.*

You might want to compare the .htaccess from 0.7 to 0.8 too and see if anything you had in there is now missing.

--
David Heinemeier Hansson,
http://www.basecamphq.com/ -- Web-based Project Management
http://www.rubyonrails.org/ -- Web-application framework for Ruby
http://macromates.com/ -- TextMate: Code and markup editor (OS X)
http://www.loudthinking.com/ -- Broadcasting Brain
This did it:

    chmod -R +x /Users

because my site sits in my users folder.

Question: does this not expose me by having a whole path from root to deep inside my users folder executable, by the world?

Kurt
On Wed, 2004-10-27 at 09:44 +1000, helmutburri wrote:
> This did it:
>
> chmod -R +x /Users
>
> because my site sits in my users folder.
>
> Question does this not expose me by having a whole path from root to
> deep inside my users folder executable, by the world?

+x on directories is the search permission. Yes, it means that anyone else on your system might be able to read the directories. I'm sure there are plenty of reference docs that could tell you other options to secure your system without having the problem of not being able to run your app.

--
Steven Critchfield <critch-wQLwMjUOumVBDgjK7y7TUQ@public.gmane.org>
You certainly don't want that ... as you say, that exposes (or at least allows execution) to the world ... :(

I am running rails 0.8 / Apache / PGSQL on my PG4 and have no such error ...

The problem of doing "chmod -R +x /Users" is that all your files and directories are now executable and you can't roll back easily ... But let's focus on the Rails problem ... How does your "public" directory look in your rails application?

Cheers

/B

--
Bruno Mattarollo <bmatt-ee4meeAH724@public.gmane.org>
Currently in: Sydney, Australia
[ http://pokies.typepad.com/virtual_possum/ ]
OK - removed old rails 0.8 and repaired permissions to default:

I ran repair permissions and reset my users permissions back to the default values. Here is what I have now:

    /Users == drwxrwxr-t 5 root admin 170 25 Oct 16:32 Users
    /Users/helmutburri == drwxr-xr-x 22 helmutbu helmutbu 748 26 Oct 22:18 helmutburri
    /Users/helmutburri/ =
    drwx------   5 helmutbu helmutbu  170 26 Oct 15:51 Desktop
    drwx------   6 helmutbu helmutbu  204 25 Oct 16:32 Developer
    drwx------  18 helmutbu helmutbu  612 27 Oct 10:33 Documents
    drwx------  31 helmutbu helmutbu 1054 26 Oct 22:14 Library
    drwx------   3 helmutbu helmutbu  102 26 Oct 22:18 Movies
    drwx------   3 helmutbu helmutbu  102 17 Sep 19:56 Music
    drwx------   3 helmutbu helmutbu  102 26 Oct 22:18 Pictures

This seems to be the default permission - can anyone confirm this for me?

I then removed my old rails 0.8 install that I had.

Then I "tar -pxzvf rails-0.8.0.tgz" and "mv rails scuttlebug"

At this location:

    /Users/helmutburri/Developer/serverside/scuttlebug/scuttlebug

Now my rails 0.8 is plain and unchanged at all from the rails-0.8.0.tgz using the tar -pxzvf rails-0.8.0.tgz. I have not added or removed anything to it.

This is the output from ls -al of my rails public:

    Helmut-Kurt-Burris-Computer:~/Developer/serverside/scuttlebug/scuttlebug/public helmutburri$ ls -al
    total 64
    drwxr-xr-x  14 helmutbu helmutbu  476 25 Oct 12:15 .
    drwxr-xr-x  14 helmutbu helmutbu  476 25 Oct 12:15 ..
    -rwxr-xr-x   1 helmutbu helmutbu 1831 25 Oct 12:15 .htaccess
    -rw-r--r--   1 helmutbu helmutbu  129 25 Oct 12:15 404.html
    -rw-r--r--   1 helmutbu helmutbu  212 25 Oct 12:15 500.html
    drwxr-xr-x   3 helmutbu helmutbu  102 25 Oct 12:15 _doc
    -rwxr-xr-x   1 helmutbu helmutbu  435 25 Oct 12:15 dispatch.cgi
    -rwxr-xr-x   1 helmutbu helmutbu  253 25 Oct 12:15 dispatch.fcgi
    -rwxr-xr-x   1 helmutbu helmutbu  435 25 Oct 12:15 dispatch.rb
    -rw-r--r--   1 helmutbu helmutbu 1477 25 Oct 12:15 dispatch.servlet
    drwxr-xr-x   2 helmutbu helmutbu   68 25 Oct 12:15 images
    -rw-r--r--   1 helmutbu helmutbu   85 25 Oct 12:15 index.html
    drwxr-xr-x   2 helmutbu helmutbu   68 25 Oct 12:15 javascripts
    drwxr-xr-x   2 helmutbu helmutbu   68 25 Oct 12:15 stylesheets
    Helmut-Kurt-Burris-Computer:~/Developer/serverside/scuttlebug/scuttlebug/public helmutburri$

I restarted Apache and now I am back to 403 Forbidden.

Now how do we get this to work other than compromising the security of my machine?

Kurt
Hello again,

On 27/10/2004, at 10:59 AM, helmutburri wrote:
> /Users == drwxrwxr-t 5 root admin 170 25 Oct 16:32 Users
> /Users/helmutburri == drwxr-xr-x 22 helmutbu helmutbu 748 26 Oct
> 22:18 helmutburri
> /Users/helmutburri/ =>
> drwx------ 5 helmutbu helmutbu 170 26 Oct 15:51 Desktop
> drwx------ 6 helmutbu helmutbu 204 25 Oct 16:32 Developer
> drwx------ 18 helmutbu helmutbu 612 27 Oct 10:33 Documents
> drwx------ 31 helmutbu helmutbu 1054 26 Oct 22:14 Library
> drwx------ 3 helmutbu helmutbu 102 26 Oct 22:18 Movies
> drwx------ 3 helmutbu helmutbu 102 17 Sep 19:56 Music
> drwx------ 3 helmutbu helmutbu 102 26 Oct 22:18 Pictures
>
> This seams to be the default permission - Can any one confirm this for
> me?

Looks very similar to my permissions. I also have the "~/Sites/" directory in my home, from which I serve my public_html content, which has permissions 755.

> At this location:
>
> /Users/helmutburri/Developer/serverside/scuttlebug/scuttlebug

I think that the problem is that "~/Developer/" having restricted permissions is blocking Apache from reading your directory. In my case, I did test:

    $ cd
    $ chmod 700 Sites

Tried to access and got 403

then

    $ chmod 755 Sites

and I can see my Rails (which is at ~/Sites/myrailapp/ )

Hope this helps,

/B

--
Bruno Mattarollo <bmatt-ee4meeAH724@public.gmane.org>
Currently in: Sydney, Australia
[ http://pokies.typepad.com/virtual_possum/ ]
Hi - again

OK - I chmod 755 only the specific folders in the path for my rail app. And since ~/Sites comes with 755 out of the box on OS X - I will assume that this is safe or deemed to be tolerable.

It is now working.

Thanks

Kurt
One tip, most unixes should allow you to 'chmod -R a+X {basedir}' (note the _capital_ 'X'). This would set the execute bit on directories only, and prevent any scripts from becoming world-executable.

My other tip to you would be to simply move your website document roots out of the user path and into a special directory of their own. That way you can set them to allow world access without allowing it into the home directories of the users.

--
Regards,
John Wilger

-----------
Alice came to a fork in the road. "Which road do I take?" she asked.
"Where do you want to go?" responded the Cheshire cat.
"I don't know," Alice answered.
"Then," said the cat, "it doesn't matter."
- Lewis Carroll, Alice in Wonderland
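
Added example, not part of any post in this thread: a shell check that walks from the DocumentRoot up to / and names each directory lacking the search bit for "other" (the "component of the path" in the Apache error), then applies the capital-X chmod to a constructed tree. The function names and the temporary tree are assumptions made for the illustration, as is the premise that the web server user is neither owner nor group member of these directories.

```shell
#!/bin/sh
# Added example. Assumes the web server user is neither the owner nor in the
# group of these directories, so the "other" permission bits decide access.

mode_of() { ls -ld "$1" | cut -c1-10; }      # e.g. drwx------

# Print, root first, each directory on the way to $1 that "other" cannot
# search: the "component of the path" from the Apache error log.
blocked_components() {
    dir=$1; out=
    while :; do
        mode=$(mode_of "$dir")
        case $mode in
            d????????[xt]) ;;                # other has search permission
            d*) out="$mode $dir
$out" ;;
        esac
        case $dir in /|.) break ;; esac      # reached the top
        dir=$(dirname "$dir")
    done
    printf '%s' "$out"
}

# Constructed tree shaped like the thread's layout (not the poster's files).
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/Developer/scuttlebug/public"
    printf '#!/bin/sh\n' > "$t/Developer/scuttlebug/public/dispatch.cgi"
    printf 'private\n'   > "$t/Developer/notes.txt"
    chmod -R 755 "$t"
    chmod 600 "$t/Developer/notes.txt"
    chmod 700 "$t/Developer"                 # drwx------ as in the listing
    echo "$t"
}

demo=$(make_demo_tree)
docroot=$demo/Developer/scuttlebug/public
echo "blocked before:"; blocked_components "$docroot"

# Capital X: adds x to directories, and to files that already have an x bit.
chmod -R a+X "$demo/Developer"
echo "blocked after:";  blocked_components "$docroot"
echo "notes.txt is still $(mode_of "$demo/Developer/notes.txt")"
rm -rf "$demo"
```

After the chmod, Developer is drwx--x--x: other users can pass through it to a known path but cannot list its contents, and notes.txt keeps mode 600.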