On 12/27/2016 11:48 AM, Leonard den Ottolander wrote:
> Hello Robert,
>
> On Tue, 2016-12-27 at 10:25 -0500, Robert Moskowitz wrote:
>> I can display the /home/rgm/public_html/index.html file that only has
>> "Hello World' in it (to prevent anyone from walking my file tree from
>> the root).
> To prevent people walking a directory structure you better disable
> Options Indexes.

If I tell someone about ~rgm/mydir (really no such dir), then I want them to find ~rgm/mydir/subdir, but not know about ~rgm/otherdir. My understanding (most likely flawed) is that Indexes are needed to see the list of files in mydir, and to be able to walk down to subdir. By having a ~rgm/index.html file, they can't query what other files are directly in the public_html directory.

>> But when I try to display the files in a subdir with ipaddr/~rgm/mydir
>>
>> I get
>>
>> You don't have permission to access /~rgm/mydir/ on this server.
> The fact that you see the index page makes me assume SELinux is not the
> problem. If you do have it enabled you might want to check out the
> sebooleans that affect apache.
>
> $ getsebool -a | grep http
>
> httpd_enable_homedirs is one of those.

I ran

    setsebool -P httpd_enable_homedirs on
    restorecon -Rv /home

And I see:

    httpd_enable_homedirs --> on

> Remember that file access is based on file permissions in combination
> with file ownership. This means that if apache is neither owner nor
> group owner of a file world must have read access for apache to access
> such files. A 711 permission on a directory is then insufficient. It
> allows apache to cd to, but not read the directory.

the owner is rgm:rgm, but the permissions is 755, not 711.

So still scratching my head here..

On 12/27/2016 06:43 PM, Robert Moskowitz wrote:
>
> the owner is rgm:rgm, but the permissions is 755, not 711.
>
> So still scratching my head here..

is the error message you mention displayed in the browser? Have you looked into the logging produced by the web server itself?

John

On 12/27/2016 02:19 PM, John Fawcett wrote:
> On 12/27/2016 06:43 PM, Robert Moskowitz wrote:
>> the owner is rgm:rgm, but the permissions is 755, not 711.
>>
>> So still scratching my head here..
> is the error message you mention displayed in the browser? Have you
> looked into the logging produced by the web server itself?

That was what the browser showed. The error_log is:

    [Tue Dec 27 12:42:57.513529 2016] [authz_core:error] [pid 2060] [client 192.168.160.12:41588] AH01630: client denied by server configuration: /home/rgm/public_html/mydir/

Hello Robert,

On Tue, 2016-12-27 at 12:43 -0500, Robert Moskowitz wrote:
> My understanding (most likely flawed) is that Indexes are needed to see
> the list of files in mydir,

Correct.

> and to be able to walk down to subdir.

Incorrect. The index is a convenience. Without it directories with the right permissions are still accessible with a direct url. So there's not much point enabling indexes when you use an index file to avoid the index showing up...

> restorecon -Rv /home

The man page for restorecon explicitly states it does not follow symlinks, and it might not cross file system boundaries either, so make sure they are not causing your issue.

> the owner is rgm:rgm, but the permissions is 755, not 711.

You have to make sure apache can access the whole path, meaning you need at least o+x on all directories in the path. This is quite likely *not* the case for /home/rgm.

Regards,
Leonard.

--
mount -t life -o ro /dev/dna /genetic/research

On 12/27/2016 02:58 PM, Leonard den Ottolander wrote:
> Hello Robert,
>
> On Tue, 2016-12-27 at 12:43 -0500, Robert Moskowitz wrote:
>> My understanding (most likely flawed) is that Indexes are needed to see
>> the list of files in mydir,
> Correct.
>
>> and to be able to walk down to subdir.
> Incorrect. The index is a convenience. Without it directories with the
> right permissions are still accessible with a direct url. So there's not
> much point enabling indexes when you use an index file to avoid the
> index showing up...
>
>> restorecon -Rv /home
> The man page for restorecon explicitly states it does not follow
> symlinks, and it might not cross file system boundaries either, so make
> sure they are not causing your issue.

No symlinks.

>> the owner is rgm:rgm, but the permissions is 755, not 711.
> You have to make sure apache can access the whole path, meaning you need
> at least o+x on all directories in the path. This is quite likely *not*
> the case for /home/rgm.

So I deleted the whole public_html directory. Re moved the files over. I went back to the default user_dir setup of:

    <Directory "/home/*/public_html">
        AllowOverride FileInfo AuthConfig Limit Indexes
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
        Require method GET POST OPTIONS
    </Directory>

Restarted httpd and tried again. I get my ~/public_html/index.html to display, cannot get a directory list to display. I can display a file. If I list a specific jpg in one of the directories it comes up ok, but I am not getting the listing option.

access_log:

    192.168.160.12 - - [27/Dec/2016:16:53:00 -0500] "GET /~rgm/cubieboard/cubietower-2.JPG HTTP/1.1" 200 1450256 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"
    192.168.160.12 - - [27/Dec/2016:16:53:08 -0500] "GET /~rgm/cubieboard/ HTTP/1.1" 403 218 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"

error_log:

    [Tue Dec 27 16:53:08.858042 2016] [negotiation:error] [pid 1965] (13)Permission denied: [client 192.168.160.12:55644] AH00686: cannot read directory for multi: /home/rgm/public_html/cubieboard/

So I have the permissions right to retrieve files. Something is wrong for displaying the directory list. :(
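
Added example, not part of the thread and not any poster's code: a shell check of the two mode-bit conditions Leonard describes, o+x on every directory leading to the target and o+r plus o+x on the directory to be listed. The function names, the output labels and the temp-dir tree with its modes are constructed for illustration; it assumes GNU stat and that httpd is neither owner nor group owner, and it does not look at ACLs or SELinux.

```shell
# Added example (not from the thread): mode-bit check for a UserDir path.
# Assumes GNU stat and that only the "other" bits apply to httpd.

# Print the "other" permission digit (last octal digit) of a path.
other_digit() {
    mode=$(stat -c '%a' "$1") || return 2
    printf '%s\n' "${mode#"${mode%?}"}"
}

# check_web_path START TARGET: walk from START down to TARGET.
# Directories above TARGET need o+x; TARGET needs o+r and o+x to be listed.
# Prints the first failing directory (return 1) or "OK" (return 0).
check_web_path() {
    start=${1%/} target=${2%/}
    case $target in
        "$start"|"$start"/*) ;;
        *) echo "ERROR $2 is not under $1"; return 2 ;;
    esac
    cur=$start rest=${target#"$start"}
    while :; do
        d=$(other_digit "${cur:-/}") || return 2
        if [ "$cur" = "$target" ]; then
            case $d in
                5|7) echo "OK"; return 0 ;;
                *)   echo "NO_LIST ${cur:-/} (needs o+rx)"; return 1 ;;
            esac
        fi
        case $d in
            1|3|5|7) ;;
            *) echo "NO_TRAVERSE ${cur:-/} (needs o+x)"; return 1 ;;
        esac
        rest=${rest#/}                 # drop the leading slash
        cur=$cur/${rest%%/*}           # descend one component
        rest=${rest#"${rest%%/*}"}     # and remove it from the remainder
    done
}

# Constructed tree (hypothetical modes) under a temp dir, three cases.
demo() {
    t=$(mktemp -d) && mkdir -p "$t/home/rgm/public_html/mydir" || return 2
    chmod 755 "$t" "$t/home" "$t/home/rgm/public_html"
    chmod 700 "$t/home/rgm"; chmod 711 "$t/home/rgm/public_html/mydir"
    check_web_path "$t" "$t/home/rgm/public_html/mydir" || true  # home blocks traversal
    chmod 711 "$t/home/rgm"
    check_web_path "$t" "$t/home/rgm/public_html/mydir" || true  # mydir not listable
    chmod 755 "$t/home/rgm/public_html/mydir"
    check_web_path "$t" "$t/home/rgm/public_html/mydir"          # all bits present
    rm -rf "$t"
}
demo
```

On a real host the call would be check_web_path / /home/rgm/public_html/mydir; a clean result only rules out the mode bits, not the httpd configuration or SELinux context.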