FC3 issue with apache 2

Alexander Dalloz ad+lists at uni-x.org
Tue Nov 23 18:51:35 UTC 2004


On Tue, 23.11.2004 at 16:06, Neil Marjoram wrote:

Please don't top-post. Replying to your mail now makes it necessary for me
to re-sort the mail so that your initial question and the rest become
understandable.

> >> I installed FC3 and I wanted to move my apache2 documentroot from its
> >> default /var/www/html to another volume located at /space/vhosts.
> >> When I do this apache2 complains:
> >>
> >> Syntax error on line 265 of /etc/httpd/conf/httpd.conf:
> >> DocumentRoot must be a directory
> >>

> > The directory and all files in it must be writable by apache and (if I
> > remember correctly) must be owned by the user running httpd.
> > See if changing this will allow httpd to run.
> >

> I am sorry I picked up on this late, but I have the same trouble. Did
> this fix the problem?

The above problem and error message are not caused by wrong filesystem
permissions but by SELinux. Please see the beta doc

http://fedora.redhat.com/docs/selinux-apache-fc3/

> I have a small issue with the fix (if it did). Apache runs as user
> apache, so naturally I set all my file ownership to my webdev user who
> has write access, and group to apache who only has read access (except
> directories of course, where apache has execute), with no permissions for
> other. This means if Apache is compromised it can't write into the
> directory or overwrite a file with something very probably unwanted.
> If the apache user needs write access this security model would be
> rather useless!! Any comments anyone?

Right, I share your opinion. Give a service just those permissions it
needs. Apache (the user/group it runs as, on Fedora apache:apache)
does not need write permission to ordinary files. It is only needed
if you run dynamic content where Apache itself creates content. James
McKenzie's answer was incorrect and even dangerous if followed. Simply
take the default DocumentRoot and all directories above it:

$ ls -ld /var /var/www /var/www/html
drwxr-xr-x  21 root root 4096 11. Sep 21:18 /var
drwxr-xr-x   9 root root 4096 25. Okt 21:23 /var/www
drwxr-xr-x  23 root root 4096  2. Nov 00:22 /var/www/html

Obviously the default setup works. Do you see any write permissions for
apache:apache? No, because they are not needed. Apache only has to be able
to see the files it shall process.

> Neil.

Btw. I thought it was already clear from the thread that the whole
trouble was caused by moving the DocumentRoot to a custom location and
not paying attention to, or at least not customizing, the SELinux setup.
SELinux forces you to take care of other permissions than the usual
filesystem permissions when handling protected daemons like httpd.

Alexander


-- 
Alexander Dalloz | Enger, Germany | new address - new key: 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora GNU/Linux Core 2 (Tettnang) on Athlon kernel 2.6.9-1.6_FC2smp 
Serendipity 19:48:45 up 3 days, 14:36, load average: 0.19, 0.15, 0.19 
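The two halves of the fix discussed in this thread, as an added example that is not part of the original mails: the least-privilege filesystem layout Neil describes (content owner has write access, the apache group may only read and traverse, other gets nothing) and the SELinux label httpd needs on a DocumentRoot moved to a custom location. The path /space/vhosts, the owner name webdev and the group apache are taken from the thread; the function names are illustrative. The semanage rule makes the label survive a relabel and is the modern way; it was not available on FC3, where a one-off chcon was the tool, so the script falls back to chcon. The chown and SELinux steps are skipped when the script is not run as root or no SELinux tooling is present, so the permission logic itself can be exercised on any Linux box.

```shell
#!/bin/sh
# Added example, not from the original thread. Lays out a custom httpd
# DocumentRoot (e.g. /space/vhosts) so that the apache user can read
# but never write, and labels it for SELinux where the tools exist.
set -u

# Assumed defaults, taken from the thread: editor = webdev, daemon group = apache.
DEFAULT_OWNER=webdev
DEFAULT_GROUP=apache

# Apply the filesystem model: directories 750 (apache may traverse and list),
# regular files 640 (apache may read, not write), nothing for other.
# chown is only attempted as root and only if the owner account exists.
# Returns 0 on success, 1 on error.
lockdown_docroot() {
    docroot=$1
    owner=${2:-$DEFAULT_OWNER}
    group=${3:-$DEFAULT_GROUP}

    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 1; }

    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown -R "$owner:$group" "$docroot" || return 1
    fi

    find "$docroot" -type d -exec chmod 750 {} + || return 1
    find "$docroot" -type f -exec chmod 640 {} + || return 1
    return 0
}

# True when SELinux is present and not disabled.
selinux_active() {
    command -v getenforce >/dev/null 2>&1 &&
        [ "$(getenforce 2>/dev/null)" != "Disabled" ]
}

# Give the tree the httpd_sys_content_t type so httpd may read it. A persistent
# fcontext rule plus restorecon where semanage exists, a plain chcon otherwise.
# Returns 0 when a label was applied, 2 when SELinux is absent, 1 on error.
label_docroot() {
    docroot=$1
    selinux_active || return 2
    if command -v semanage >/dev/null 2>&1 && command -v restorecon >/dev/null 2>&1; then
        semanage fcontext -a -t httpd_sys_content_t "${docroot}(/.*)?" || return 1
        restorecon -R "$docroot" || return 1
    else
        chcon -R -t httpd_sys_content_t "$docroot" || return 1
    fi
    return 0
}

# Audit check: nothing under the tree may be writable by group or other.
# Prints offenders to stderr and returns 1 if any are found, 0 otherwise.
check_docroot() {
    docroot=$1
    offenders=$(find "$docroot" \( -perm -g+w -o -perm -o+w \) -print)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Typical use on the host from the thread (run as root):
#   lockdown_docroot /space/vhosts webdev apache
#   label_docroot /space/vhosts
#   check_docroot /space/vhosts && ls -ldZ /space/vhosts
```

After this, `DocumentRoot /space/vhosts` in httpd.conf starts without the "must be a directory" error, and `ls -ldZ /space/vhosts` shows `httpd_sys_content_t`. If httpd still refuses, look for an AVC denial in /var/log/audit/audit.log (or /var/log/messages on older releases) before touching any permission bits: a denial means the label, not the mode, is wrong.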