Wrong permissions on web folder

Discussion in 'Installation/Configuration' started by awd.pt, Feb 12, 2011.

  1. awd.pt

    awd.pt New Member

    I'm having the following problem.

    I'm running latest ISPConfig3 release on CentOS 5.5.

    All the sites are running with Fast-CGI and suExec.

    Each time I make any modification on a site by ISPConfig Panel I have to manually change the perms to 711 on the web folder.

    On /etc/group I have this:
    The output of groups apache shows:
    The perm on a site when I create are:
    And I always get a Permission denied until I change them to:
    Other workaround is to change the group owner of the web directory to apache.

    I need help on sorting this out.

    I followed the multiserver installation as detailed on the ISPConfig Manual I bought.

    I have a dedicated mysql server, that is my multiserver setup.

    Thank you in advance,
    Sergio Rosa
     
  2. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    These are the correct permissions for the site.

    Under which user and group does the apache server run on your server?
     
  3. awd.pt

    awd.pt New Member

    Hello till,

    Yes, those are the right perms. But with them apache can't access the directory.

    Apache (web server) is running as user/group apache.
     
  4. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    But then apache must be able to access the directory. Do you have any security extensions like selinux enabled that might prevent apache accessing the files?
     
  5. awd.pt

    awd.pt New Member

    0 enable
    1 disable

    selinux is disabled.

    What other thing might be causing this?

    I've banged my head to the wall but I can't see what is wrong.
     
  6. awd.pt

    awd.pt New Member

    just another info, showing that everything should be fine...

     
  7. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    I have no idea.

    What is the exact error message that you get in the error.log of the website?
     
  8. awd.pt

    awd.pt New Member

    If I activate the account apache in order to login (su - apache) when I try to browse the user's directories I get an "access denied". No matter if apache belongs to the group or not.

    For some reason CentOS is not respecting the user/group permissions and access.

    Any tool I can use to debug this damn thing?
     
    Last edited: Feb 14, 2011
  9. awd.pt

    awd.pt New Member

    I think that a little thing was missed by me.

    on the nfs server, the export is made like this
    I think that this might be the problem.

    Any suggestion on what flags to use to export the mpoint?
     
  10. awd.pt

    awd.pt New Member

    Just to update this, it might be of some utility.

    If the /var/www is mounted from a remote nfs server you'll have trouble with the permissions of the web directory.

    I moved all data to a system disk and everything is running fine now.

    Thank you 4 your help.
     
  11. emanation

    emanation New Member

    I have a related issue.

    Joomla site gives error for some functionality. It's related with trying to open/read/close folder tree with PHP functions.

    Warning: opendir(/var/www/clients/client0/web4/web): failed to open dir: Permission denied in /var/www/clients/client0/web4/web/components/com_component/elements/directories.php on line 102
    Warning: readdir(): supplied argument is not a valid Directory resource in /var/www/clients/client0/web4/web/components/com_component/elements/directories.php on line 103
    Warning: closedir(): supplied argument is not a valid Directory resource in /var/www/clients/client0/web4/web/components/com_component/elements/directories.php on line 129

    If I set web folder 0755 it works without errors and problems.
    It's sad that ISPConfig changes all web folders to 0710.
    What can I do?

    BTW:
    Code:
    [root@server www]# selinuxenabled
    [root@server www]# echo $?
    1
    [root@server www]# id apache
    uid=48(apache) gid=48(apache) groups=48(apache),5004(ispconfig),5005(client0)
     
  12. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Which php mode do you use and do you have suexec enabled? Also post the output of:

    ls -la /var/www/clients/client0/web4/web

    The correct permissions are 710. This works on all joomla sites on my server.
     
  13. emanation

    emanation New Member

    Code:
    total 116
    drwx--x--- 19 web4 client0  4096 Sep 19 06:18 .
    drwxr-x--x  6 web4 client0  4096 Sep 14 01:49 ..
    drwxr-xr-x 11 web4 client0  4096 Aug 25 11:32 administrator
    drwxr-xr-x 40 web4 client0  4096 Sep 15 05:15 cache
    drwxr-xr-x 25 web4 client0  4096 Dec 13  2010 components
    -rw-r--r--  1 web4 client0  1949 Sep 14 11:20 configuration.php
    drwxr-xr-x  2 web4 client0  4096 Sep 14 01:49 error
    drwxr-xr-x 14 web4 client0  4096 Apr 25 06:54 files
    -r--r--r--  1 web4 client0  3755 Mar 21  2011 .htaccess
    drwxr-xr-x 10 web4 client0  4096 May 26  2010 images
    drwxr-xr-x  8 web4 client0  4096 May 28  2010 includes
    -rw-r--r--  1 web4 client0   588 May 28  2010 index2.php
    -rw-r--r--  1 web4 client0  2049 May 28  2010 index.php
    drwxr-xr-x  4 web4 client0  4096 May 28  2010 language
    drwxr-xr-x 16 web4 client0  4096 Dec 10  2010 libraries
    drwxr-xr-x  2 web4 client0  4096 Jul  6  2009 logs
    drwxr-xr-x  6 web4 client0  4096 Dec 10  2010 media
    drwxr-xr-x 26 web4 client0  4096 Dec 10  2010 modules
    drwxr-xr-x 16 web4 client0  4096 Dec 10  2010 plugins
    -rw-r--r--  1 web4 client0   388 Jan 14  2010 robots.txt
    -rw-r--r--  1 web4 client0 11417 Jun 25  2010 sitemap.xml
    drwxr-xr-x  2 web4 client0  4096 Sep 15 00:31 stats
    drwxr-xr-x  4 web4 client0  4096 Feb 10  2010 templates
    drwxr-xr-x  2 web4 client0 12288 Dec 13  2010 tmp
    drwxr-xr-x  4 web4 client0  4096 May 28  2010 xmlrpc
    
    I use PHP-mod (PHP as Apache module) for all sites and suexec checkbox is not selected for each website.

    BTW, if I set permission for web folder 750 it works without warnings. And it's obvious because
    Code:
    [root@server www]# id apache
    uid=48(apache) gid=48(apache) groups=48(apache),5004(ispconfig),5005(client0)
    
    I think that read for group must be, mustn't it?
     
    Last edited: Sep 20, 2011
  14. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Your problem is that you use the wrong php mode. For a website that runs a cms system which accesses the filesystem you should always use php-fastcgi plus suexec and not mod-php, so that the php scripts run under the user of the website and not the apache user. Using mod-php with joomla is also a security risk, as it's easy for a hacker to infect all your sites when one joomla system is hacked and all sites run under the apache user instead of the website user.
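
Added example (not part of the original thread, and not ISPConfig code): a small model of the POSIX directory permission check, showing why `opendir()` fails on a 0710 web folder when PHP runs as apache under mod-php but succeeds when it runs as the site user under suexec. The owner and group names and apache's ids are taken from the `ls -la` and `id apache` output above; the uid for web4 is an assumed value, and root, ACLs and capabilities are ignored.

```python
import stat

def dir_access(mode, owner_uid, owner_gid, uid, gids):
    """Return (can_traverse, can_list) for a non-root process on a directory.

    POSIX picks exactly one permission class: owner if the uid matches,
    else group if any of the process's groups matches, else other.
    There is no fall-through to a more permissive class.
    """
    if uid == owner_uid:
        r, x = stat.S_IRUSR, stat.S_IXUSR
    elif owner_gid in gids:
        r, x = stat.S_IRGRP, stat.S_IXGRP
    else:
        r, x = stat.S_IROTH, stat.S_IXOTH
    # x on a directory = enter it and open known names inside it
    # r on a directory = list its entries (what opendir/readdir need)
    return bool(mode & x), bool(mode & r)

# From the thread: web dir owned by web4:client0; apache is uid 48 with
# groups 48 (apache), 5004 (ispconfig), 5005 (client0).
CLIENT0_GID = 5005
APACHE = (48, {48, 5004, 5005})
WEB4_UID = 5006  # assumed value; the thread never shows web4's uid
WEB4 = (WEB4_UID, {CLIENT0_GID})

def report(mode):
    """Access to the web folder for each PHP execution identity."""
    return {
        "mod_php (apache)": dir_access(mode, WEB4_UID, CLIENT0_GID, *APACHE),
        "suexec (web4)": dir_access(mode, WEB4_UID, CLIENT0_GID, *WEB4),
    }

if __name__ == "__main__":
    for mode in (0o710, 0o750, 0o755):
        print(oct(mode), report(mode))
```

With 0710 the apache identity can traverse the folder and serve files by name but cannot list it, while the owning site user can do both, so the folder mode does not need loosening once PHP runs as the site user.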
     
  15. emanation

    emanation New Member

  16. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    You should use php-fcgi and suexec. Of course you can use suphp too as it does basically the same, but suphp is a lot slower when used for larger cms systems like joomla or typo3.
     
