
[Solved] ZFS + Apache 2.2 permissions problem

soulreaver1

Member

Thanks: 4
Messages: 36

#1
Hi,

I have a problem with Apache permissions while configuring it with a DocumentRoot directory on a ZFS filesystem. In the default configuration with
Code:
DocumentRoot "/usr/local/www/apache22/data"
everything is fine, but if I switch it to
Code:
DocumentRoot "/storage/www/data"
(my ZFS location) it stops working.

httpd-error.log:

Code:
[Sun Nov 27 14:02:49 2011] [error] [client 192.168.1.102] (13)Permission denied: access to / denied
[Sun Nov 27 14:02:49 2011] [error] [client 192.168.1.102] (13)Permission denied: access to /favicon.ico
I've set the following permissions on /storage/www/data:

Code:
chown -R www:www /storage/www/data
chmod -R 775 /storage/www/data


I've no idea what's going on :(.
 

gkontos

Daemon

Thanks: 454
Messages: 2,094

#3
Hi, this is irrelevant to ZFS. In one of my servers all Apache directories are stored in a ZFS pool.

Check all your server directives.

DocumentRoot is just one. See below:

Code:
<Directory "/storage/www/data/">
    Options +FollowSymLinks
    AllowOverride none

    Order Deny,Allow
    Deny from all
    Allow from all
</Directory>
Also, change the ownership back to root, you don't need this and it is not safe!

Regards,
George
 

mix_room

Aspiring Daemon

Thanks: 45
Messages: 598

#4
gkontos said:
Also, change the ownership back to root, you don't need this and it is not safe!
Why is having www:www ownership on the file in $WWWlocation unsafe? And how would this be solved by changing them to root:wheel?
 

SirDice

Administrator
Staff member
Moderator

Thanks: 6,098
Messages: 26,991

#5
mix_room said:
Why is having www:www ownership on the file in $WWWlocation unsafe? And how would this be solved by changing them to root:wheel?
Suppose one of your web applications had a bug. When that bug gets exploited your attacker can read/write all files owned by the www user. When the file is root owned and permissions are set to 644 this isn't possible.
 

nORKy

Well-Known Member

Thanks: 18
Messages: 307

#7
That's why I use php-fpm. It can use different ownership and execute permissions for each application.
 

soulreaver1

Member

Thanks: 4
Messages: 36

#8
Thanks all for your replies. The problem is solved. It was caused by incorrect permissions on the ZFS root /storage. It is owned by user root and group wheel, so it needs to be set at least with chmod 601 (others, "www", need to have execute permission to get up the tree); somehow I haven't set it before :\. My first post was a little inexact and I've misled you with it, sorry for that. I've managed with groups and chmod-s recently, because of Samba on the same ZFS filesystem.
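
The cause found in this thread, a parent directory without search (execute) permission for the httpd user, can be located by walking the path one component at a time. The following is an added example, not part of any post above: the function names are hypothetical, the account name "www" is taken from the thread, and only classic mode bits are evaluated (any ACLs set on the ZFS dataset are ignored).

```python
import os
import stat

def can_search(mode, owner, group, uid, gids):
    """POSIX rule: exactly one class applies (owner, else group, else other)."""
    if uid == 0:
        return True  # root bypasses directory search checks
    if uid == owner:
        return bool(mode & stat.S_IXUSR)
    if group in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def first_blocker(path, uid, gids, start="/"):
    """Return the first directory from `start` down to `path` that the given
    uid/gids cannot traverse, or None if every component is searchable.
    Assumes `path` lies below `start`."""
    path = os.path.realpath(path)
    current = os.path.realpath(start)
    chain = [current]
    for part in os.path.relpath(path, current).split(os.sep):
        if part != ".":
            current = os.path.join(current, part)
            chain.append(current)
    for directory in chain:
        st = os.stat(directory)
        if not can_search(st.st_mode, st.st_uid, st.st_gid, uid, gids):
            return directory
    return None

if __name__ == "__main__":
    import pwd
    www = pwd.getpwnam("www")  # assumption: httpd runs as "www", as in the thread
    gids = set(os.getgrouplist(www.pw_name, www.pw_gid))
    blocker = first_blocker("/storage/www/data", www.pw_uid, gids)
    print(blocker or "every component is searchable by www")
```

Run as root so every component can be stat()ed; a result of /storage corresponds to the situation described in post #8.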
 