[Solved] ZFS + Apache 2.2 permissions problem

Hi,

I have a problem with Apache permissions while configuring it with the DocumentRoot directory on a ZFS filesystem. In the default configuration with
Code:
DocumentRoot "/usr/local/www/apache22/data"
everything is fine, but if I switch it to
Code:
DocumentRoot "/storage/www/data"
(my ZFS location) it stops working.

httpd-error.log:

Code:
[Sun Nov 27 14:02:49 2011] [error] [client 192.168.1.102] (13)Permission denied: access to / denied
[Sun Nov 27 14:02:49 2011] [error] [client 192.168.1.102] (13)Permission denied: access to /favicon.ico

I've set the following permissions on /storage/www/data:

Code:
chown -R www:www /storage/www/data
chmod -R 775 /storage/www/data


I've no idea what's going on :(.
 
Hi, this is irrelevant to ZFS. On one of my servers all Apache directories are stored in a ZFS pool.

Check all your server directives.

DocumentRoot is just one. See below:

Code:
    <Directory "/storage/www/data/">
	Options +FollowSymLinks
	AllowOverride none 
	
	Order Deny,Allow
	Deny from all
	Allow from all
    </Directory>

Also, change the ownership back to root, you don't need this and it is not safe!

Regards,
George
 
gkontos said:
Also, change the ownership back to root, you don't need this and it is not safe!

Why is having www:www ownership on the file in $WWWlocation unsafe? And how would this be solved by changing them to root:wheel?
 
mix_room said:
Why is having www:www ownership on the file in $WWWlocation unsafe? And how would this be solved by changing them to root:wheel?

Suppose one of your web applications had a bug. When that bug gets exploited your attacker can read/write all files owned by the www user. When the file is root owned and permissions are set to 644 this isn't possible.
 
Thanks all for your replies. The problem is solved. It was caused by incorrect permissions on the ZFS root /storage. It is owned by user root and group wheel, so it needs to be set at least with chmod 601 (others, "www", need to have execute permission to get up the tree); somehow I hadn't set it before :\. My first post was a little inexact, I've misled you with it, sorry for that. I've been dealing with groups and chmods recently, because of Samba on the same ZFS filesystem.
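
The cause found in the last post, a parent directory above the DocumentRoot that the Apache user cannot search, can be checked for every path component at once. This is an added example, not code from the thread; it assumes classic Unix mode bits only (no ACLs), and the script name and function names are hypothetical.

```python
import os
import pwd
import stat
import sys


def can_search(mode, owner_uid, owner_gid, uid, gids):
    """Apply the classic Unix rule: exactly one class (owner, group, other)
    is selected and only its execute/search bit counts. ACLs are ignored."""
    if uid == 0:
        return True  # root may search any directory
    if uid == owner_uid:
        bit = stat.S_IXUSR
    elif owner_gid in gids:
        bit = stat.S_IXGRP
    else:
        bit = stat.S_IXOTH
    return bool(mode & bit)


def blocked_components(path, uid, gids):
    """Return [(directory, octal mode)] for each directory from / down to
    `path` that the given uid/gids cannot traverse."""
    path = os.path.realpath(path)
    current, blocked = os.sep, []
    for part in [""] + [p for p in path.split(os.sep) if p]:
        current = os.path.join(current, part)
        st = os.stat(current)
        if stat.S_ISDIR(st.st_mode) and not can_search(
                st.st_mode, st.st_uid, st.st_gid, uid, gids):
            blocked.append((current, oct(stat.S_IMODE(st.st_mode))))
    return blocked


if __name__ == "__main__":
    # Usage (run as root so every component can be stat'ed):
    #   python3 check_path.py /storage/www/data www
    target, user = sys.argv[1], sys.argv[2]
    pw = pwd.getpwnam(user)
    gids = set(os.getgrouplist(user, pw.pw_gid))
    problems = blocked_components(target, pw.pw_uid, gids)
    for directory, mode in problems:
        print(f"{user} cannot traverse {directory} (mode {mode})")
    sys.exit(1 if problems else 0)
```

An empty result means every directory from / down to the DocumentRoot grants search permission to that user, so the content can stay root-owned as suggested earlier in the thread.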
 