Apache2 and permissions


Hello,

I'll try to summarize the problem:

The config:

Debian Testing on x86

Apache/2.0.52, PHP/4.3.10-2

The web directory:

/var/www/ (contains index.php, which the server executes perfectly)

A projet/ directory inside it. It turns out that whatever permissions I put on it and on the index.php it contains, I get a 403 Forbidden

Then there is a subtlety: this directory contains a symbolic link 'ln -s ...' to /home/projet/

Write permissions on /home/projet/ are given to the group 'projet', which I belong to (as a user). (The goal being that all users of the machine can modify its contents.)

And there, still 403 :(

Here is my apache2.conf as well; sorry, it's long

Also, this file seems incomplete to me; I tried adding bits to it, but without success.

# Based upon the NCSA server configuration files originally by Rob McCool.

# Changed extensively for the Debian package by Daniel Stone <daniel@sfarc.net>

# and also by Thom May <thom@debian.org>.

# ServerRoot: The top of the directory tree under which the server's

# configuration, error, and log files are kept.

#

# NOTE!  If you intend to place this on an NFS (or otherwise network)

# mounted filesystem then please read the LockFile documentation

# (available at <URL:http://www.apache.org/docs/mod/core.html#lockfile>);

# you will save yourself a lot of trouble.

ServerRoot "/etc/apache2"

# The LockFile directive sets the path to the lockfile used when Apache

# is compiled with either USE_FCNTL_SERIALIZED_ACCEPT or

# USE_FLOCK_SERIALIZED_ACCEPT. This directive should normally be left at

# its default value. The main reason for changing it is if the logs

# directory is NFS mounted, since the lockfile MUST BE STORED ON A LOCAL

# DISK. The PID of the main server process is automatically appended to

# the filename.

LockFile /var/lock/apache2/accept.lock

# PidFile: The file in which the server should record its process

# identification number when it starts.

PidFile /var/run/apache2.pid

# Timeout: The number of seconds before receives and sends time out.

Timeout 300

# KeepAlive: Whether or not to allow persistent connections (more than

# one request per connection). Set to "Off" to deactivate.

KeepAlive On

# MaxKeepAliveRequests: The maximum number of requests to allow

# during a persistent connection. Set to 0 to allow an unlimited amount.

# We recommend you leave this number high, for maximum performance.

MaxKeepAliveRequests 100

# KeepAliveTimeout: Number of seconds to wait for the next request from the

# same client on the same connection.

KeepAliveTimeout 15

##

## Server-Pool Size Regulation (MPM specific)

##

# prefork MPM

# StartServers ......... number of server processes to start

# MinSpareServers ...... minimum number of server processes which are kept spare

# MaxSpareServers ...... maximum number of server processes which are kept spare

# MaxClients ........... maximum number of server processes allowed to start

# MaxRequestsPerChild .. maximum number of requests a server process serves

<IfModule prefork.c>

StartServers        5

MinSpareServers      5

MaxSpareServers    10

MaxClients          20

MaxRequestsPerChild  0

</IfModule>

# pthread MPM

# StartServers ......... initial  number of server processes to start

# MaxClients ........... maximum  number of server processes allowed to start

# MinSpareThreads ...... minimum  number of worker threads which are kept spare

# MaxSpareThreads ...... maximum  number of worker threads which are kept spare

# ThreadsPerChild ...... constant number of worker threads in each server process

# MaxRequestsPerChild .. maximum  number of requests a server process serves

<IfModule worker.c>

StartServers        2

MaxClients        150

MinSpareThreads    25

MaxSpareThreads    75

ThreadsPerChild    25

MaxRequestsPerChild  0

</IfModule>

# perchild MPM

# NumServers ........... constant number of server processes

# StartThreads ......... initial  number of worker threads in each server process

# MinSpareThreads ...... minimum  number of worker threads which are kept spare

# MaxSpareThreads ...... maximum  number of worker threads which are kept spare

# MaxThreadsPerChild ... maximum  number of worker threads in each server process

# MaxRequestsPerChild .. maximum  number of connections per server process (then it dies)

<IfModule perchild.c>

NumServers          5

StartThreads        5

MinSpareThreads      5

MaxSpareThreads    10

MaxThreadsPerChild  20

MaxRequestsPerChild  0

AcceptMutex fcntl

</IfModule>

User www-data

Group www-data

# The following directives define some format nicknames for use with

# a CustomLog directive (see below).

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined

LogFormat "%h %l %u %t \"%r\" %>s %b" common

LogFormat "%{Referer}i -> %U" referer

LogFormat "%{User-agent}i" agent

# Global error log.

ErrorLog /var/log/apache2/error.log

# Include module configuration:

Include /etc/apache2/mods-enabled/*.load

Include /etc/apache2/mods-enabled/*.conf

# Include all the user configurations:

Include /etc/apache2/httpd.conf

# Include ports listing

Include /etc/apache2/ports.conf

# Include generic snippets of statements

Include /etc/apache2/conf.d/[^.#]*

#Let's have some Icons, shall we?

Alias /icons/ "/usr/share/apache2/icons/"

<Directory "/usr/share/apache2/icons">

    Options Indexes MultiViews

    AllowOverride None

    Order allow,deny

    Allow from all

</Directory>

# Set up the default error docs.

#

# Customizable error responses come in three flavors:

# 1) plain text 2) local redirects 3) external redirects

#

# Some examples:

#ErrorDocument 500 "The server made a boo boo."

#ErrorDocument 404 /missing.html

#ErrorDocument 404 "/cgi-bin/missing_handler.pl"

#ErrorDocument 402 http://www.example.com/subscription_info.html

#

#

# Putting this all together, we can Internationalize error responses.

#

# We use Alias to redirect any /error/HTTP_<error>.html.var response to

# our collection of by-error message multi-language collections.  We use

# includes to substitute the appropriate text.

#

# You can modify the messages' appearance without changing any of the

# default HTTP_<error>.html.var files by adding the line;

#

#  Alias /error/include/ "/your/include/path/"

#

# which allows you to create your own set of files by starting with the

# /usr/local/apache2/error/include/ files and

# copying them to /your/include/path/, even on a per-VirtualHost basis.

#

<IfModule mod_negotiation.c>

<IfModule mod_include.c>

    Alias /error/ "/usr/share/apache2/error/"

    <Directory "/usr/share/apache2/error">

        AllowOverride None

        Options IncludesNoExec

AddOutputFilter Includes html

        AddHandler type-map var

        Order allow,deny

        Allow from all

        LanguagePriority en es de fr

        ForceLanguagePriority Prefer Fallback

    </Directory>

    ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var

    ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var

    ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var

    ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var

    ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var

    ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var

    ErrorDocument 410 /error/HTTP_GONE.html.var

    ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var

    ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var

    ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var

    ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var

    ErrorDocument 415 /error/HTTP_SERVICE_UNAVAILABLE.html.var

    ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var

    ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var

    ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var

    ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var

    ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var

</IfModule>

</IfModule>

#Added, TNorth, 01.2005

ServerAdmin tnorth@bluewin.ch

DocumentRoot "/var/www/"

<Directory "/var/www/">

Options Indexes Includes FollowSymLinks

# AllowOverride = All to give priority to .htaccess files

AllowOverride All

order allow,deny

# allow from = all to let everyone access the documents

allow from all

DirectoryIndex index.html index.cgi index.pl index.php index.xhtml

</Directory>

#End of TNorth's addition

# UserDir is now a module

#UserDir public_html

#UserDir disabled root

#<Directory /home/*/public_html>

#      AllowOverride FileInfo AuthConfig Limit

#      Options Indexes SymLinksIfOwnerMatch IncludesNoExec

#</Directory>

AccessFileName .htaccess

<Files ~ "^\.ht">

    Order allow,deny

    Deny from all

</Files>

UseCanonicalName Off

TypesConfig /etc/mime.types

DefaultType text/plain

HostnameLookups Off

IndexOptions FancyIndexing VersionSort

AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*

AddIconByType (IMG,/icons/image2.gif) image/*

AddIconByType (SND,/icons/sound2.gif) audio/*

AddIconByType (VID,/icons/movie.gif) video/*

# This really should be .jpg.

AddIcon /icons/binary.gif .bin .exe

AddIcon /icons/binhex.gif .hqx

AddIcon /icons/tar.gif .tar

AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv

AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip

AddIcon /icons/a.gif .ps .ai .eps

AddIcon /icons/layout.gif .html .shtml .htm .pdf

AddIcon /icons/text.gif .txt

AddIcon /icons/c.gif .c

AddIcon /icons/p.gif .pl .py

AddIcon /icons/f.gif .for

AddIcon /icons/dvi.gif .dvi

AddIcon /icons/uuencoded.gif .uu

AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl

AddIcon /icons/tex.gif .tex

AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..

AddIcon /icons/hand.right.gif README

AddIcon /icons/folder.gif ^^DIRECTORY^^

AddIcon /icons/blank.gif ^^BLANKICON^^

# This is from Matty J's patch. Anyone want to make the icons?

#AddIcon /icons/dirsymlink.jpg ^^SYMDIR^^

#AddIcon /icons/symlink.jpg ^^SYMLINK^^

DefaultIcon /icons/unknown.gif

ReadmeName README.html

HeaderName HEADER.html

IndexIgnore .??* *~ *# HEADER* RCS CVS *,t

AddEncoding x-compress Z

AddEncoding x-gzip gz tgz

AddLanguage da .dk

AddLanguage nl .nl

AddLanguage en .en

AddLanguage et .et

AddLanguage fr .fr

AddLanguage de .de

AddLanguage el .el

AddLanguage it .it

AddLanguage ja .ja

AddLanguage pl .po

AddLanguage ko .ko

AddLanguage pt .pt

AddLanguage no .no

AddLanguage pt-br .pt-br

AddLanguage ltz .ltz

AddLanguage ca .ca

AddLanguage es .es

AddLanguage sv .se

AddLanguage cz .cz

AddLanguage ru .ru

AddLanguage tw .tw

AddLanguage zh-tw .tw

LanguagePriority en da nl et fr de el it ja ko no pl pt pt-br ltz ca es sv tw

#AddDefaultCharset      ISO-8859-1

AddCharset ISO-8859-1  .iso8859-1  .latin1

AddCharset ISO-8859-2  .iso8859-2  .latin2 .cen

AddCharset ISO-8859-3  .iso8859-3  .latin3

AddCharset ISO-8859-4  .iso8859-4  .latin4

AddCharset ISO-8859-5  .iso8859-5  .latin5 .cyr .iso-ru

AddCharset ISO-8859-6  .iso8859-6  .latin6 .arb

AddCharset ISO-8859-7  .iso8859-7  .latin7 .grk

AddCharset ISO-8859-8  .iso8859-8  .latin8 .heb

AddCharset ISO-8859-9  .iso8859-9  .latin9 .trk

AddCharset ISO-2022-JP .iso2022-jp .jis

AddCharset ISO-2022-KR .iso2022-kr .kis

AddCharset ISO-2022-CN .iso2022-cn .cis

AddCharset Big5        .Big5      .big5

# For russian, more than one charset is used (depends on client, mostly):

AddCharset WINDOWS-1251 .cp-1251  .win-1251

AddCharset CP866      .cp866

AddCharset KOI8-r      .koi8-r .koi8-ru

AddCharset KOI8-ru    .koi8-uk .ua

AddCharset ISO-10646-UCS-2 .ucs2

AddCharset ISO-10646-UCS-4 .ucs4

AddCharset UTF-8      .utf8

AddCharset GB2312      .gb2312 .gb

AddCharset utf-7      .utf7

AddCharset utf-8      .utf8

AddCharset big5        .big5 .b5

AddCharset EUC-TW      .euc-tw

AddCharset EUC-JP      .euc-jp

AddCharset EUC-KR      .euc-kr

AddCharset shift_jis  .sjis

AddType application/x-httpd-php .php

AddType application/x-httpd-php-source .phps

AddType application/x-tar .tgz

# To use CGI scripts outside /cgi-bin/:

#

#AddHandler cgi-script .cgi

# To use server-parsed HTML files

#

<FilesMatch "\.shtml(\..+)?$">

    SetOutputFilter INCLUDES

</FilesMatch>

# If you wish to use server-parsed imagemap files, use

#

#AddHandler imap-file map

BrowserMatch "Mozilla/2" nokeepalive

BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0

BrowserMatch "RealPlayer 4\.0" force-response-1.0

BrowserMatch "Java/1\.0" force-response-1.0

BrowserMatch "JDK/1\.0" force-response-1.0

#

# The following directive disables redirects on non-GET requests for

# a directory that does not include the trailing slash.  This fixes a

# problem with Microsoft WebFolders which does not appropriately handle

# redirects for folders with DAV methods.

#

BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully

BrowserMatch "^WebDrive" redirect-carefully

BrowserMatch "^gnome-vfs" redirect-carefully

BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully

# Allow server status reports, with the URL of http://servername/server-status

# Change the ".your_domain.com" to match your domain to enable.

#

#<Location /server-status>

#    SetHandler server-status

#    Order deny,allow

#    Deny from all

#    Allow from .your_domain.com

#</Location>

# Allow remote server configuration reports, with the URL of

# http://servername/server-info (requires that mod_info.c be loaded).

# Change the ".your_domain.com" to match your domain to enable.

#

#<Location /server-info>

#    SetHandler server-info

#    Order deny,allow

#    Deny from all

#    Allow from .your_domain.com

#</Location>

# Include the virtual host configurations:

Include /etc/apache2/sites-enabled/[^.#]*

(phew!)

:p


a few leads:

what rights does the user running apache have?

ps faux | grep apache

if that user doesn't have the rights to go into /home/projets, apache will return a 403

in what you added, you set up filtering by .htaccess... but did you create a .htaccess file?

what does tail /var/log/apache/access.log say?

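The check suggested in the reply above (can the Apache user actually reach the symlink target?), as an added example that is not from the thread: it applies the Unix mode-bit test for a given uid/gid set to every directory along both the requested path and the resolved symlink target. The function names and the temporary directory tree are constructed for illustration; ACLs, root privileges and Apache's own Options checks are not modelled.

```python
import os
import stat
import tempfile

def allowed(st, uid, gids, want):
    """Unix mode check: only ONE triplet (owner, group or other) applies."""
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return (bits & want) == want

def ancestors(path):
    """'/a/b/c' -> ['/', '/a', '/a/b']: directories that must be searchable."""
    out, cur = [], os.sep
    for name in path.strip(os.sep).split(os.sep)[:-1]:
        out.append(cur)
        cur = os.path.join(cur, name)
    return out + [cur]

def first_denied(path, uid, gids, below=os.sep):
    """First component blocking (uid, gids), or None. Mode bits only."""
    resolved = os.path.realpath(path)
    # Walk the path as requested AND the symlink target's own parents.
    for chain in (os.path.abspath(path), resolved):
        for d in ancestors(chain):
            if d.startswith(below) and not allowed(os.stat(d), uid, gids, 0o1):
                return d, "search (x) denied"
    st = os.stat(resolved)
    want = 0o5 if stat.S_ISDIR(st.st_mode) else 0o4
    return None if allowed(st, uid, gids, want) else (resolved, "read denied")

def demo():
    """Constructed tree shaped like the thread's: www/projet/current -> home/projet/current."""
    base = os.path.realpath(tempfile.mkdtemp())
    target = os.path.join(base, "home", "projet", "current")
    webdir = os.path.join(base, "var", "www", "projet")
    os.makedirs(target)
    os.makedirs(webdir)
    open(os.path.join(target, "index.php"), "w").close()
    os.symlink(target, os.path.join(webdir, "current"))
    for d, _, files in os.walk(base):
        os.chmod(d, 0o755)
        for f in files:
            os.chmod(os.path.join(d, f), 0o644)
    group_dir = os.path.join(base, "home", "projet")
    os.chmod(group_dir, 0o770)  # constructed case: group-only, nothing for "other"
    st = os.stat(group_dir)
    url = os.path.join(webdir, "current", "index.php")
    outsider = first_denied(url, st.st_uid + 1, {st.st_gid + 1}, base)
    member = first_denied(url, st.st_uid + 1, {st.st_gid}, base)
    return group_dir, outsider, member

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the uid and group ids of the account named by the User and Group directives, and leave `below` at its default so every parent directory is checked.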

root      2514  0.0  1.7 11708 4504 ?        Ss  10:25  0:00 /usr/sbin/apache2 -k start -DSSL

www-data  2515  0.0  1.1 10296 2988 ?        S    10:25  0:00  \_ /usr/sbin/apache2 -k start -DSSL

www-data  2517  0.0  1.8 11832 4852 ?        S    10:25  0:00  \_ /usr/sbin/apache2 -k start -DSSL

www-data  2518  0.0  1.8 11708 4660 ?        S    10:25  0:00  \_ /usr/sbin/apache2 -k start -DSSL

www-data  2519  0.0  1.8 11708 4660 ?        S    10:25  0:00  \_ /usr/sbin/apache2 -k start -DSSL

www-data  2520  0.0  1.8 11708 4652 ?        S    10:25  0:00  \_ /usr/sbin/apache2 -k start -DSSL

www-data  2521  0.0  1.8 11708 4652 ?        S    10:25  0:00  \_ /usr/sbin/apache2 -k start -DSSL

www-data  2632  0.0  1.8 11708 4652 ?        S    10:28  0:00  \_ /usr/sbin/apache2 -k start -DSSL

Yet I did a chown .projet /usr/sbin/apache2

Otherwise I don't have a .htaccess...

what needs to be removed? (I'm getting lost in this config file :( )

tail /var/log/apache2/access.log

[...] "Mozilla/5.0 (Windows; U; Win98; fr-FR; rv:1.7.5) Gecko/20041108 Firefox/1.0"

192.168.0.2 - - [08/Jan/2005:10:41:57 +0100] "GET /favicon.ico HTTP/1.1" 404 311 "-" "Mozilla/5.0 (Windows; U; Win98; fr-FR; rv:1.7.5) Gecko/20041108 Firefox/1.0"

192.168.0.2 - - [08/Jan/2005:11:13:23 +0100] "GET /projet/ HTTP/1.1" 403 427 "-" "Mozilla/5.0 (Windows; U; Win98; fr-FR; rv:1.7.5) Gecko/20041108 Firefox/1.0"

192.168.0.2 - - [08/Jan/2005:11:13:23 +0100] "GET /favicon.ico HTTP/1.1" 404 311 "-" "Mozilla/5.0 (Windows; U; Win98; fr-FR; rv:1.7.5) Gecko/20041108 Firefox/1.0"

(don't you want error.log instead? :)

[sat Jan 08 10:41:57 2005] [error] [client 192.168.0.2] File does not exist: /var/www/favicon.ico

[sat Jan 08 11:13:23 2005] [error] [client 192.168.0.2] (13)Permission denied: access to /projet/ denied

[sat Jan 08 11:13:23 2005] [error] [client 192.168.0.2] File does not exist: /var/www/favicon.ico

(edit 2: I'm working here over SSH, the screen of the machine in question is killing my eyes!)

(edit 3: here is the directory tree and its permissions:)

ls -lR

.:

total 8

drwxr-xr-x  2 root projet      4096 Jan  8 11:23 projet

-rw-rwxr--  1 root projet  26 Jan  5 19:33 index.php

./projet:

total 4

lrwxrwxrwx  1 root projet 18 Jan  8 11:23 current -> /home/projet/current/

-rwxrwxrwx  1 root projet 20 Jan  8 10:31 index.php


Yet I did a chown .projet /usr/sbin/apache2
I don't see the point. It's perfectly fine as root:root.

So the apache2.conf looks fine (I have practically the same thing and symbolic links work)

Do a tail -10 instead, because that's a bit thin (and change the log level as Gauret says)

(edit 2: I'm working here over SSH, the screen of the machine in question is killing my eyes!)
He says he has no knees left. :keskidit:
(edit 3: here is the directory tree and its permissions:)

 ls -lR
.:
total 8
drwxr-xr-x  2 root projet      4096 Jan  8 11:23 projet
-rw-rwxr--  1 root projet  26 Jan  5 19:33 index.php

./projet:
total 4
lrwxrwxrwx  1 root projet 18 Jan  8 11:23 current -> /home/projet/current/
-rwxrwxrwx  1 root projet 20 Jan  8 10:31 index.php

If that's your /home/projet, then you have a recursive link.

If that's your /var/www, then the files should all belong to www-data. Apparently it does execute because it is in the same group as apache (projet), but that's really dirty.

Don't forget that you have these lines in your apache2.conf:

User www-data
Group www-data


Hello!

I'm back late, sorry.

So, I changed apache's group, it's perfect :)

Now it's mysql that's acting up: I'd like to have databases outside of /var/lib/mysql/

with a link ln -s /home/projet/mysql/ nom_base inside it.

Of course, mysql runs as mysql.mysql and doesn't go through the symbolic link. Besides, phpmyadmin doesn't see any new databases :(

How do I change mysql's group? my.cnf contains the user info, but it doesn't like it when you put

user=mysql.projet

Is there a not-too-hacky option, or do I set up a cron job that synchronizes the 2 directories?


I could, but it's darcs, a project management system, that works in these directories and is unable to follow a symbolic link.

It can, however, follow a hard link, but since you can't make hard links to directories...


Archived

This topic is now archived and is closed to further replies.
