Forbidden error in Apache -- I don't get this at all.

[jitspoe]

I'm trying to get the alternative server all set up with all the necessities, like the latest php/apache/mysql/phpmyadmin.  I can't get phpMyAdmin to work, though.  I keep getting a big, fat "Forbidden".  I'm going through the documentation (pretty desperate, I know), and at one point, it says to load up /scripts/setup.php.  Well, I can't.  I can't access anything in the MyAdmin directory.  I tried moving it out of that directory, just for kicks, but it still wouldn't work.

Here's the kicker.  I can make a new directory and copy the contents over, and not get the forbidden.  Everything is identical -- permissions, owner, everything.  It's not because of the name, either.  I tried renaming scripts to script3 (script2 being the copy that doesn't give a forbidden) and it still gives me an error.

Forbidden:

Code: [Select]

[admin@dpserverscom script3]$ ls -al
total 228
drwxrwxr-x  2 admin admin  4096 Apr 28 23:41 .
drwxr-xr-x  7 admin root   4096 Apr 29 00:14 ..
-rw-r--r--  1 admin admin  1813 Apr 23 23:06 check_lang.php
-rwxr-xr-x  1 admin admin   400 Apr 23 23:06 convertcfg.pl
-rwxr-xr-x  1 admin admin  8421 Apr 23 23:06 create-release.sh
-rw-r--r--  1 admin admin  6081 Apr 23 23:06 create_tables_mysql_4_1_2+.sql
-rw-r--r--  1 admin admin  5203 Apr 23 23:06 create_tables.sql
-rw-r--r--  1 admin admin  2737 Apr 23 23:06 decode_bug.php
-rwxr-xr-x  1 admin admin  1090 Apr 23 23:06 find_unused_messages.sh
-rw-rw-r--  1 admin admin     9 Apr 28 23:41 index.php
-rwxr-xr-x  1 admin admin  2125 Apr 23 23:06 lang-cleanup.sh
-rwxr-xr-x  1 admin admin   392 Apr 23 23:06 remove_control_m.sh
-rw-r--r--  1 admin admin 75819 Apr 23 23:06 setup.php
-rw-r--r--  1 admin admin  1728 Apr 23 23:06 signon.php
-rwxr-xr-x  1 admin admin  5017 Apr 23 23:06 upgrade.pl
-rw-r--r--  1 admin admin  6316 Apr 23 23:06 upgrade_tables_mysql_4_1_2+.sql


Forbidden

You don't have permission to access /script3 on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.0.52 (CentOS) Server at alt.dplogin.com Port 443

Not forbidden:

Code: [Select]

[admin@dpserverscom script2]$ ls -al
total 228
drwxrwxr-x  2 admin admin  4096 Apr 28 23:40 .
drwxr-xr-x  7 admin root   4096 Apr 29 00:14 ..
-rw-r--r--  1 admin admin  1813 Apr 28 23:40 check_lang.php
-rwxr-xr-x  1 admin admin   400 Apr 28 23:40 convertcfg.pl
-rwxr-xr-x  1 admin admin  8421 Apr 28 23:40 create-release.sh
-rw-r--r--  1 admin admin  6081 Apr 28 23:40 create_tables_mysql_4_1_2+.sql
-rw-r--r--  1 admin admin  5203 Apr 28 23:40 create_tables.sql
-rw-r--r--  1 admin admin  2737 Apr 28 23:40 decode_bug.php
-rwxr-xr-x  1 admin admin  1090 Apr 28 23:40 find_unused_messages.sh
-rw-rw-r--  1 admin admin     9 Apr 28 23:39 index.php
-rwxr-xr-x  1 admin admin  2125 Apr 28 23:40 lang-cleanup.sh
-rwxr-xr-x  1 admin admin   392 Apr 28 23:40 remove_control_m.sh
-rw-r--r--  1 admin admin 75819 Apr 28 23:40 setup.php
-rw-r--r--  1 admin admin  1728 Apr 28 23:40 signon.php
-rwxr-xr-x  1 admin admin  5017 Apr 28 23:40 upgrade.pl
-rw-r--r--  1 admin admin  6316 Apr 28 23:40 upgrade_tables_mysql_4_1_2+.sql

(blank page)

I don't get it!

[TinMan]

So...the folder doesn't have permissions readable to all? 755 it?

[jitspoe]

drwxrwxr-x  2 admin admin  4096 Apr 28 23:41 .

drwxrwxr-x  2 admin admin  4096 Apr 28 23:40 .

They both have read/execute access for all users.

[TinMan]

Anything in your apache config restricting it? Such as, do you have one .htaccess that handles everything up a couple directories?

[jitspoe]

No .htaccess files, and nothing in the httpd.conf that would pertain to these directories specifically.  The only difference is that the forbidden files/directories were extracted from a tar.gz file.  If I make a fresh directory and copy the files over, I don't get a forbidden.  If I move the contents, however, I get a forbidden again.  If I remove the contents of the directory from the tar file, I still get a forbidden, even if I create a fresh php file.  In short, anything from the tar file results in a forbidden.  The permissions and owner are the same, though, so I don't know what other factors there could be.  Must be something that isn't showing up in ls -la.

[XtremeBain]

Make sure 'apache' or whatever user/group your httpd is running as has sufficient access to 'cd' to the directory you're trying to access.  There's probably a weird ownership somewhere a few directories deep that prevent you from browsing a directory.  The easiest way to test this is to do a 'su - apache' as root and try to 'cd' to the location going one directory at a time.

[jitspoe]

I get "This account is currently not available." when I try to su - apache.  I tried that earlier.

I did a chmod -R 777 * just for kicks, but still no go.  It should have permissions.  It can access other directories with identical permissions just fine.  I don't get it.

I tried the zip version just for kicks, but the same deal.

[XtremeBain]

Change your phpMyAdmin config.inc.php to require http authentication or whatever.  It's probably throwing a 403 because 'root'/'' isn't the login for the MySQL server.

[jitspoe]

Yeah, I did that.

Man, this is so messed up.  Once a directory becomes "forbidden", it stays forbidden, anything put in that directory becomes forbidden, too, even after an apache restart.  Example:

I extract phpMyAdmin-blahblahblah, try to access it, forbidden.  Rename the directory to "ma".  Still forbidden.  Entirely delete all the contents of the directory and create a new php file, both the directory and php file are forbidden.  Move the php file to another directory, and the php file is still forbidden, even though other php files in that directory are not forbidden and have the exact same owner and permissions.  It's like apache is somehow caching the forbiddenness of files and keeping them forbidden no matter what.

Code: [Select]

drwxr-xr-x  10 admin  root  4096 Apr 29 02:25 .
drwxr-xr-x   8 admin  root  4096 Feb 17 06:28 ..
-rw-rw-r--   1 admin  admin   18 Apr 27 22:40 index.php
drwxr-xr-x   2 apache admin 4096 Apr 29 02:19 ma
drwxrwxr-x  12 admin  admin 4096 Apr 29 00:52 myadmin
drwxr-xr-x  11 admin  admin 4096 Apr 23 23:06 phpMyAdmin-2.10.1-english
drwxrwxr-x   2 admin  admin 4096 Apr 29 01:46 script3
drwxr-xr-x   2 root   root  4096 Apr 29 01:46 script4
drwxrwxr-x   2 apache admin 4096 Apr 29 02:16 test
drwxr-xr-x   2 admin  root  4096 Apr 28 20:09 test2
-rw-r--r--   1 apache root    10 Apr 29 02:23 test2.php <=- fresh file, not forbidden
-rw-r--r--   1 apache root    24 Apr 29 02:25 test3.php <=- copy of test.php, not forbidden.
drwxrwxr-x   2 admin  admin 4096 Apr 29 01:15 testadmin
-rw-r--r--   1 apache root    24 Apr 29 02:18 test.php <=- moved from forbidden directory, forbidden.

Edit: Got it working.  So whack.  I had to untar the files, re-tar the files, then un-tar them again, and it worked.  The permissions are exactly the same.  I still don't get it, but I've literally spent hours on this.  Time to move on.

[Krizdo4]

I you have any more trouble with this, could you post the relevant error_log lines and access_log.

[jitspoe]

I you have any more trouble with this, could you post the relevant error_log lines and access_log.

Where are those logs located?

[TinMan]

/var/log/apache2/

[jitspoe]

24.199.129.138 - - [01/May/2007:17:12:28 -0500] "GET /files/maps HTTP/1.1" 403 408 "-" "Opera/9.00 (Windows NT 5.0; U; en)"

[Tue May 01 17:12:28 2007] [error] [client 24.199.129.138] Symbolic link not allowed: /var/www/html/files/maps

Edit: Oh, that was the symlink issue.  Let me try to reproduce the tar one.

24.199.129.138 - - [01/May/2007:17:17:59 -0500] "GET /phpMyAdmin-2.10.1-english HTTP/1.1" 403 423 "-" "Opera/9.00 (Windows NT 5.0; U; en)"

[Tue May 01 17:17:59 2007] [error] [client 24.199.129.138] (13)Permission denied: access to /phpMyAdmin-2.10.1-english denied

Doesn't really tell me anything more...

[Krizdo4]

24.199.129.138 - - [01/May/2007:17:17:59 -0500] "GET /phpMyAdmin-2.10.1-english HTTP/1.1" 403 423 "-" "Opera/9.00 (Windows NT 5.0; U; en)"

[Tue May 01 17:17:59 2007] [error] [client 24.199.129.138] (13)Permission denied: access to /phpMyAdmin-2.10.1-english denied

Doesn't really tell me anything more...

(13)Permission denied: access to /phpMyAdmin-2.10.1-english denied

That location seems wrong (other than that it's an error)
I would expect it to have a path like /var/www/html/phpMyAdmin-2.10.1-english or /usr/share/phpMyAdmin-2.10.1-english
Then maybe it just doesn't print the full path on your system.


If you haven't sorted out the symlink problem yet
in the apache conf, in the section: <Directory "/var/www/html">
Check that FollowSymLinks is on the options line
e.g.
    Options Indexes FollowSymLinks

edit: also check that all the directories leading upto the target is in are have the execute bit set.

[jitspoe]

That must just be the way it logs it.  I made an intentionally inaccessable directory (chmod 000'd it), and got the same thing:

[Wed May 02 01:31:30 2007] [error] [client 71.75.4.26] (13)Permission denied: access to /testbad/index.php denied
[Wed May 02 01:31:30 2007] [error] [client 71.75.4.26] (13)Permission denied: access to /testbad/index.html denied
[Wed May 02 01:31:30 2007] [error] [client 71.75.4.26] (13)Permission denied: access to /testbad/index.html.var denied

The directory is located in /var/www/html, though.

FollowSymLinks is enabled, and it does work, but only within the html directory.  If I try to link somewhere outside of that, it has issues.  I do have <Directory> entries for those external paths, though.  I thought that was all I needed to add, but maybe there was something else.

Edit: Here's the whole httpd.conf file.

[Krizdo4]

This is about the symlink stuff...
The .conf looks good.
I'd suggest creating another user on the server and see if you can change directory to the target of the symlink.

As root:

usermod -s /bin/bash apache
su apache
cd /home/admin/paintball2/pball/maps
ls -al

if you can't browse that directory, start working your way up from home to see which is stopping you.

cd /home
cd admin
cd paintball2
cd pball
cd maps

and also as apache

cd /var/www/error/
ls -al

since the error documents aren't working.

When you're done being logged in as apache

usermod -s /sbin/nologin apache

edit: Got rid of making a new user and added the enabling of apache account.

[jitspoe]

Ok, the admin directory was inaccessible, so I fixed that.  I can browse to the maps directory as apache now.  I'm still getting a forbidden on the web server, though.

Also, I can browse to the phpMyAdmin directory that was extracted from a tar.gz just fine.

Code: [Select]

bash-3.00$ pwd
/var/www/error
bash-3.00$ ls -la
total 300
drwxr-xr-x  3 root  root  4096 Apr 28 19:23 .
drwxr-xr-x  8 admin root  4096 Feb 17 06:28 ..
-rw-r--r--  1 root  root  4256 Jan 23  2006 contact.html.var
-rw-r--r--  1 root  root  9108 Jan 23  2006 HTTP_BAD_GATEWAY.html.var
-rw-r--r--  1 root  root  6633 Jan 23  2006 HTTP_BAD_REQUEST.html.var
-rw-r--r--  1 root  root 11193 Jan 23  2006 HTTP_FORBIDDEN.html.var
-rw-r--r--  1 root  root 12700 Jan 23  2006 HTTP_GONE.html.var
-rw-r--r--  1 root  root 12846 Jan 23  2006 HTTP_INTERNAL_SERVER_ERROR.html.var
-rw-r--r--  1 root  root  7539 Jan 23  2006 HTTP_LENGTH_REQUIRED.html.var
-rw-r--r--  1 root  root  6773 Jan 23  2006 HTTP_METHOD_NOT_ALLOWED.html.var
-rw-r--r--  1 root  root 13255 Jan 23  2006 HTTP_NOT_FOUND.html.var
-rw-r--r--  1 root  root  6336 Jan 23  2006 HTTP_NOT_IMPLEMENTED.html.var
-rw-r--r--  1 root  root  6565 Jan 23  2006 HTTP_PRECONDITION_FAILED.html.var
-rw-r--r--  1 root  root  7802 Jan 23  2006 HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
-rw-r--r--  1 root  root  7099 Jan 23  2006 HTTP_REQUEST_TIME_OUT.html.var
-rw-r--r--  1 root  root  7103 Jan 23  2006 HTTP_REQUEST_URI_TOO_LARGE.html.var
-rw-r--r--  1 root  root  7822 Jan 23  2006 HTTP_SERVICE_UNAVAILABLE.html.var
-rw-r--r--  1 root  root 13035 Jan 23  2006 HTTP_UNAUTHORIZED.html.var
-rw-r--r--  1 root  root  6353 Jan 23  2006 HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
-rw-r--r--  1 root  root  7009 Jan 23  2006 HTTP_VARIANT_ALSO_VARIES.html.var
drwxr-xr-x  2 root  root  4096 Apr 28 19:23 include
-rw-r--r--  1 root  root  5044 Feb 17 06:28 noindex.html
-rw-r--r--  1 root  root  1979 Jul 12  2006 README

The error documents do work... in some situations.  In the case of my "testbad" directory which was chmod'd to 000: http://dplogin.com/testbad/

Forbidden

You don't have permission to access /testbad/ on this server.
Apache/2.0.59 (CentOS) Server at dplogin.com Port 80

However, if I try to access phpMyAdmin: http://dplogin.com/phpMyAdmin-2.10.1-english ...

Forbidden

You don't have permission to access /phpMyAdmin-2.10.1-english on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.0.59 (CentOS) Server at dplogin.com Port 80

Hm, actually, the error in HTTP_FORBIDDEN.html.var isn't the same as what gets displayed, but it doesn't complain about not having access to the ErrorDocument with the testbad directory.

Another thing, it doesn't seem to be reading the .htaccess file from the html/files directory.  I have indexes set globally, so that doesn't really matter, but I know it's not working because the .htaccess was set to not use fancy indexing, but it still is.

[Krizdo4]

When you change config settings were you using reload or restart?

Oh here's something, is selinux enabled?

edit:

Well in the case that the answer is yes and you don't want to disable it, use this:

chcon -R -t httpd_sys_content_t /home/admin/paintball2/pball/maps

It will recurse through maps directory marking the files as web content.

[jitspoe]

I'm using /usr/sbin/apachectl restart.  Doesn't look like it has a reload option.

I'm not sure if selinux is enabled.  How do I check/configure that?

Edit: Yes.

SELINUX=enforcing
SELINUXTYPE=targeted

[Krizdo4]

cat /etc/selinux/config |grep SELINUX=


edit: I'm in #paintball