3

I've hit a problem on Centos 6.5:

[Mon Dec 28 12:10:52 2012] [a] [client 127.0.0.1] (13) Permission denied: /srv/www/website/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

Basically, I was building a brand new server and trying to migrate all of my websites over into /srv/www folder instead of /var/www as it appears to be the future standard (there is a whole discussion about it so just google).

What I did:

1) added a new group (groupadd developers)

2) added users a (gid 501), root, apache, nobody to the above group (usermod -G develoeprs a && usermod -G develoeprs apache && usermod -G develoeprs root && usermod -G develoeprs nobody)

3) copied all folders & files into /srv/www

4) changed ownership of entire /srv/www to apache:developers (chown -R apache:developers /srv/www)

5) changed mode so /srv/www is group readable/writable/searchable (chmod -R 2775 /srv/www)

6) added 'umask 002' to the end of /etc/sysconfig/httpd so it runs in group writable mode

7) added virtual host(s) and to /etc/httpd/conf.d/vhosts.conf (service httpd configtest throws OK)

NameVirtualHost *:80
NameVirtualHost *:443

SSLStrictSNIVHostCheck off

<VirtualHost *:443>
    ServerAdmin webmaster@domain.ext
    DocumentRoot /srv/www/test
    ServerName test.domain.com
    ServerAlias test.domain
    SSLEngine on
    SSLCertificateFile /etc/httpd/certs/domain.com/server.crt
    SSLCertificateKeyFile /etc/httpd/certs/domain.com/server.key
    <Directory /srv/www/test>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

8) restarted the server 9) started httpd manually because it asks for SSL certificate password otherwise autostart fails (need to look into how to start it automatically after rebooting)

I am still getting the same above error message.

Then, I tried changing the home folder in /etc/passwd for apache user to /srv/www (server restart) but still no joy i.e. Permission denied. I even renamed the old /var/www folder and created a symlink in /var/www to /srv/www. Another attempt was to chown back to root:root, apache:apache and :developers group for both.

/srv/www/ [NOT WORKING]

drwxr-xr-x. 2 root root (cgi-bin, error, html,icons)

drwxrwsr-x. 5 apache developers (all other website folders)

-rwxrwsr-x. 1 apache developers (all files)

/srv/

drwxrwsr-x. 4 apache developers www

/var/www [WORKING]

drwxr-xr-x. 2 root root (cgi-bin, error, html,icons)

drwxrwxr-x. 3 apache developers (all other website folders)

-rwxrwxr-x. 1 apache developers (all website files)

Then, as soon as I copy my one of my website's folder into /var/www and point paths in /etc/httpd/conf.d/vhosts.conf it starts to work fine!

DOES ANYONE KNOW WHY IT'S NOT WORKING IN /SRV/WWW folder??

4

2 回答 2

7

我终于找到了问题的根源。这是由于 SELinux 策略覆盖了基本的传统自主访问控制 (DAC) 方法,例如通常用于控制用户文件访问的文件权限或访问控制列表 (ACL)!

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

$ setenforce
usage:  setenforce [ Enforcing | Permissive | 1 | 0 ]

$ setenforce Permissive

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted

Centos上有关 SELinux 的更多信息。一旦我切换到 Permissive 模式,我的 /srv/ 就开始工作了。

如果您知道这样做的目的和原因,那么您可以通过更改以下行来永久禁用 /etc/selinux/config 中的 SELinux:

SELINUX=enforcing


SELINUX=disabled

重新启动您的服务器,您应该将其永久禁用。

注意:当从 Disabled 切换到 Permissive 或 Enforcing 模式时,强烈建议重新启动系统并重新标记文件系统。

于 2014-01-30T22:58:47.847 回答
0

您确定用户“apache”可以跨文件夹“/src”吗?文件夹“/src”的所有者和权限是什么?

于 2014-01-20T12:33:02.743 回答