Ownership Issue on WordPress

[Arieh]

I didn't add the '2' on our boxes, also the file I had is mod_ruid.c not mod_ruid2.c

I based this on the latest version on http://sourceforge.net/projects/mod-ruid/

 

[daveyw]

I based this on the latest version on http://sourceforge.net/projects/mod-ruid/

Oh, at the time when we installed mod_ruid, was the latest version mod_ruid0.6b
Need to upgrade it on our systems.

 

[Arieh]

Is it possible this breaks ip/~username access? I'm getting forbidden on all users I've tried, while on a domain everything works.

 

[daveyw]

Is it possible this breaks ip/~username access? I'm getting forbidden on all users I've tried, while on a domain everything works.

No, tested here and still works for us.

You need the IP where the domain is running on and be sure an index file exist.

 

[Arieh]

I had to run

cd /usr/local/directadmin/scripts && ./set_permissions.sh user_homes

And it works now.

 

[Arieh]

Hm that didn't fully do the trick, when I restart http it gives forbidden again. Then when I run that script its fine for the moment. Any idea?

Edit: It seems when I disable http://www.directadmin.com/features.php?id=961, my problem goes away, however users can see eachothers files again.

daveyw how do you have this?

 

[daveyw]

We didn't change the configs for it, only we added the RMode things in the users httpd.conf's.

 

[Arieh]

I mean the secure_access_group=access feature, it makes sure users can't read other users files. When I have this enabled I have that /~user 403 problem, so I was wondering if you have this feature enabled or not

 

[daveyw]

As I said already: we didn't make changes, and since the /~user/ still works for us it means we didn't change/add that option.

 

[Scolpy]

I mean the secure_access_group=access feature, it makes sure users can't read other users files. When I have this enabled I have that /~user 403 problem, so I was wondering if you have this feature enabled or not

I already using this feature(secure_access_group) and I can access my user domain trough http://SERVERIP/~USERNAME.

 

[Arieh]

Yes, but in combination with mod_ruid it apparently gives problems. I can understand that, but that feature makes sure users cant see in other users files. Without it, in ssh a user can nano someone elses config.php and see their mysql password.

Default I don't give users SSH, but it is a security risk. Right now I keep it enabled, I'd rather have this security fixed and /~user disabled.

But as I understand it Scolpy, you have both and no problems? Then there must be something else going on.. however it should be related to this

Scolpy if I may ask what OS are you running?

 

[daveyw]

Maybe Scolpy is using also mod_ruid instead of mod_ruid2 ?
Also maybe the files/dirs in public_html are not owned by the user, but probably root or something else then the user ?

 

[Arieh]

User permissions are correct.

/home/admin/domains/mydomain.nl/

ls -l
total 20
drwxr-xr-x 4 admin admin 4096 2010-08-13 00:39 awstats
drwx------ 2 admin admin 4096 2010-08-13 00:39 logs
lrwxrwxrwx 1 admin admin   13 2010-07-29 12:05 private_html -> ./public_html
drwx--x--x 3 admin admin 4096 2010-07-18 02:49 public_ftp
drwxr-xr-x 3 admin admin 4096 2010-08-13 23:30 public_html
drwxr-xr-x 2 root  root  4096 2010-08-02 00:37 stats


/public_html# ls -l
total 220
-rwxr-xr-x 1 admin admin    515 2010-07-06 20:24 400.shtml
-rwxr-xr-x 1 admin admin    515 2010-07-06 20:24 401.shtml
-rwxr-xr-x 1 admin admin    515 2010-07-06 20:24 403.shtml
-rwxr-xr-x 1 admin admin    515 2010-07-06 20:24 404.shtml
-rwxr-xr-x 1 admin admin    515 2010-07-06 20:24 500.shtml
drwxr-xr-x 2 admin admin   4096 2010-07-18 02:49 cgi-bin
-rw-r--r-- 1 admin admin    535 2010-07-20 20:20 index.html
-rwxr-xr-x 1 admin admin  13954 2010-07-06 20:24 logo.jpg

 

[daveyw]

What says the error log when you are trying to use http://domainip/~username/ in '/var/log/httpd/domains/yourdomain.tld.error.log'

 

[Arieh]

The error log of the domain doesn't say anything on times of acces, the main error_log gives this (1 hit):

[Sat Aug 14 00:04:49 2010] [error] [client 92.254.51.x] Symbolic link not allowed or link target not accessible: /home/admin/public_html
[Sat Aug 14 00:04:49 2010] [error] [client 92.254.51.x] Symbolic link not allowed or link target not accessible: /home/admin/public_html
[Sat Aug 14 00:04:49 2010] [error] [client 92.254.51.x] Symbolic link not allowed or link target not accessible: /home/admin/public_html
[Sat Aug 14 00:04:49 2010] [error] [client 92.254.51.x] Symbolic link not allowed or link target not accessible: /home/admin/public_html
[Sat Aug 14 00:04:49 2010] [error] [client 92.254.51.x] Symbolic link not allowed or link target not accessible: /home/admin/public_html
[Sat Aug 14 00:04:49 2010] [error] [client 92.254.51.x] Symbolic link not allowed or link target not accessible: /home/admin/public_html
[Sat Aug 14 00:04:49 2010] [error] [client 92.254.51.x] Symbolic link not allowed or link target not accessible: /home/admin/public_html
[Sat Aug 14 00:04:49 2010] [error] [client 92.254.51.x] Symbolic link not allowed or link target not accessible: /home/admin/public_html
[Sat Aug 14 00:04:49 2010] [error] [client 92.254.51.x] Symbolic link not allowed or link target not accessible: /home/admin/public_html
[Sat Aug 14 00:04:49 2010] [error] [client 92.254.51.x] File does not exist: /var/www/html/403.shtml

And when I try to access /~admin/test.php it outputs this, and nothing in the log

Warning: Unknown: failed to open stream: Permission denied in Unknown on line 0

Fatal error: Unknown: Failed opening required '/home/admin/public_html/test.php' (include_path='.:/usr/local/lib/php') in Unknown on line 0

 

[daveyw]

I guess it has something to do with the httpd.conf / user's httpd.conf
Maybe this helps you: http://www.directadmin.com/forum/showpost.php?p=179027&postcount=4

 

[Arieh]

That didn't had effect. I've discovered something else:

When I change in httpd.conf

#RUidGid apache apache
RUidGid admin admin


accesing /~admin works. /~randomuser doesn't.

Not sure what it means just yet.

edit: the set_permission script sets /home/username to chmod 711
When secure_access_group is enabled, /home/usernames are chmod 710.

If I change one user to chmod 711, /~thatusername works.

Maybe I should chmod them all to 711? I don't think that Other can execute does any harm. Though I still wonder what the difference between my and Scolpys setup is.

 

[daveyw]

I found your problem;

secure_access_group=access

where access is the group name to be used.

That means that you need to replace 'access' with your own created group. And not just copy-paste, so leave that away from directadmin.com

 

[Arieh]

That's not it, "What this feature does, is it creates a group called access (assuming you use this value)." the default is fine.

 

[daveyw]

That's not it, "What this feature does, is it creates a group called access (assuming you use this value)." the default is fine.

Ah.. now I see it yes..

If you have 'access' the ~username should still work, since its still from the user itself and not from root/admin.

Maybe DirectAdmin can explain something about this problem?