Home directory permissions

Ok, so here is a strange problem that has just started happening:

Yesterday I added a new domain to Virtualmin (GPL), and immediately the site started throwing a 403 Forbidden error. No files had been uploaded yet. Usually, it will just give an index of the files in that folder, so I put some files in the folder, and still 403 errors. Even accessing files directly gave a 403 error.

I tracked it down to something related to permissions, but I’m not sure what. All user directories in /home/ are chmod 750. Oddly enough, all previously existing sites are working fine. Only new sites show 403 errors.

If I change the /home/newuser and /home/newuser/public_html to chmod 755, then new domains will start working correctly, but I don’t accept this as a fix. It’s a workaround, and one I’m not happy with.

So… any clues as to why new domains have to have 755 to work, while old ones are content with 750 permissions? It’s as if Apache can’t get into the directories, but I’ve deleted and recreated several different domains as a test. I’ve made sure Apache is getting added in the new groups created. SuEXEC is on, but I’ve also disabled it to test.

I haven’t made any configuration changes lately.

Can you post the VirtualHost section related to that domain? I’m curious to see a few things, including the suexec related stuff.
-Eric

Okay – what do you get if you type this on the command line:

ls -nd /home/a2zbailbonds/

and

ls -nd /home/a2zbailbonds/public_html/

[code:1]# ls -nd /home/a2zbailbonds/
drwxr-x--- 10 1041 1017 4096 2008-12-16 09:55 /home/a2zbailbonds/[/code:1]

[code:1]# ls -nd /home/a2zbailbonds/public_html/
drwxr-x--- 3 1041 1017 4096 2008-12-16 09:55 /home/a2zbailbonds/public_html/[/code:1]

Any ideas? Permissions look correct.

Oh, right, my bad, I got lost in a sea of forum messages and completely forgot to get back to you. Very sorry :)

That is odd though; you’re right, the directory permissions match the suexec ones, I was curious if that would be it, but it doesn’t appear that way.

Can you post the error that shows up in /home/a2zbailbonds/logs/error_log whenever you try to access the site? I wonder if perhaps it shows any more details. Also, is there anything interesting in the suexec log in /var/log/httpd/ (or /var/log/apache2 if you’re on Debian/Ubuntu)?
-Eric

Here is the error_log:

[code:1][Wed Dec 17 00:11:01 2008] [crit] [client 99.157.156.201] (13)Permission denied: /home/a2zbailbonds/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
[Wed Dec 17 09:09:38 2008] [crit] [client 66.214.221.87] (13)Permission denied: /home/a2zbailbonds/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
[/code:1]

Here is the access_log:

[code:1]99.157.156.201 - - [17/Dec/2008:00:11:01 -0800] "GET / HTTP/1.1" 403 431 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)"
66.214.221.87 - - [17/Dec/2008:09:09:38 -0800] "GET / HTTP/1.1" 403 427 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4 (.NET CLR 3.5.30729)"[/code:1]

suexec.log is empty.

Here is another thing I didn’t mention. If instead of setting chmod 755, I change the group ownership of the home directory & public_html directory to www-data (I’m on Debian) the site starts showing up. I’ve checked the following:

Apache is running as www-data:www-data
www-data is a member of the a2zbailbonds group
I even tried adding a2zbailbonds to the www-data group

Ahh, that’s interesting.

Is there a .htaccess file in there somewhere?

Does this show anything:

ls -l /home/a2zbailbonds/.htaccess

No, there is no .htaccess file. Nor should there be one. It’s a freshly created account & directory. I’ve even tried creating one in there and changing permissions on it. The error still shows up.

Hrm, so just for fun – if you create a test.php for that domain, and you put something simple in it, such as this:

[code:1]
<?php
phpinfo();
?>
[/code:1]

And then try to pull that up in your browser – does the suexec log show that it accessed a file for that user?

Each and every file access should show up in the suexec log, it’s a little odd that nothing’s in there…
-Eric

Nope, nothing comes up in the log. And I get 403 when accessing the file. The log is empty, except for one line when I tried running suexec from the commandline a few days ago (troubleshooting):

[code:1][2008-12-14 21:37:03]: too few arguments[/code:1]

Okay. If you’d like some suexec info, you can run it with -V:

suexec -V

You say you’re on Debian? What does this command show:

find /etc/apache2 | xargs grep suexec

When I run that on a Debian system here, I see:

find /etc/apache2/ | grep suexec

/etc/apache2/mods-enabled/suexec.load
/etc/apache2/mods-available/suexec.load

I’m suspicious that something is wrong with suexec on there, but I’m not sure what yet :)
-Eric

I get the same results as you. The suexec module is in the ‘available’ and ‘enabled’ folders.

I get this additional one as well:
/etc/apache2/mods-available/fastcgi.conf: #FastCgiWrapper /usr/lib/apache2/suexec2

Try to create .htaccess in that directory and give it the right suexec user and the right permissions.

Alright – I pinged Joe and Jamie for some ideas – they pointed out that the group for any new account that’s created should contain Apache’s group as a member.

So you’re using Debian; that means when you look at /etc/group, the group for the account owning this domain should have www-data listed at the end of it. Is that the case?

Also, what Debian version do you have? And what does this command show:

grep www-data /etc/group | wc -l

Thanks,
-Eric

Apache is set up to run as ‘www-data’ for user and group. That group is a part of the new group, as seen in the /etc/group file:

[code:1]a2zbailbonds:x:1017:www-data[/code:1]

That command shows this:

[code:1]# grep www-data /etc/group | wc -l
18[/code:1]

I’m running Debian Etch.
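
An added example, not part of the original thread: /etc/group lists configured membership, while a running process keeps the supplementary groups it was given at start, so this sketch compares a worker's actual groups (from /proc/<pid>/status) with each directory on the path, using the uid, gid and mode values posted above. The status excerpts are constructed, and uid/gid 33 for www-data is an assumption.

```python
import os
import stat

# Constructed /proc/<pid>/status excerpts for an Apache worker (uid/gid 33 is
# assumed for www-data; 1041/1017 are the uid/gid from the thread's ls -nd).
STATUS_STALE = "Name:\tapache2\nUid:\t33\t33\t33\t33\nGid:\t33\t33\t33\t33\nGroups:\t33\n"
STATUS_FRESH = "Name:\tapache2\nUid:\t33\t33\t33\t33\nGid:\t33\t33\t33\t33\nGroups:\t33 1017\n"

def process_ids(status_text):
    """Return (effective uid, set of effective + supplementary gids)."""
    fields = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        fields[key] = value.split()
    gids = {int(fields["Gid"][1])} | {int(g) for g in fields.get("Groups", [])}
    return int(fields["Uid"][1]), gids

def can_search(mode, owner, group, uid, gids):
    """Mode-bit rule (ACLs ignored): one class applies, owner, then group, then other."""
    if uid == 0:  # root bypasses directory search checks
        return True
    if uid == owner:
        return bool(mode & stat.S_IXUSR)
    if group in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def stat_chain(path):
    """(path, mode, uid, gid) for every directory from / down to path."""
    chain, cur = [], os.path.abspath(path)
    while True:
        st = os.stat(cur)
        chain.append((cur, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
        if cur == os.path.dirname(cur):
            return chain[::-1]
        cur = os.path.dirname(cur)

def first_blocked(chain, uid, gids):
    """First directory the process cannot traverse, or None."""
    for path, mode, owner, group in chain:
        if not can_search(mode, owner, group, uid, gids):
            return path
    return None

# Constructed chain mirroring the thread's listing (drwxr-x--- 1041 1017).
CHAIN = [("/", 0o755, 0, 0), ("/home", 0o755, 0, 0),
         ("/home/a2zbailbonds", 0o750, 1041, 1017),
         ("/home/a2zbailbonds/public_html", 0o750, 1041, 1017)]

if __name__ == "__main__":
    for label, text in (("stale", STATUS_STALE), ("fresh", STATUS_FRESH)):
        print(label, first_blocked(CHAIN, *process_ids(text)))
```

On a live host, pass the contents of a worker's /proc/<pid>/status (a www-data child, not the root parent) and `stat_chain()` of the document root instead of the constructed values.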

rawww wrote:

Try to create .htaccess in that directory and give it the right suexec user and the right permissions.

I tried that, but still get 403. I made sure it was chmod 644 and owned by the user/group. The thing is there shouldn’t be a .htaccess file there, there isn’t one on any of the other accounts that are working fine.

Alright, well, I’m a little confused as to why it’s not working :)

If you like, I’d be happy to log in and poke around a bit to see if I can figure out what’s going on with that.

If you’re using Virtualmin Pro, there’s info here on how to set up remote access:

http://www.virtualmin.com/documentation/id,support_requests_and_remote_login_access/

And then, all I’d need is your hostname or IP address (which I suppose is actually mentioned in your Apache config above).

Or, if you’re using the GPL version, you could email me your root login info.

You can email that to eric@virtualmin.com – be sure to include a link to this thread in the message body somewhere.

Thanks!
-Eric