Friday, October 29, 2010

Permission denied: /your/home/dir pcfg_openfile: unable to check htaccess file, ensure it is readable

I was creating a virtual host configuration for an Apache server running on CentOS 5, in the way I usually do and which I am almost certain would normally work, until I got this dreaded 403 page.

The VHOST configuration:
<VirtualHost *:80>
    ServerAdmin webmaster@dev.somesite.com
    DocumentRoot "/var/local/somesite/public"
    ServerName dev.somesite.com
    ErrorLog logs/somesite.com-error_log
    CustomLog logs/somesite.com-access_log common
    <Directory "/var/local/somesite/public">
        Options FollowSymLinks
        # Apache 2.2 access control: evaluate Allow first, then Deny
        Order allow,deny
        Allow from all
        # Lets Apache read a .htaccess file in this directory
        AllowOverride All
    </Directory>
</VirtualHost>

The Dreaded Error Page:
Forbidden

You don't have permission to access / on this server.
Apache/2.2.3 (CentOS) Server at dev.somesite.com Port 80
The first thing that came to me was that I might have created the folder with ownership and permissions different from those of the Apache user/group (apache/apache). That wasn't the case. Changing the ownership to apache:apache, and even a blanket chmod 777, didn't fix it. Checking the error log, the actual error was:
Permission denied: /var/local/somesite/public/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

Consulting Google University, all that I got from a few scraps was that it could be:

* Due to a permission and ownership problem (Nah, I already tried that.)
* Due to FrontPage Server Extensions (Why the hell would I need those?)
* Due to the "AllowOverride" Apache directive being on (50% true: with AllowOverride All, Apache tries to open a .htaccess file in the directory before serving anything, and that open is what gets denied. In my case turning it off only transforms the error into "Permission denied: access to / denied", because the directory itself is just as unreadable.)

On to the real issue. I wasn't aware that SELinux was enabled. SELinux adds mandatory access control (MAC) on top of the standard Linux discretionary access control, that is, the owner/group/mode bits (and POSIX ACLs) you manage with chown, chmod and setfacl. That is why changing ownership and permissions was meaningless here: with SELinux enforcing, every file and every process also carries a security label with a type (for example httpd_sys_content_t for web content, or httpd_t for the httpd process), and the policy decides which process types may access which file types regardless of the mode bits. A directory created under /var/local gets the generic var_t label of /var rather than a type the confined httpd_t process is allowed to read (check with ls -dZ /var/local/somesite), so the Apache process had no rights to /var/local/somesite. Therefore it is not really a bug, but a violation of the default security policy of your system; the denial is recorded as an AVC message in /var/log/audit/audit.log (or in /var/log/messages when auditd is not running). More info on SELinux here - http://en.wikipedia.org/wiki/Security-Enhanced_Linux.

Then how do we solve the issue when you have SELinux on? Easy,

1) Use the directory the policy already permits for web content, which is /var/www/html on RHEL/CentOS (it and everything under it is labeled httpd_sys_content_t).
2) Keep the DocumentRoot where it is and relabel it so httpd can read it: add a file-context rule for the directory tree with semanage fcontext, then apply it with restorecon. This is the option that keeps SELinux's protection in place, and the relabel survives future relabels of the filesystem because the rule is stored in the policy.
3) Turn off SELinux (setenforce 0 for the running system, or SELINUX=disabled in /etc/selinux/config to make it permanent). This is easy, but be warned: turning SELinux back on again will require some work, since the whole filesystem has to be relabeled before it can enforce again.
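As an added example (not code from the original post), the following shell script shows how to read the SELinux denial behind this 403 and what the relabel in option 2 looks like. The audit record is constructed to have the shape of a CentOS 5 targeted-policy AVC message for httpd reading .htaccess (the pid, inode and timestamp are made up); the directory /var/local/somesite is the one from the post.

```shell
#!/bin/sh
# Added example: diagnosing and fixing the SELinux label on an Apache
# DocumentRoot outside /var/www. Not from the original post.
# SAMPLE_AVC is a constructed audit record shaped like a real
# /var/log/audit/audit.log entry; pid, inode and timestamp are invented.
SAMPLE_AVC='type=AVC msg=audit(1288300000.123:456): avc:  denied  { read } for  pid=2345 comm="httpd" name=".htaccess" dev=sda1 ino=131072 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:var_t:s0 tclass=file'

# Pull one key=value field (comm, scontext, tcontext, tclass, ...) out of
# an AVC record, stripping any surrounding double quotes.
avc_field() {
    # $1 = field name, $2 = audit record
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# A security context is user:role:type:level; the third field is the type.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Type of the object httpd was denied access to (var_t in our case).
avc_target_type() {
    context_type "$(avc_field tcontext "$1")"
}

# Type of the process that was denied (httpd_t for a confined Apache).
avc_source_type() {
    context_type "$(avc_field scontext "$1")"
}

# The permission that was denied, e.g. "read" or "getattr".
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([a-z_]*\) *}.*/\1/p'
}

# One-line human-readable summary of a denial.
avc_summary() {
    printf '%s (%s) denied %s on a %s labeled %s\n' \
        "$(avc_field comm "$1")" "$(avc_source_type "$1")" \
        "$(avc_permission "$1")" "$(avc_field tclass "$1")" \
        "$(avc_target_type "$1")"
}

# The two root commands that make a directory tree readable by httpd_t
# under the targeted policy: record a persistent file-context rule, then
# apply it to the files on disk. Printed, not run, so they can be reviewed.
fix_label_cmds() {
    # $1 = directory, e.g. /var/local/somesite
    printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' "$1"
    printf 'restorecon -Rv "%s"\n' "$1"
}

avc_summary "$SAMPLE_AVC"
fix_label_cmds /var/local/somesite
```

Run the script as any user to see the summary and the two commands, then run the printed commands as root on the web server. A plain chcon -R -t httpd_sys_content_t /var/local/somesite would also fix it immediately, but that label is lost on the next full relabel (for example after touch /.autorelabel), which is why the semanage rule is recorded first. Confirm the result with ls -dZ /var/local/somesite, and if the denial was for a different type (for example a .htaccess you want writable, or files on an NFS mount), the tcontext type the script prints is what tells you which httpd_* type or boolean to look at.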