My permissions must be at fault, but I cannot figure out what.

[kingoslo]

Hello there,

Thanks for looking at my thread. As usual, I feel like I am in big trouble, so please read on. I have ubuntu server + lamp.

I get forbidden messages or HTTP 500 Internal Server Errors depending on my permissions. For troubleshooting, this is what I did:

Code:

$ ps aux | grep apache

root     2551 0.0 0.4 87576  8744  ? Ss 07:43 0:00 /usr/sbin/apache2 -k start
www-data 2556 0.0 0.4 88988  10276 ? S  07:43 0:00 /usr/sbin/apache2 -k start
www-data 2557 0.0 0.2 88044  5844  ? S  07:43 0:00 /usr/sbin/apache2 -k start
www-data 2558 0.0 0.2 88052  4888  ? S  07:43 0:00 /usr/sbin/apache2 -k start
www-data 2559 0.0 0.6 913772 10276 ? S  07:43 0:00 /usr/sbin/apache2 -k start

...








...

www-data 2618 0.0 0.2 88044 4888 ? S 07:43 0:00 /usr/sbin/apache2 -k start

Does this mean I have n-number of apache2 services running, one being ran as user root whilst the rest as user www-data? This is what I thought, so I added UserName to www-data group:

Code:

$ usermod -g www-data kingoslo

I also edited my /etc/passwd to (just to be on the safe side ):

Code:

...

UserName:x:1001:33:www-data,,,:/var/www:/bin/bash

...

I changed ownership of /var/www recursively to UserName:www-data. UserName is the user I will use for ftp:

Code:

$ chown -R UserName:www-data /var/www

I change permissions of entire /var/www recursively to 644:

Code:

$ chmod -R 644 /var/www

Clients got forbidden messages everywhere.

I tried 755, but with these setting I got HTTP 500 Internal Server Errors in my php files, but clients could browse the indexes and read config files containing db-passwords and all sorts of sensitive information.

I quickly set the permissions to 700, to save myself from being hacked, but this effectively shut down the website, but I felt like I had to to avoid getting leaking sensitive information

As you may expect, I am keen to figure out what is wrong Thank you for reading and for your help

Kind regards,
Marius

[atreyu]

The apache directory structure should have been set up correctly permissions-wise when you initially installed it. Your best bet is to back up config files you care about and reinstall the apache package.

Yes, (typically) root launches the initial httpd daemon, and sub-processes are run/owned by the User defined in the config file.

Keep in mind that any directories need to have executable bit set in order to cd into it, and the read bit in order to read the contents (i.e., 0755 is fine). As to files, they should all be owned by root, and anything public needs to have group-readable permissions set.

In order to control the accessibility of files, use Apache's built-in features to do that. You can use .htaccess files, or directives in the config file itself to control whether or not directory contents are listed.

If you are having specific PHP-related errors, post the errors (in PHP.ini, you can set display_errors = On, but turn it off before you go "live")

Edit: if you are worried about being "hacked" before you've gotten everything working, just tell apache to only listen on loopback (Listen 127.0.0.0 in httpd.conf, then restart it), while you dev.