From mweisman@gci.net Fri Jan 12 18:57:24 2001
From: "Mark Weisman"
Subject: RE: Question about apache.
Date: Fri, 12 Jan 2001 13:11:11 -0900

Mike,

I've already looked in my httpd.conf file, and I forward a copy attached to this email in (text format) for you to look at, however, I've gone in and checked my DNS settings, and they seem to be working. I've checked telnet, and it seems to work fine. I've looked at the services file, as well as inetd.conf and identd.conf and I see no changes other than my latest security patches.

I am able to login as nobody, then navigate to the subdirectory in question. I can move freely around the site as nobody, and yet I still receive the message that the server is a 403 forbidden. However, my concern is that the website error says that you don't have permission at "/". This isn't root is it? I don't see where I have stepped off the track here.
.htpaccess is almost empty (normal), and there are a couple of files located in the etc/httpd/conf folder that all look normal. I've checked almost everything, yet no answer. It would seem that I have the port unlocked because you can get the error, however, it's got something to do with rights, and I can't figure it out. Any assistance would be greatly appreciated.

Thanks,
Mark

-----Original Message-----
From: LINUX-owner@u.washington.edu [mailto:LINUX-owner@u.washington.edu] On Behalf Of Mike
Sent: Thursday, January 11, 2001 8:30 AM
To: UW Linux Group
Subject: Re: Question about apache.

Well, you have a number of things to take into consideration. You need to consider the filesystem permissions, and the Apache permissions.

First you need to know what user/group Apache is going to run as. This is dictated in httpd.conf by the "User" and "Group" directives. Once you know this, you need to make sure either that user or that group have at least READ and EXECUTE privilege to whichever directories are going to contain HTML documents, and READ access to those documents. To test this, you could possibly even use 'su' to log into the 'nobody' account and try to read the files.

Once those changes have been secured, then you need to make sure your access controls in httpd.conf are properly defined. These usually take the shape of directory-specific "Order", "Deny", and "Allow" directives.
For example, I've got one system running apache as nobody/www:

    User nobody
    Group www

The DocumentRoot is set to:

    DocumentRoot "/home/html"

The permissions on /home/html are:

    % ls -ld /home/html
    drwxr-s---  11 hornung  www  1024 Dec 26 12:56 /home/html/
    % ls -l index.html
    -rwxr-----   1 hornung  www  1511 Jun 27  2000 index.html

And the access controls are:

    Options ExecCGI MultiViews FollowSymLinks
    AllowOverride All
    Order deny,allow
    Deny from all
    Allow from XX.YY.ZZ.0/24 AA.BB.0.0/16 24.19.YY.ZZ

---------------------------
-=<(| mike@boobaz.net |)>=-

On Thu, 11 Jan 2001 at 07:59, Mark Weisman wrote:

|Network Blitz
|Hello,
|
|Been awhile since I've dropped a line, and finally it's happened. My Apache
|web server has decided to not let anyone have rights to view the web pages
|contained within. I have gone through all the files I can think of,
|however users still receive a "403 Forbidden error" that says they don't
|have the permission to view "/". This is perplexing because my document root
|for the apache server is "/web/html"? Any ideas would be greatly
|appreciated.
|
|Thank you,
|
|Mark Weisman
|
|God Bless,
|Mark-Nathaniel Weisman
|Systems Operator
|Outland Domain Group of Alaska
|Anchorage, Alaska
|
|PGP FingerPrint
|900E 2693 D42C B66D D96E F6F7 8E91 54CE
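Added example, not part of the original messages: the filesystem half of Mike's checklist as a Python walk that reports the first path the Apache run-as identity cannot pass (read on the document, read and execute on the directory holding it, and, going slightly beyond the message, search permission on every ancestor directory). The sample tree, the function names and the stand-in uid are constructed for illustration; only plain mode bits are evaluated, so ACLs, root's override and SELinux are not modelled.

```python
import os
import stat
import tempfile

def class_bits(st, uid, gids):
    """rwx bits (0-7) that apply to this identity: owner, else group, else other."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_blocker(target, uid, gids, base="/"):
    """First path from base down to target that uid/gids cannot pass, or None."""
    base, target = os.path.realpath(base), os.path.realpath(target)
    holder = target if os.path.isdir(target) else os.path.dirname(target)
    rel = os.path.relpath(target, base)
    chain = [base]
    for part in ([] if rel == "." else rel.split(os.sep)):
        chain.append(os.path.join(chain[-1], part))
    for path in chain:
        st = os.stat(path)
        need = 1            # --x: search permission on each ancestor directory
        if not stat.S_ISDIR(st.st_mode):
            need = 4        # r--: read the document itself
        elif path == holder:
            need = 5        # r-x: the directory that holds the documents
        if class_bits(st, uid, gids) & need != need:
            return path
    return None

def build_sample_tree(base):
    """Constructed sample tree with the modes from Mike's listing (setgid bit left out)."""
    html = os.path.join(base, "html")
    doc = os.path.join(html, "index.html")
    os.mkdir(html)
    with open(doc, "w") as fh:
        fh.write("<html></html>\n")
    os.chmod(base, 0o755)
    os.chmod(html, 0o750)   # drwxr-x---
    os.chmod(doc, 0o740)    # -rwxr-----
    return html, doc

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        html, doc = build_sample_tree(base)
        st = os.stat(doc)   # uid + 1 stands in for "nobody" (not the owner)
        for gids in ({st.st_gid}, set()):   # in the files' group, then not in it
            print(first_blocker(doc, st.st_uid + 1, gids, base))
```

On a real server, call first_blocker with the document path, the numeric uid and gid set of the httpd.conf "User"/"Group" account, and the default base of "/", so the whole chain from the filesystem root is checked.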