I have an Apache server running on Linux - CentOS.
In order to be able to edit my php files on Windows, I linked the server to my Dropbox account and created a symlink from the Dropbox folder, which is located under /root/Dropbox, to my public_html folder.
Then when I tried to edit a file in public_html through Windows, its permission turned to root and thus I got the famous 500 error. I guessed it has to do with the mentioned symlink's permission, so I changed the permission for the symlink to my user account but it didn't change.
But what happened next overwhelmed me: suddenly when I try to access any page on my site I get:
Forbidden You don't have permission to access /My/site/name/page.php on this server.
Digging around, I found out that the public_html owner and group is root, and ps aux | grep apache showed:
root 4533 0.0 0.0 10892 1604 ? S Jul31 0:00 /usr/local/apache/bin/httpd -k start -DSSL
nobody 4534 0.0 0.1 10892 2956 ? S Jul31 0:00 /usr/local/apache/bin/httpd -k start -DSSL
nobody 4535 0.0 0.1 10892 2952 ? S Jul31 0:00 /usr/local/apache/bin/httpd -k start -DSSL
nobody 4536 0.0 0.1 10892 2956 ? S Jul31 0:00 /usr/local/apache/bin/httpd -k start -DSSL
nobody 4537 0.0 0.1 10892 2956 ? S Jul31 0:00 /usr/local/apache/bin/httpd -k start -DSSL
nobody 4538 0.0 0.1 10892 2956 ? S Jul31 0:00 /usr/local/apache/bin/httpd -k start -DSSL
nobody 4551 0.0 0.1 10892 2208 ? S Jul31 0:00 /usr/local/apache/bin/httpd -k start -DSSL
nobody 4556 0.0 0.1 10892 2200 ? S Jul31 0:00 /usr/local/apache/bin/httpd -k start -DSSL
nobody 4565 0.0 0.1 10892 2200 ? S Jul31 0:00 /usr/local/apache/bin/httpd -k start -DSSL
nobody 4572 0.0 0.1 10892 2200 ? S Jul31 0:00 /usr/local/apache/bin/httpd -k start -DSSL
Changing the group of public_html to nobody did the trick and got rid of this error. But I don't know if it should be like this; I mean, I don't know what group it had before.
So I have two questions:
1. Given the mentioned Apache user, to what user should public_html belong?
2. If the answer to 1 is root, can you think of any reason that caused this error to suddenly happen, and what should be done in order to solve it?
It's worth mentioning that I started by posting the question here but I didn't get any answer, so I'm trying here. Hope it's legal.
Answer
You could run Dropbox as a non-root user, have public_html owned by that user and the apache group, and permissioned rwxrwx--- (i.e. 770) so that both your user and Apache can read and write.
Also, as a general principle of Linux/Unix administration, you should never run applications as root unless you absolutely have to.
To explain why Apache appears to use root, applications are only allowed to listen on privileged ports (those below 1024) if they are started with root privileges. As HTTP/HTTPS is served on ports 80/443 (respectively), Apache is started as root, and then forks processes under its own user (by default, called 'apache' on Red Hat based distributions - of which CentOS is one - or 'www-data' on Debian-based distributions - e.g. Ubuntu). The unprivileged user can be configured in your Apache configuration, though for 95% of applications the default is fine.
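The ownership layout suggested in the answer (a non-root owner, the Apache worker's group, mode 770) only works if the worker account can also traverse every directory above the real target of the symlink. As an added example, not part of the original question or answer, the following shell functions generalise that check to any path and account; the function names and the sample path are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): can USER reach and read PATH?
# Models classic mode bits for a non-root account; ACLs and SELinux are not checked.
# Usage (hypothetical path): audit_path /home/exampleuser/public_html nobody

# effective_bits OWNER GROUP MODE USER "GROUPS"
# Prints the octal digit (0-7) that applies to USER, in the kernel's order:
# owner bits if USER owns the file, else group bits if in GROUP, else other bits.
effective_bits() {
    local owner="$1" group="$2" mode="$3" user="$4" groups=" $5 "
    mode=${mode#"${mode%%[!0]*}"}      # strip leading zeros (avoid octal parsing)
    mode=$(( ${mode:-0} % 1000 ))      # drop the setuid/setgid/sticky digit
    if [ "$user" = "$owner" ]; then echo $(( mode / 100 ))
    else case $groups in
        *" $group "*) echo $(( mode / 10 % 10 )) ;;
        *)            echo $(( mode % 10 )) ;;
    esac; fi
}

# audit_path PATH USER [GROUPS]
# Resolves symlinks first (a symlink's own mode is not used for access checks
# on Linux), then walks from the real target up to /, requiring search (x) on
# every directory and read (r) on the target. GROUPS defaults to `id -Gn USER`.
# Prints one line per finding; returns 0 if clean, 1 on findings, 2 on error.
audit_path() {
    local target user="$2" groups p info owner group mode bits rc=0
    target=$(readlink -f -- "$1") || return 2
    [ -e "$target" ] || return 2
    groups=${3-$(id -Gn "$user")} || return 2
    p=$target
    while :; do
        info=$(stat -c '%U %G %a' -- "$p") || return 2
        owner=${info%% *}; mode=${info##* }; group=${info#* }; group=${group% *}
        bits=$(effective_bits "$owner" "$group" "$mode" "$user" "$groups")
        if [ -d "$p" ] && [ $(( bits & 1 )) -eq 0 ]; then
            echo "$user cannot traverse $p ($owner:$group $mode)"; rc=1
        fi
        if [ "$p" = "$target" ] && [ $(( bits & 4 )) -eq 0 ]; then
            echo "$user cannot read $p ($owner:$group $mode)"; rc=1
        fi
        [ "$p" = / ] && break
        p=$(dirname -- "$p")
    done
    return $rc
}
```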