Giving the Webserver User Write Access to the Directory
-
30th May 2015,05:16 PM #1
Give webserver write access to directory
from a headless server:
dnf install owncloud
after that in a browser:
server_ip/owncloud shows me a setup of an admin user, and where to save the data of all users.
i changed the data dir into /home/USER/DATA
Error
can not create or write in datadir /home/USER/DATA
how do i give httpd user write access to /home/USER/DATA
because i think that is the solution
otherwise, how do i solve this issue?
Most satisfied user of Fedora Core in the Netherlands
-
30th May 2015,09:39 PM #2
Re: Give webserver write access to directory
Short answer - turn off SELinux (Security Enhanced Linux)!
Temporary solution (until rebooted)
Permanent - edit /etc/selinux/config and set
or
And then reboot. "Permissive" mode logs any access violations but does not prevent access (useful if you want to add policies later), "Disabled" turns off completely.
SELinux is enabled by default in Fedora which prevents applications writing to 'random' locations, which is what hackers will want to do with your system if they hijack an application.
Of course, the "correct" (or perhaps "secure") way would be to:
- Enable any SELinux booleans affecting application behaviour when writing to home directories
- Apply the appropriate SELinux labels to the directories concerned
- Add an SELinux policy with your changes so they survive a SELinux relabel of the file system
- Set the Unix file permissions to allow the HTTPD server user (or group) write access to the files
But I think the Red Hat SELinux course is a week long and I certainly haven't been on it, so you will need to do a lot more research!
-
30th May 2015,09:59 PM #3
Re: Give webserver write access to directory
SELinux is rather simple.
1. there are a set of booleans that allow for php/home directory access - the full list is:
Code:
httpd_anon_write --> off
httpd_builtin_scripting --> on <**** if you want PHP
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on <**** if you want access to home directories
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
Code:
httpd_sys_script_exec_t -> CGI
httpd_sys_content_t -> prevents apache processes from corrupting data
httpd_sys_rw_content_t -> allows apache process to write to the data or create files (if on a directory)
httpd_user_content_t -> user owned but read only to apache
httpd_user_rw_content_t -> user owned but allows apache to write.
-
31st May 2015,07:23 AM #4
Re: Give webserver write access to directory
Originally Posted by SteveGYBE
Short answer - turn off SELinux (Security Enhanced Linux)!
Temporary solution (until rebooted)
Permanent - edit /etc/selinux/config and set
or
And then reboot. "Permissive" mode logs any access violations but does not prevent access (useful if you want to add policies later), "Disabled" turns off completely.
SELinux is enabled by default in Fedora which prevents applications writing to 'random' locations, which is what hackers will want to do with your system if they hijack an application.
Of course, the "correct" (or perhaps "secure") way would be to:
- Enable any SELinux booleans affecting application behaviour when writing to home directories
- Apply the appropriate SELinux labels to the directories concerned
- Add an SELinux policy with your changes so they survive a SELinux relabel of the file system
- Set the Unix file permissions to allow the HTTPD server user (or group) write access to the files
But I think the Red Hat SELinux course is a week long and I certainly haven't been on it, so you will need to do a lot more research!
still the same issue
Most satisfied user of Fedora Core in the Netherlands
-
31st May 2015,03:15 PM #5
Re: Give webserver write access to directory
works
created /home/owncloud/data
the owncloud dir and the data dir are chmodded 777, and now owncloud is set
it complains about chmod 0770 to data dir:
do
chmod 0770 /home/owncloud/data
it complains about write access by webserver
do:
chown -R apache:apache /home/owncloud/data
yes, i am good
Most satisfied user of Fedora Core in the Netherlands
-
31st May 2015,11:48 PM #6
Re: Give webserver write access to directory
With SELinux disabled your system is now open to any vulnerability in the web server...
Fortunately the default is to run apache as a user, so at least the system files are mostly protected.
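The four steps listed in post #2, carried out with SELinux left enforcing, using the boolean and file type named in post #3 and the directory from post #5; this is an added example and not part of the original thread. The function names, the dry-run default and the `APPLY=1` switch are assumptions of this example; `setsebool`, `semanage fcontext` and `restorecon` are the standard SELinux administration tools.

```shell
#!/bin/sh
# Added example (not from the thread): give Apache write access to an ownCloud
# data directory while SELinux stays enforcing. Prints the commands by default;
# run as root with APPLY=1 to execute them.

# Print the command plan for one directory; returns 1 if the path is unusable.
httpd_rw_plan() {
    dir=${1%/}                        # normalise one trailing slash
    case $dir in
        /?*) ;;                       # absolute path, and not "/" itself
        *) echo "error: need an absolute directory path" >&2; return 1 ;;
    esac
    # The path is embedded in a semanage regex and in shell commands, so this
    # example conservatively accepts only [A-Za-z0-9/_-] and no empty component.
    case $dir in
        *[!A-Za-z0-9/_-]*|*//*)
            echo "error: unsupported character or empty component" >&2; return 1 ;;
    esac
    # Step 1: the boolean post #3 marks for home directories, only below /home.
    case $dir in
        /home/*) echo "setsebool -P httpd_enable_homedirs on" ;;
    esac
    # Steps 2 and 3: record the label in local policy so it survives a relabel,
    # then apply it to the existing files.
    echo "semanage fcontext -a -t httpd_sys_rw_content_t '${dir}(/.*)?'"
    echo "restorecon -Rv ${dir}"
    # Step 4: Unix ownership and mode, as used in post #5.
    echo "chown -R apache:apache ${dir}"
    echo "chmod 0770 ${dir}"
    # Show the resulting SELinux context for a manual check.
    echo "ls -Zd ${dir}"
}

# Print the plan, or execute it (stopping at the first failure) when APPLY=1.
httpd_rw_main() {
    plan=$(httpd_rw_plan "$1") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$plan" | sh -ex
    else
        printf '%s\n' "$plan"
    fi
}

# Run only when a directory argument is given, e.g. /home/owncloud/data
if [ "$#" -gt 0 ]; then
    httpd_rw_main "$@"
fi
```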
Source: https://forums.fedoraforum.org/showthread.php?304767-Give-webserver-write-access-to-directory