2

I have an Apache server running on Linux - CentOS.

In order to be able to edit my php files on Windows, I linked the server to my Dropbox account and created a symlink from the Dropbox folder, which is located under /root/Dropbox, to my public_html folder. Then when I tried to edit a file in public_html through Windows, its permission turned to root and thus I got the famous 500 error. I guessed it has to do with the mentioned symlink's permission, so I changed the permission for the symlink to my user account but it didn't change. But what happened next overwhelmed me: suddenly when I try to access any page on my site I get:

Forbidden You don't have permission to access /My/site/name/page.php on this server.

Digging around I found out that the public_html owner and group is root, ps aux | grep apache showed

root      4533  0.0  0.0  10892  1604 ?        S    Jul31   0:00     /usr/local/apache/bin/httpd -k start -DSSL
nobody    4534  0.0  0.1  10892  2956 ?        S    Jul31   0:00 /usr/local/apache/bin/httpd -k start -DSSL
nobody    4535  0.0  0.1  10892  2952 ?        S    Jul31   0:00 /usr/local/apache/bin/httpd -k start -DSSL
nobody    4536  0.0  0.1  10892  2956 ?        S    Jul31   0:00 /usr/local/apache/bin/httpd -k start -DSSL
nobody    4537  0.0  0.1  10892  2956 ?        S    Jul31   0:00 /usr/local/apache/bin/httpd -k start -DSSL
nobody    4538  0.0  0.1  10892  2956 ?        S    Jul31   0:00 /usr/local/apache/bin/httpd -k start -DSSL
nobody    4551  0.0  0.1  10892  2208 ?        S    Jul31   0:00 /usr/local/apache/bin/httpd -k start -DSSL
nobody    4556  0.0  0.1  10892  2200 ?        S    Jul31   0:00 /usr/local/apache/bin/httpd -k start -DSSL
nobody    4565  0.0  0.1  10892  2200 ?        S    Jul31   0:00 /usr/local/apache/bin/httpd -k start -DSSL
nobody    4572  0.0  0.1  10892  2200 ?        S    Jul31   0:00 /usr/local/apache/bin/httpd -k start -DSSL

changing the group of public_html to nobody did the trick and got this error off. But I don't know if it should be like this, I mean, I don't know what group it had before.

So I have two questions:

1. Given the mentioned apache's user, to what user should public_html belong?

2. If the answer to 1 is root, can you think of any reason that caused this error to suddenly happen, and what should be done in order to solve it?

It's worth mentioning that I started by posting the question here but I didn't get any answer so I'm trying here. Hope it's legal.

Subway
  • also look at the folder permissions? – Loopo May 11 '13 at 07:40
  • Oh, you are right, public_html's ownership has changed to root and its permission is rwxr-x---. Genius! But can you please guess how did it happen? I can tell for sure that it didn't happen right after I created the symlink even though the symlink is under root. – Subway May 11 '13 at 07:46
  • the owner of the files/folders should be the web-server user, I think this is 'apache' on CentOs. – Loopo May 11 '13 at 07:49
  • Sorry I edited my comment. Is the rwxr-x--- permission for public_html good enough? – Subway May 11 '13 at 07:51
  • OK, I changed the owner of public_html but the error still occurs. – Subway May 11 '13 at 07:56
  • Also, "ps aux | grep apache" shows that the Apache owner is root, should it be this way? – Subway May 11 '13 at 08:10
  • I'm editing my question according to new things I noticed. – Subway May 11 '13 at 11:22

1 Answer

2

You could run Dropbox as a non-root user, have public_html owned by that user and the apache group, and permissioned rwxrwx--- (i.e. 770) so that both your user and Apache can read and write.

Also, as a general principle of Linux/Unix administration, you should never run applications as root unless you absolutely have to.

To explain why Apache appears to use root, applications are only allowed to listen on privileged ports (those below 1024) if they are started with root privileges. As HTTP/HTTPS is served on ports 80/443 (respectively), Apache is started as root, and then forks processes under its own user (by default, called 'apache' on Red Hat based distributions - of which CentOS is one - or 'www-data' on Debian-based distributions - e.g. Ubuntu). The unprivileged user can be configured in your Apache configuration, though for 95% of applications the default is fine.

Craig Watson
  • Thanks for answering, I’ll try it. I'd +1 it for the explanation if I had the privilege. I’m curious to understand though what caused my server not to respond to requests. So you are saying that since I ran Dropbox as root and made a symlink from the Dropbox folder to public_html, that's why public_html turned to be under the root group? – Subway May 11 '13 at 13:09
  • And just a little question, why is it that on my CentOS, apache's sub processes are running under 'nobody', not 'apache'? – Subway May 11 '13 at 13:12
  • You can check your Apache configuration - usually in /etc/httpd on CentOS, look for the 'User' and 'Group' directives. Running DropBox as root would cause all files within your DropBox folder (of which public_html is one via the symlink) to be owned by root. Another option would be to add the 'apache' user to your non-privileged group, and chmod 770 as above. – Craig Watson May 11 '13 at 13:25
  • Thank you. What do you mean by "add the 'apache' user to your non-privileged group"? Sorry for the ignorance. – Subway May 11 '13 at 13:32
  • No worries - details are here: http://www.cyberciti.biz/faq/howto-linux-add-user-to-group - you will need to create a user to use with DropBox, and also create a group with the same name. Once you've created both, you can add the user that Apache runs as to the created group, so that it will be able to read your 'public_html' folder (the second 'rwx' in the permissions list are for the group). – Craig Watson May 11 '13 at 13:48
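
The permission logic behind the 403 in this thread, as an added example that is not part of the original question or answer: it reads the `User`/`Group` directives from an Apache config and decides which permission triad (owner, group or other) the worker account gets on the document root. The config content, the `subway` account name and the helper names are constructed for illustration; GNU `stat` is assumed, and the worker account is assumed to have no supplementary groups.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names are hypothetical.

# Last value of a top-level Apache directive (e.g. User, Group) in one
# config file. Directive names are case-insensitive; Include files are not followed.
apache_directive() {  # $1 = directive, $2 = config file
    awk -v d="$1" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$2"
}

# Succeeds if the account (user $4, group $5) gets r-x on a directory with
# owner $1, group $2 and octal mode $3. Exactly one triad applies:
# owner if the user matches, else group, else other.
# Assumption: $5 is the account's only group.
can_serve() {
    mode="000$3"
    m=${mode#"${mode%???}"}            # last three octal digits
    u=${m%??}; g=${m#?}; g=${g%?}; o=${m#??}
    if   [ "$1" = "$4" ]; then d=$u
    elif [ "$2" = "$5" ]; then d=$g
    else d=$o
    fi
    [ $((d & 5)) -eq 5 ]               # read (4) + traverse (1)
}

# Same check against a real path; -L follows a symlinked docroot.
can_serve_path() {  # $1 = path, $2 = web user, $3 = web group
    set -- "$@" $(stat -L -c '%U %G %a' "$1")
    can_serve "$4" "$5" "$6" "$2" "$3"
}

# Constructed sample config matching the thread (workers run as 'nobody').
conf=$(mktemp)
printf '%s\n' 'ServerRoot "/usr/local/apache"' 'User nobody' 'Group nobody' > "$conf"
WEB_USER=$(apache_directive User "$conf")
WEB_GROUP=$(apache_directive Group "$conf")
rm -f "$conf"

# The three docroot states from the thread: root-owned rwxr-x---, the same
# after chgrp nobody, and the answer's layout (non-root owner, mode 770).
for state in 'root root 750' 'root nobody 750' 'subway nobody 770'; do
    if can_serve $state "$WEB_USER" "$WEB_GROUP"; then r=served; else r='403 Forbidden'; fi
    echo "owner/group/mode $state -> $r"
done
```

On a live host, `can_serve_path /path/to/public_html "$WEB_USER" "$WEB_GROUP"` applies the same check to the directory's actual owner, group and mode.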