I want to access a user's directory from a CGI script. I set the ACL on the directory successfully but the script still gets "Permission denied" when trying to access that directory. I su'd to apache and have the same problem (so it is not a webserver/script issue). What am I missing?

# getfacl /home/pmedrano/Maildir/cur/
getfacl: Removing leading '/' from absolute path names
# file: home/pmedrano/Maildir/cur/
# owner: pmedrano
# group: pmedrano
user::rwx
user:apache:r-x
group::---
group:apache:r-x
mask::r-x
other::---
default:user::rwx
default:user:apache:r-x
default:group::---
default:group:apache:r-x
default:mask::r-x
default:other::---

# su -s /bin/bash apache
bash-4.2$ ls /home/pmedrano/Maildir/cur/
ls: cannot access /home/pmedrano/Maildir/cur/: Permission denied
bash-4.2$ whoami
apache
bash-4.2$ getfacl /home/pmedrano/Maildir/cur/
getfacl: /home/pmedrano/Maildir/cur/: Permission denied
bash-4.2$
Pascal
  • What do the permissions look like on: /home/pmedrano/Maildir and higher in the directory tree? – Nov 19 '14 at 00:49
  • They were standard, but I just did "setfacl -m u:apache:rx" for pmedrano & Maildir and now apache can access cur, but apache can also now see the files in those two directories (but not the file contents). – Pascal Nov 19 '14 at 00:55
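
The fix reached in the comments above (apache also needs permission on the directories above cur), as an added example that is not part of the original thread: it parses getfacl text and applies the POSIX ACL check order to each path component. The parent ACLs are constructed assumptions (owner-only, then with a search-only `u:apache:--x` grant, which permits traversal without listing).

```python
# Added example. CUR holds the access entries shown in the question; HOME, PRIVATE
# and TRAVERSE are constructed sample ACLs (assumptions, not from the thread).
CUR = ("# owner: pmedrano\n# group: pmedrano\nuser::rwx\nuser:apache:r-x\n"
       "group::---\ngroup:apache:r-x\nmask::r-x\nother::---")
HOME = "# owner: root\n# group: root\nuser::rwx\ngroup::r-x\nother::r-x"
PRIVATE = "# owner: pmedrano\n# group: pmedrano\nuser::rwx\ngroup::---\nother::---"
TRAVERSE = PRIVATE + "\nuser:apache:--x\nmask::--x"  # search-only grant for apache

def parse_acl(text):
    """Parse one getfacl block; 'default:' entries do not affect access checks."""
    acl = {"owner": None, "group": None, "entries": []}
    for line in map(str.strip, text.strip().splitlines()):
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, name, perms = line.split("#")[0].strip().split(":")
            acl["entries"].append((tag, name, set(perms) - {"-"}))
    return acl

def allowed(acl, user, groups, want):
    """Check order: owner, named user, groups, other; mask caps named and group entries."""
    want, e = set(want), acl["entries"]
    mask = next((p for t, n, p in e if t == "mask"), set("rwx"))
    if user == acl["owner"]:
        return want <= next(p for t, n, p in e if t == "user" and n == "")
    for t, n, p in e:
        if t == "user" and n == user:
            return want <= (p & mask)
    grp = [p for t, n, p in e if t == "group"
           and (n in groups or (n == "" and acl["group"] in groups))]
    if grp:
        return any(want <= (p & mask) for p in grp)
    return want <= next(p for t, n, p in e if t == "other")

def first_block(chain, user, groups):
    """chain: (path, getfacl text) pairs, root to leaf. Returns first denying path or None."""
    for i, (path, text) in enumerate(chain):
        want = "rx" if i == len(chain) - 1 else "x"  # search on ancestors, list on the leaf
        if not allowed(parse_acl(text), user, groups, want):
            return path
    return None

def path_chain(parent_acl):
    return [("/home", HOME), ("/home/pmedrano", parent_acl),
            ("/home/pmedrano/Maildir", parent_acl), ("/home/pmedrano/Maildir/cur", CUR)]

print("owner-only parents, blocked at:", first_block(path_chain(PRIVATE), "apache", {"apache"}))
print("u:apache:--x on parents, blocked at:", first_block(path_chain(TRAVERSE), "apache", {"apache"}))
```

On a live system, `namei -l /home/pmedrano/Maildir/cur/` shows the owner and mode of each component of the same path.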

1 Answer

Most likely you've got SELinux enabled - that prevents Apache from accessing your Maildir regardless of permissions.

You can either

  1. Disable SELinux altogether in /etc/sysconfig/selinux - not recommended
  2. Give Apache access to the Maildir files - check out audit2allow tool

Be aware that misconfiguring SELinux may have a negative impact on your server's security.

MLu
  • SELinux is not even installed on this box. – Pascal Nov 19 '14 at 01:47
  • Interesting, I thought it comes by default with CentOS 7 and often catches unsuspecting users. Never mind, I see you already resolved the problem. – MLu Nov 19 '14 at 01:51