Apache-the-program can't see directiories apache-the-user can see

Dims · 03-04-2009, 12:32 AM

I have encountered strange behavior. When I ask the listing of the root directory under the rights of apache user, I see the different picture then I see when the same command is issued by Python and displayed on the web page.

Here is the first listing

Code:

[root@telesmi ~]# sudo -u apache ls -l /
total 150
drwxr-xr-x   2 root root  4096 2009-03-03 04:11 bin
drwxr-xr-x   5 root root  1024 2008-07-24 13:34 boot
drwxr-xr-x   4 root root  4096 2009-03-03 08:59 d4m
drwxr-xr-x  12 root root  4120 2009-03-03 09:20 dev
drwxr-xr-x  97 root root 12288 2009-03-03 09:20 etc
drwxr-xr-x   2 root root  4096 2009-03-03 09:02 fff
drwxr-xr-x   2 root root  4096 2009-03-03 10:02 ggg
drwxr-xr-x   2 root root  4096 2008-04-07 17:44 home
drwxr-xr-x  15 root root 12288 2009-03-02 08:00 lib
-rw-r--r--   1 root root 34834 2009-03-02 08:31 libdrutils.a
drwx------   2 root root 16384 2008-07-18 22:40 lost+found
drwxr-xr-x   2 root root  4096 2008-04-07 17:44 media
drwxr-xr-x   2 root root  4096 2008-04-07 17:44 mnt
drwxr-xr-x   2 root root  4096 2009-03-03 02:47 opt
drwxr-xr-x   2 root root  4096 2009-02-27 11:10 prj
dr-xr-xr-x 111 root root     0 2009-03-03 09:20 proc
drwxr-x---  15 root root  4096 2009-03-03 19:06 root
drwxr-xr-x   2 root root 12288 2009-02-11 04:11 sbin
drwxr-xr-x   7 root root     0 2009-03-03 09:20 selinux
drwxr-xr-x   2 root root  4096 2008-04-07 17:44 srv
drwxr-xr-x  11 root root     0 2009-03-03 09:20 sys
drwxrwxrwt   5 root root  4096 2009-03-03 10:10 tmp
drwxr-xr-x  13 root root  4096 2008-07-18 22:46 usr
drwxr-xr-x  20 root root  4096 2008-07-18 22:48 var

And here is the listing of the command ls -l / as it is seen by Python:

Code:

total 100
drwxr-xr-x   2 root root  4096 Mar  3 04:11 bin
d?????????   ? ?    ?        ?            ? boot
d?????????   ? ?    ?        ?            ? d4m
drwxr-xr-x  12 root root  4120 Mar  3 09:20 dev
drwxr-xr-x  97 root root 12288 Mar  3 09:20 etc
d?????????   ? ?    ?        ?            ? fff
drwxr-xr-x   2 root root  4096 Apr  7  2008 home
drwxr-xr-x  15 root root 12288 Mar  2 08:00 lib
-rw-r--r--   1 root root 34834 Mar  2 08:31 libdrutils.a
d?????????   ? ?    ?        ?            ? lost+found
d?????????   ? ?    ?        ?            ? media
d?????????   ? ?    ?        ?            ? mnt
drwxr-xr-x   2 root root  4096 Mar  3 02:47 opt
d?????????   ? ?    ?        ?            ? prj
dr-xr-xr-x 115 root root     0 Mar  3 09:20 proc
d?????????   ? ?    ?        ?            ? root
drwxr-xr-x   2 root root 12288 Feb 11 04:11 sbin
d?????????   ? ?    ?        ?            ? selinux
drwxr-xr-x   2 root root  4096 Apr  7  2008 srv
d?????????   ? ?    ?        ?            ? sys
drwxrwxrwt   4 root root  4096 Mar  3 09:22 tmp
drwxr-xr-x  13 root root  4096 Jul 18  2008 usr
drwxr-xr-x  20 root root  4096 Jul 18  2008 var

Evidently, that it can't see even access rights, owners, modification times etc.

Why?

Also, if I ask to list some directory inside one of these strange directories, I get the following error (for example)

ls: cannot access /d4m: Permission denied

while normal lack of access usually gives the following message

ls: cannot open directory /root: Permission denied

What is the difference between "cannot access" and "cannot open directory"?

Thanks.

win32sux · 03-04-2009, 01:07 AM

The read bit on a directory gives you the ability to list the contents ("cannot open" implies you don't have this ability). The execute bit on a directory gives you the ability to access the directory ("cannot access" implies you don't have this ability).

Dims · 03-04-2009, 02:09 AM

Thanks.

And what can prevent Apache to view access rights?

win32sux · 03-04-2009, 02:22 AM

I don't know why you're getting (apparently) unexpected results from within your Python code.

Does it happen only with / or with other directories (/usr, for example) too?

Dims · 03-04-2009, 02:32 AM

This happens for some directories. Below is listing for ls -l /usr

Code:

total 112
drwxr-xr-x   2 root root 36864 Mar  3 04:11 bin
drwxr-xr-x   2 root root  4096 Apr  7  2008 etc
drwxr-xr-x   2 root root  4096 Apr  7  2008 games
drwxr-xr-x  32 root root  4096 Mar  2 08:15 include
drwxr-xr-x   6 root root  4096 Jul 18  2008 kerberos
drwxr-xr-x  87 root root 36864 Mar  3 04:11 lib
drwxr-xr-x   8 root root  4096 Mar  2 08:00 libexec
drwxr-xr-x  15 root root  4096 Mar  2 08:19 local
drwxr-xr-x   2 root root 12288 Mar  2 08:56 sbin
drwxr-xr-x 116 root root  4096 Mar  2 07:59 share
d?????????   ? ?    ?        ?            ? src
lrwxrwxrwx   1 root root    10 Jul 18  2008 tmp -> ../var/tmp

Here we see, that every directory is normal except src.

Dims · 03-04-2009, 02:34 AM

While src has no apparent differences from the POV of the command line:

Code:

[root@telesmi /]# sudo -u apache ls -l /usr
total 116
drwxr-xr-x   2 root root 36864 2009-03-03 04:11 bin
drwxr-xr-x   2 root root  4096 2008-04-07 17:44 etc
drwxr-xr-x   2 root root  4096 2008-04-07 17:44 games
drwxr-xr-x  32 root root  4096 2009-03-02 08:15 include
drwxr-xr-x   6 root root  4096 2008-07-18 22:46 kerberos
drwxr-xr-x  87 root root 36864 2009-03-03 04:11 lib
drwxr-xr-x   8 root root  4096 2009-03-02 08:00 libexec
drwxr-xr-x  15 root root  4096 2009-03-02 08:19 local
drwxr-xr-x   2 root root 12288 2009-03-02 08:56 sbin
drwxr-xr-x 116 root root  4096 2009-03-02 07:59 share
drwxr-xr-x   2 root root  4096 2008-04-07 17:44 src
lrwxrwxrwx   1 root root    10 2008-07-18 22:45 tmp -> ../var/tmp

Dims · 03-04-2009, 02:36 AM

May be this can related with some restrictions, applied to Apache only? May be some nutshell or FUSE somehow used? I am a newbie hence not sure these are correct suggestions...

Dims · 03-04-2009, 02:34 PM

I found resolution. This was because of selinux security for httpd.

win32sux · 03-04-2009, 02:37 PM

Quote:

Originally Posted by Dims

I found resolution. This was because of selinux security for httpd.

That's awesome! I'm glad you worked it out. I had actually suspected SELinux but I didn't want to say anything since it was only a hunch and I have zero SELinux experience. What exactly did you change in order to fix it? Hopefully you didn't disable it entirely!

Dims · 04-27-2009, 12:24 PM

Quote:

Originally Posted by win32sux

What exactly did you change in order to fix it? Hopefully you didn't disable it entirely!

Sorry, I am not remember now what I did exactly, but most probably I have disabled it

I think I was fail to find a way to setup correct behavior for httpd, but I was trying honestly