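Today I set out to configure user directories (UserDir) on an Apache server. I ran into a tricky problem; the configuration process, the problem and its solution are summarized below:
1. Standard configuration:
Add the user web: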
adduser web
passwd web
Create a public_html directory in the web user's home directory and set its permissions to 755:
mkdir public_html
chmod 755 public_html -R
Edit /etc/http/httpd.conf:
#
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# The path to the end user account 'public_html' directory must be
# accessible to the webserver userid. This usually means that ~userid
# must have permissions of 711, ~userid/public_html must have permissions
# of 755, and documents contained therein must be world-readable.
# Otherwise, the client will only receive a "403 Forbidden" message.
#
# See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden
#
<IfModule mod_userdir.c>
#
# UserDir is disabled by default since it can confirm the presence
# of a username on the system (depending on home directory
# permissions).
#
#UserDir disable
#
# To enable requests to /~user/ to serve the user's public_html
# directory, remove the "UserDir disable" line above, and uncomment
# the following line instead:
#
UserDir public_html
</IfModule>
2. Testing; the problem appears:
http://127.0.0.1/~web
======================
Forbidden
You don't have permission to access /~web on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
--------------------------------------------------------------------------------
Apache/2.0.54 (Fedora) Server at 127.0.0.1 Port 80
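When this problem appears, the first instinct is to suspect the directory's access permissions. I checked and adjusted things for a long time without solving it. At one point I wondered whether SELinux was the cause; I went in and looked around, but found nothing that needed changing. (Later events proved that intuition is sometimes very accurate; whether you find the answer often comes down to how far you follow that intuition.)
3. Solving the problem:
After searching Google for "Apache 403" for quite a while, I finally found a blog whose author had hit exactly the same problem as I had: the Apache and directory configuration were both fine, yet the page would not display. The fix was precisely to change SELinux's access control on public_html.
Use the following command to change the directory's security attributes: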
chcon -R -t httpd_user_content_t public_html/
4. Summary of related knowledge:
Fedora Core 5 SELinux FAQ
http://fedora.redhat.com/docs/selinux-faq-fc5/#faq-entry-public_html
Q: How do I make a user public_html directory work under SELinux?
A: This process presumes that you have enabled user public HTML directories in your Apache configuration file, /etc/httpd/conf/httpd.conf. This process only covers serving static Web content. For more information, see http://fedora.redhat.com/docs/selinux-apache-fc3/.
If you do not already have a ~/public_html directory, create it and populate it with the files and folders to be served.
cd ~
mkdir public_html
cp /path/to/content ~/public_html
At this point, httpd is configured to serve the contents, but you still receive a 403 forbidden error. This is because httpd is not allowed to read the security type for the directory and files as they are created in the user's home directory. Change the security context of the folder and its contents recursively using the -R option:
ls -Z -d public_html/
drwxrwxr-x auser auser user_u:object_r:user_home_t public_html
chcon -R -t httpd_user_content_t public_html/
ls -Z -d public_html/
drwxrwxr-x auser auser user_u:object_r:httpd_user_content_t public_html/
ls -Z public_html/
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t bar.html
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t baz.html
-rw-rw-r-- auser auser user_u:object_r:httpd_user_content_t foo.html
You may notice at a later date that the user field, set here to user_u, is changed to system_u. This does not affect how the targeted policy works. The field that matters is the type field.
Your static webpages should now be served correctly. If you continue to have errors, ensure that the Boolean which enables user home directories is enabled. You can set it using system-config-securitylevel. Select the SELinux tab, and then select the Modify SELinux Policy area. Select Allow HTTPD to read home directories. The changes take effect immediately.
Explanation of the commands used:
ls -Z -d public_html/
# Show the security context of a file/directory
-Z, --context
    Display security context so it fits on most displays. Displays only mode, user, group, security context and file name.
-d, --directory
    list directory entries instead of contents, and do not dereference symbolic links
chcon -R -t httpd_user_content_t public_html/
# Change the security context of a file/directory
-R, --recursive
    change files and directories recursively
-t, --type
    set type TYPE in the target security context
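A small checker for the two layers discussed above (the file modes from the httpd.conf comment, then the SELinux type), added here as an illustration; it is not part of the original post or the Fedora FAQ. It assumes the five-column ls -Z layout shown in the FAQ excerpt; the function name diagnose_line, its home/dir/file labels and the sample lines are constructed for this example:

```sh
#!/bin/sh
# Added example: classify one `ls -Z -d` line by what would cause the 403.
# Assumed columns (Fedora Core era, as in the FAQ): mode user group context name
# KIND is a label invented for this example: home | dir | file.
diagnose_line() {
    kind=$1
    read -r mode _owner _group context name <<EOF
$2
EOF
    # DAC first: home needs o+x (711), public_html o+rx (755), documents o+r.
    # SELinux access to the home directory itself depends on the boolean the
    # FAQ mentions, so only the mode is checked for KIND=home.
    case "$kind:$mode" in
        home:d????????[xt]*) echo "$name: ok"; return 0 ;;
        home:*) echo "$name: others cannot traverse ($mode)"; return 1 ;;
        dir:d??????r?[xt]*|file:-??????r*) ;;
        *) echo "$name: others lack access ($mode)"; return 1 ;;
    esac
    # Then SELinux: only the type (third field) matters; an MLS suffix is ignored.
    type=$(printf '%s\n' "$context" | cut -d: -f3)
    if [ "$type" = httpd_user_content_t ]; then
        echo "$name: ok"
        return 0
    fi
    echo "$name: SELinux type $type, expected httpd_user_content_t"
    return 1
}

# Constructed sample input (KIND, then an `ls -Z -d` line); not from a real host.
while read -r kind line; do
    diagnose_line "$kind" "$line" || :
done <<'EOF'
home drwx--x--x web web user_u:object_r:user_home_dir_t /home/web
dir drwxr-xr-x web web user_u:object_r:user_home_t public_html
dir drwxr-xr-x web web system_u:object_r:httpd_user_content_t public_html
file -rw------- web web user_u:object_r:httpd_user_content_t secret.html
EOF
```

The second sample line is the situation from section 2: mode 755 is correct, yet the type is still user_home_t, so Apache answers 403 until chcon is run.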