Permission denied when html and cgi files become persistent

Following this:

I connected 2 qubes, named client and server through a qube named firewall, and made an extremely basic apache server on server qube that could be accessed from client.
Firewall has no net qube, so everything should be contained on my machine.
It had only a single file in both /var/www/html and /var/www/cgi-bin with one word in each.
Everything worked as expected.

Then, I made the /var/www/html and /var/www/cgi-bin files persistent in server using bind-dirs with this guide:

Now, when I start the server, I can’t access it from client.
I can’t even access it from another terminal in server.
I get a 403 error.
I can ping server from client and vice versa.
If I make a server in client, and let firewall allow server to connect to client, I can connect to the server in client from server.
The server I set up in client is identical to the one I made in server.
I wondered if bind-dirs could have messed with permissions, but I checked both servers and the permissions on both were identical.

I’m not entirely sure where to go from here to continue debugging.
It seems to me that it has something to do with bind-dirs, but I could be wrong.
Does anyone know why this could be happening or point me in the right direction to continue to debug this?

Thanks!

Probably a problem with permissions. Check the apache logs for errors.

Have you checked that the bind dirs actually contain the files you want?

The 403 error means the client correctly connects to the http server, but that the request content is denied.

You have an issue on the web server configuration (permissions maybe, as suggested above), but your problem is unrelated to Qubes OS itself. :slight_smile:

Apache log gives this:
[Sun Mar 24 10:07:54.955508 2024] [core:error] [pid 1063:tid 1183] (13)Permission denied: [client 10.137.0.30:37264] AH00035: access to /hello.txt denied (filesystem path ‘/var/www/html/hello.txt’) because search permissions are missing on a component of the path

When I do
namei -l /var/www/html/hello.txt
this is the output
f: /var/www/html/hello.txt
dr-xr-xr-x root root /
drwxr-xr-x root root var
drwxr-xr-x root root www
drwxr-xr-x root root html
-rwxr-xr-x root root hello.txt

It is my understanding that you must have x permissions for all files/directories in the path in order to view the webpage, but this shows that they can all be executed by everyone.

I can see the default fedora webpage test server, but I cannot access hello.txt.
When I change the permissions for www to not have x, I can no longer view the default webpage from client or firefox from within server.

Yes, they contain the same files with the same contents and the same permissions.

It may be selinux preventing apache from traversing different mountpoints. You could check its logs (/var/log/security.log IIRC) to see if there is something related.

At worst, you can disable it with setenforce 0 and see if it helps, in that case it’s up to you to learn how to fix the issue properly or deactivate selinux entirely.


setenforce 0 worked!

Now, I don’t know what that does, I obviously still have a lot to learn.
But you gave me a starting point for what to learn from here on out!
Thank you so much!

this disabled selinux :slight_smile:
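
As a follow-up to the SELinux diagnosis in this thread, here is an added example (not code from any of the posters) that pulls Apache-related AVC denials out of audit-log text, so the blocked path component and its label can be seen instead of leaving enforcement off. The function name `httpd_avc_denials` and the sample records are assumptions made up for illustration; the records follow the standard `type=AVC` audit format but are not from the poster's system.

```shell
#!/bin/sh
# Added example (not from the thread): summarise SELinux AVC denials for Apache.

# Constructed audit records; every value here is invented for illustration.
sample_audit_lines() {
cat <<'EOF'
type=AVC msg=audit(1711274874.955:321): avc:  denied  { search } for  pid=1063 comm="httpd" name="html" dev="xvdb" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1711274880.101:322): avc:  denied  { read } for  pid=2210 comm="sshd" name="motd" dev="xvda3" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1711274874.955:321): arch=c000003e syscall=262 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1711274901.412:330): avc:  denied  { read open } for  pid=1063 comm="httpd" name="hello.txt" dev="xvdb" ino=132 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
EOF
}

# Reads audit lines on stdin and prints one line per denial whose source
# domain is httpd_t: "<permissions> <object class> <name> <target context>".
httpd_avc_denials() {
    awk '
    /type=AVC/ && /denied/ && /scontext=[^ ]*:httpd_t:/ {
        perm = ""; name = "-"; tctx = ""; tclass = ""
        # The denied permissions sit between "{ " and " }".
        if (match($0, /[{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
            gsub(/ /, ",", perm)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/)     { name = $i; sub(/^name=/, "", name); gsub(/"/, "", name) }
            if ($i ~ /^tcontext=/) { tctx = $i; sub(/^tcontext=/, "", tctx) }
            if ($i ~ /^tclass=/)   { tclass = $i; sub(/^tclass=/, "", tclass) }
        }
        print perm, tclass, name, tctx
    }'
}

# Stand-alone run over the constructed sample.
sample_audit_lines | httpd_avc_denials
```

On a live system the same function can read real records, for example `ausearch -m AVC -ts recent | httpd_avc_denials`, and the reported target context can be compared with what `ls -Zd /var/www/html` shows.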