Apache server error 403 on Fedora-34

[Jonathan Ryshpan]

There are Forbidden (403) errors attempting to access weewx data on a newly installed system.  The error log reports:

# more error_log

...

[Wed Sep 15 12:09:54.602687 2021] [core:error] [pid 22344:tid 22450] (13)Permission denied: [client 27.0.0.1:36102] AH00035: access to /weewx/index.html denied (filesystem path '/var/www/h tml/weewx/index.html') because search permissions are missing on a component of the path

...

Weewx and Apache both appear to be running OK.  I suspect the problem is that weewx is running as user root, while the httpd server (apache) is running as user apache.  Thoughts?  If so, what's the easiest way to configure weewx to run as apache (which would be a little more secure)?

System Info:

Operating System: Fedora 34

KDE Plasma Version: 5.22.4

KDE Frameworks Version: 5.85.0

Qt Version: 5.15.2

Kernel Version: 5.13.15-200.fc34.x86_64 (64-bit)

Graphics Platform: Wayland

Processors: 2 × Intel® Pentium® CPU G2030 @ 3.00GHz

Memory: 7.6 GiB of RAM

Graphics Processor: Mesa DRI Intel® HD Graphics 2500

-- 

Thanks - Jonathan Ryshpan <jon...@pacbell.net>

	Three percent exceeds 2 percent by 50 percent, 
	not by 1 percent.
	--Edward Denison

[Clifford Snow]

I'm running weewx on Fedora 34 also with the same concerns about the weewx folder being owned by root. However, it runs okay.

Do you have a weewx.conf in /etc/httpd/conf.d? Mine looks like

alias /weewx /home/weewx/public_html
<Directory /home/weewx/public_html>
  WSGIApplicationGroup %{GLOBAL}
  Options FollowSymlinks
  AllowOverride None
  <IfModule mod_authz_core.c>
# Apache 2.4
Require all granted
   </IfModule>
</Directory>

Best,

Clifford

--
You received this message because you are subscribed to the Google Groups "weewx-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to weewx-user+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/weewx-user/f80331d8dfd12e38844cf68b698986d3e3d7ccd7.camel%40pacbell.net.

--

@osm_washington

www.snowandsnow.us

OpenStreetMap: Maps with a human touch

[vince]

On Wednesday, September 15, 2021 at 12:54:07 PM UTC-7 jonatha...@gmail.com wrote:

There are Forbidden (403) errors attempting to access weewx data on a newly installed system.  The error log reports:

...

[Wed Sep 15 12:09:54.602687 2021] [core:error] [pid 22344:tid 22450] (13)Permission denied: [client 27.0.0.1:36102] AH00035: access to /weewx/index.html denied (filesystem path '/var/www/h tml/weewx/index.html') because search permissions are missing on a component of the path

...

Weewx and Apache both appear to be running OK.  I suspect the problem is that weewx is running as user root, while the httpd server (apache) is running as user apache.  Thoughts?  If so, what's the easiest way to configure weewx to run as apache (which would be a little more secure)?

I'd suggest google search for "AH00035: access denied because search permissions are missing on a component of the path".  (this page) has some reasonably good comments as does (this one)

If you're running selinux, that is more likely the thing you should check first.  Check your security log for how to set the context for the web docroot weewx writes into.   The  first link has a chcon example for how to make selinux happy.

[Jonathan Ryshpan]

The problem was selinux.  I checked this by setting enforcement to Permissive which made the web page accessible.  I then followed the magic in  (this page) to make the selinux permissions for /var/www/html/weewx the same as those for /var/www/html; now everything works OK with enforcement set to Enforcing.

I presume that if weewx creates new files under .../weewx/ then they will inherit correct permissions (or possibly weewx won't create any such files after its initialization).  Also it doesn't look like there's any worry about security.

-- 

Sincerely Jonathan Ryshpan <jon...@pacbell.net>

	Do you ever feel thankful that you know me and have
	access to my dementia?  Explain and be prepared to 
	discuss in class.

[vince]

On Wednesday, September 15, 2021 at 3:31:01 PM UTC-7 jonatha...@gmail.com wrote:

I presume that if weewx creates new files under .../weewx/ then they will inherit correct permissions (or possibly weewx won't create any such files after its initialization).  Also it doesn't look like there's any worry about security.

It's not weewx, it's selinux, and you can't presume anything about selinux.  It has 'its' ideas about where things are located and how they got there, so if you do anything other than that selinux will block you when in enforcement mode, since it thinks you're actively trying to get around the security setup on the system.  It's actually a feature.

The better way to work around things is to put things where selinux expects it, or just run the chcon command in the linked article to set the security context of the files weewx writes to.

 

[Jonathan Ryshpan]

I did in fact run:

# chcon -R -t httpd_sys_content_t weewx

but didn't make clear that I had done so.   The question was to make sure that the chcon would fix things permanently, or is there any chance that weewx will create future files with a wrong security context.

-- 

Thanks very much for your help - Jonathan Ryshpan <jon...@pacbell.net>

	And God fulfills himself in many ways
	Lest one good custom should corrupt the world.
	-- Tennyson