Question

Last week I installed Fedora 20 on my computer, created a web server (LAMP) and changed the Document Root to my Dropbox folder.

From

/var/www/html

to

/home/ivnbrv/Dropbox

At the start I found some problems with SELinux; googling, I discovered that this was solved in this way.

$ chcon -R -u system_u -t httpd_sys_content_t /home/ivnbrv/Dropbox

Then changing the owner of this directory which was set in

/etc/httpd/conf/httpd.conf

User ivnbrv 
Group apache



$ chown -R ivnbrv.apache /home/ivnbrv/Dropbox

Now when I try to upload a file using PHP

move_uploaded_file()

I see this error

PHP Warning: move_uploaded_file(/home/ivnbrv/Dropbox/Site/files/public/noticia/img/large/2010201.jpg): failed to open stream: Permission denied in /home/ivnbrv/Dropbox/Site/upload.php on line 113

What can I do to make this work???


Solution

Since your situation is somewhat far from standard--i.e. your Document Root directory is within a homedir, among other things--I'd like to remind you that the following suggestions are provided solely for you to determine the main cause of your problem with permissions. Keep in mind that the most important point of the SELinux system is to provide the minimum set of permissions needed; therefore, these steps are probably not all necessary, as they may further reduce the security of your system.

NOTE Additionally, perhaps most important, you need to make sure that your DAC policy allows the necessary rwx permissions to your server, since SELinux only goes into effect after the DAC permissions are allowed; i.e. if apache is not allowed rwx on the directory/file the DAC policy blocks it and SELinux doesn't even handle it.


  • Try changing the file context of the public directory and subdirs to public_content_rw_t.

    # semanage fcontext -a -t public_content_rw_t "/home/ivnbrv/Dropbox/Site/files/public(/.*)?"
    

followed by

    # restorecon -R -v /home/ivnbrv/Dropbox/Site/files/public/
  • Furthermore, you should check to make sure you have the proper sebooleans enabled with:

    # getsebool -a |grep -i http
    

AFAIK, httpd_builtin_scripting, httpd_can_network_connect, and httpd_enable_homedirs should be set to on.

    # setsebool httpd_... on

Execute the command above for any booleans that need to be enabled. This change is temporary, however, unless you also add the -P option to setsebool to make it persistent.

  • Check to make sure that your php-script(s) have the necessary file context with

    ls -alZ /path/to/dir/with/scripts
    

If not, you can change them to httpd_sys_script_exec_t by executing

    # semanage fcontext -a -t httpd_sys_script_exec_t '/home/ivnbrv/Dropbox/Site/.*\.php5?'
    # semanage fcontext -a -t httpd_sys_script_rw_t '/home/ivnbrv/Dropbox/Site/files/public/noticia/img(/.*)?'
    # restorecon -R -v /home/ivnbrv/Dropbox/

As always, take a look at SELinux's wiki pages for further details and information. There's also a wealth of useful information available on the Fedora wiki pages with numerous scenarios and workflow methods, as well as the official Fedora Docs - Security Guide.

Other tips

In your /etc/http/conf/httpd find lines like this:

<Directory />
    AllowOverride none
    Require all denied
</Directory>

And add something like this:

<Directory /home>
        AllowOverride None
        Require all granted
</Directory>

Then restart your apache service.

Try setting execute permission on /home/, /home/ivnbrv/ and /home/ivnbrv/Dropbox:

chmod o+x /home/
chmod o+x /home/ivnbrv/
chmod o+x /home/ivnbrv/Dropbox

And restart your apache.

I recommend adding your user to the group www-data (in my case) or apache:

adduser your-user www-data
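
An added example, not part of the original answers: a small shell helper (the name audit_path is hypothetical) that walks every directory from / down to the upload directory and prints its mode, owner, SELinux context and whether the "other" search bit is missing. It checks the DAC precondition from the first answer's NOTE and the chmod o+x advice above, and lets you confirm the new context after restorecon. It assumes GNU stat and reads mode bits only.

```shell
#!/bin/bash
# Added diagnostic example (audit_path is a hypothetical helper name).
# For each directory from / down to the target it prints:
#   octal mode, owner:group, SELinux context, path, flag
# Flag NO-OTHER-X marks a directory without the "other" search bit, i.e. one
# that blocks a server account that is neither its owner nor in its group.
# Only mode bits are read; ACLs and group membership are not evaluated.
audit_path() {
    local target rest cur part mode owner ctx flag blocked=0
    target=$(readlink -f -- "$1") || return 2
    rest=${target#/}
    cur=""
    while [ -n "$rest" ]; do
        part=${rest%%/*}                  # next path component
        cur="$cur/$part"
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        mode=$(stat -c %a -- "$cur") || return 2
        owner=$(stat -c %U:%G -- "$cur") || return 2
        # %C fails on hosts without SELinux; show "?" instead of aborting.
        ctx=$(stat -c %C -- "$cur" 2>/dev/null) || ctx="?"
        flag=ok
        if [ -d "$cur" ]; then
            case $mode in
                *[1357]) ;;               # last octal digit has the x bit
                *) flag=NO-OTHER-X; blocked=$((blocked + 1)) ;;
            esac
        fi
        printf '%-5s %-18s %-42s %s %s\n' "$mode" "$owner" "$ctx" "$cur" "$flag"
    done
    [ "$blocked" -eq 0 ]                  # non-zero status if anything is flagged
}

# Run against a path given on the command line, e.g. the upload directory.
if [ "$#" -gt 0 ]; then
    audit_path "$1" || echo "at least one directory lacks o+x" >&2
fi
```

A directory flagged NO-OTHER-X is only a problem when httpd runs as an account that is neither the owner nor a group member of that directory; the context column should show the type you set with semanage once restorecon has run.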
License: CC-BY-SA with attribution
Not affiliated with StackOverflow