| Summary: | Mythweb Forbidden due to conflicts between httpd.conf and mythweb.conf | ||
|---|---|---|---|
| Product: | Fedora | Reporter: | James A R Brown <jamesarbrown1> |
| Component: | mythtv | Assignee: | Richard <hobbes1069> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | chemobejk, jarod |
| Priority: | P5 | ||
| Version: | 19 | ||
| Hardware: | All | ||
| OS: | GNU/Linux | ||
| namespace: | |||
| Attachments: | Proposed patch for mythweb.conf for Apache 2.2 & 2.4 compatibility | ||
This must be due to some change in apache since this is the same conf file used since Fedora 10... As I'm not an apache expert I may run this by additional people to see if that is the only/best solution...
If it installed mythweb in /var/www the security is preset in Apache. As Apache allows this directory in Fedora by default.
As it's installing in /usr/share/mythweb Apache gives a 403-Forbidden (which is correct as it's "elsewhere" in the file system). The master httpd.conf bars file system wandering by containing :-
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>
It may make more sense for mythweb to land in /var/www from the RPM rather than messing with security of apache.
If you enable the Auth security options and configure it works, failing that you need to give the mythweb directory "Require all granted", however I would say an RPM package as default should work out of the box and perhaps give a warning that Apache security should be considered.
James
I added the following to mythweb.conf and it seemed to fix things.
<Directory "/usr/share/mythweb">
...
<RequireAll>
Require all granted
</RequireAll>
...
Confirmed after my F18 upgrade
- "-All" must be removed to start httpd.service at all
- after adding <RequireAll>... inside the first <Directory> section mythweb access was working again.
F18 has Apache 2.4.x, F17 still has 2.22.x, that's the reason for the RequireAll. I guess you'll need to add a F18+ mythweb.conf file.
Side note: for F18 there seems to be a SPEC error too. This line:
%dir %{perl_vendorlib}/IO/Socket
collides with several perl-IO-* RPMs. I removed the line from the SPEC.
(In reply to comment #4)
> Confirmed after my F18 upgrade
>
> - "-All" must be removed to start httpd.service at all
>
> - after adding <RequireAll>... inside the first <Directory> section mythweb
> access was working again.
>
> F18 has Apache 2.4.x, F17 still has 2.22.x, that's the reason for the
> RequireAll. I guess you'll need to add a F18+ mythweb.conf file.
I wonder if the changes are backwards compatible? I'd rather not have to maintain two different versions of the file...
> Side note: for F18 there seems to be a SPEC error too. This line:
>
> %dir %{perl_vendorlib}/IO/Socket
>
> collides with several perl-IO-* RPMs. I removed the line from the SPEC.
Not sure... It's been that way for as long as I've maintained it. I know there's probably a rpm command or maybe repoquery command to check who all claims to own this directory. The only instance I can think of where multiple packages can own the same directory is when multiple packages need to place files in the folder but none of them actually require anything that the other packages provide (or something like that).
(In reply to comment #5)
> > F18 has Apache 2.4.x, F17 still has 2.22.x, that's the reason for the
> > RequireAll. I guess you'll need to add a F18+ mythweb.conf file.
>
> I wonder if the changes are backwards compatible? I'd rather not have to
> maintain two different versions of the file...
Judging by this
http://httpd.apache.org/docs/2.4/upgrading.html#run-time
it's a new 2.4 feature. I would assume that httpd 2.2.x will barf on it, sorry.
(In reply to comment #6)
> (In reply to comment #5)
> > > F18 has Apache 2.4.x, F17 still has 2.22.x, that's the reason for the
> > > RequireAll. I guess you'll need to add a F18+ mythweb.conf file.
> >
> > I wonder if the changes are backwards compatible? I'd rather not have to
> > maintain two different versions of the file...
>
> Judging by this
>
> http://httpd.apache.org/docs/2.4/upgrading.html#run-time
>
> it's a new 2.4 feature. I would assume that httpd 2.2.x will barf on it, sorry.
Hmm maybe this would work:
<IfModule mod_authz_core.c>
    # Apache 2.4
    <RequireAll>
        Require all granted
    </RequireAll>
</IfModule>
Similar construct could be used to exclude the -All from the Options:
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Options -All +FollowSymLinks +IncludesNoExec
</IfModule>
<IfModule mod_authz_core.c>
    # Apache 2.4
    Options +FollowSymLinks +IncludesNoExec
</IfModule>
(In reply to comment #7)
> Hmm maybe this would work:
Works fine with the httpd on my F18 at least.
Created attachment 1016
Proposed patch for mythweb.conf for Apache 2.2 & 2.4 compatibility
Seems to work on F17 with apache 2.2 as well. I'll commit something soonish :)
New builds completed for rawhide and F-18.
Builds have made it to the testing repos. Closing.
1/ mythweb-0.26.0-1.fc18.noarch
As this is set in httpd.conf
<Directory />
AllowOverride none
Require all denied
</Directory>
Then subsequent directories specified (/usr/share/mythweb) in mythweb.conf must have
Require all granted
For apache to be able to access.
2/ Apache will not start by default due to mythweb.conf with this error
Dec 26 09:34:06 pvr.jamesarbrown.com httpd[22537]: AH00526: Syntax error on line 204 of /etc/httpd/conf.d/mythweb.conf:
Dec 26 09:34:06 pvr.jamesarbrown.com httpd[22537]: You may not use 'Options +All' or 'Options -All'.
Referring to in mythweb.conf
<Directory "/usr/share/mythweb/data">
Options -All +FollowSymLinks +IncludesNoExec
Require all granted
</Directory>
I had to delete the -All to be able to start httpd
Hope this helps.
James
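A check for the two failure modes described in this report, as an added example that is not part of the bug thread or the mythweb package: a small Python linter that flags `Options +All`/`-All` outside an `<IfModule !mod_authz_core.c>` guard and `<Directory>` blocks that carry no `Require`. The sample config and the `lint` function are constructed for illustration, and inheritance between nested `<Directory>` paths is not modelled.

```python
import re
# Constructed sample (not the packaged mythweb.conf): two 2.2-era blocks and one guarded block.
SAMPLE = '''\
<Directory "/usr/share/mythweb">
    Options FollowSymLinks
</Directory>
<Directory "/usr/share/mythweb/data">
    Options -All +FollowSymLinks +IncludesNoExec
    Require all granted
</Directory>
<Directory "/usr/share/mythweb/guarded">
    <IfModule !mod_authz_core.c>
        Options -All +FollowSymLinks
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
</Directory>
'''

OPEN = re.compile(r'<(Directory|IfModule)\s+"?([^">]+)"?\s*>', re.I)
CLOSE = re.compile(r'</(Directory|IfModule)>', re.I)

def lint(text):
    """Return (line_no, message) findings for settings that break under httpd 2.4."""
    findings, stack = [], []  # frames: [kind, argument, start_line, saw_require]
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = OPEN.match(line)
        if m:
            stack.append([m.group(1).lower(), m.group(2).strip(), no, False])
            continue
        if CLOSE.match(line) and stack:
            kind, arg, start, saw = stack.pop()
            if kind == 'directory' and not saw:
                findings.append((start, f'{arg}: no Require directive in this block'))
            continue
        # Body of <IfModule !mod_authz_core.c> is skipped when mod_authz_core is loaded (2.4).
        if any(k == 'ifmodule' and a.lower() == '!mod_authz_core.c' for k, a, *_ in stack):
            continue
        words = [w.lower() for w in line.split()]
        if words[0] == 'options' and {'+all', '-all'} & set(words[1:]):
            findings.append((no, 'Options +All/-All is rejected by httpd 2.4 (AH00526)'))
        if words[0] == 'require':
            for frame in stack:
                frame[3] = True
    return findings
```

Running `lint(SAMPLE)` reports the first block (no `Require`) and line 5 (`Options -All`), and leaves the guarded block alone.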