0

Ubuntu + Debian / Apache 2.4

I've been trying to get mod_ruid2 working for quite some time. I think something is wrong with my basic configuration.

mod_ruid2 documentation

To confirm, before installing mod_ruid2 and updating vHosts, everything works fine.

I installed mod_ruid2 via apt and configured a vHost to use ruid as seen below

apachectl confirms ruid2 is loaded. Passes configtest after updating vHost with ruid syntax too.

Created user and group 'cb' via useradd cb -M to use as the vHost user.

Here is the vHost

    <VirtualHost *:80>
        ServerName cb.xxx.xx
        DocumentRoot /var/www/cb.xxx.xx/public_html/
        RDocumentChRoot /var/www /cb.xxx.xx/public_html
        RUidGid cb cb
        <Directory "/var/www/cb.xxx.xx/public_html/">
            Require all granted
            RMode config
            RUidGid cb cb
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

And at this point the vHost advises 403 forbidden. The directory was previously owned by www-data - so I ran the following -

chown -R cb:cb /var/www/cb.xxx.xx/public_html/ 

I get the same issue. The Apache log at debug levels shows the following each time I hit cb.xxx.xx - nothing else

[authz_core:error] [pid 3736] [client 31.53.4.77:63626] AH01630: client denied by server configuration: /cb.xxx.xx/public_html/ 

Researching the AH01630 error leads to most others not having 'Require all granted' in their vHost, I do and a grep of the Apache dir ensured all other vHosts have this too.

I replicated the same fault on a Debian server and got the same problem. I believe this is something wrong with my config of mod_ruid2 in the vHost. Specifically I believe it's the ChRoot I have incorrect.

RDocumentChRoot - Set chroot directory and the document root inside

    RDocumentChRoot /home /example.com/public_html

Documentation on this seems to be very limited, and I'm finding sparse other people with a similar issue. Can anyone share some thoughts please?

It's often used in cPanel/DirectAdmin multi-tenant scenarios - I'd be grateful if you had a working config you could look at

2
  • Wild guess would be that RDocumentChRoot changes the path before Apache checks for authorization, and your <Directory> should be /cb.xxx.xx/public_html/ since /var/www is outside the chroot. Commented Nov 8, 2016 at 22:27
  • You know that feeling when you've spent a very long time looking everywhere other than what's right in front of you.. Thank you, DerkF. Commented Nov 8, 2016 at 22:34

1 Answer 1

1

Based on the path given in the error message

client denied by server configuration: /cb.xxx.xx/public_html/ 

it appears that RDocumentChRoot chroots the request before Apache checks the Directory permissions. Thus, the path given to <Directory> should be the path inside the chroot, or

    <Directory "/cb.xxx.xx/public_html/">
        Require all granted
        RMode config
        RUidGid cb cb
    </Directory>
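A small lint for the mismatch described in this answer, as an added example that is not part of the original post: it flags `<Directory>` paths still written with the host-side chroot prefix and reports whether any section covers the in-chroot document root. The function names are hypothetical, the sample vHost is constructed from the question, and the check relies on the answer's observation that `<Directory>` is matched against the path inside the chroot.

```python
import posixpath
import re

# Constructed sample: the vHost from the question, trimmed to the relevant lines.
QUESTION_VHOST = """\
<VirtualHost *:80>
    DocumentRoot /var/www/cb.xxx.xx/public_html/
    RDocumentChRoot /var/www /cb.xxx.xx/public_html
    <Directory "/var/www/cb.xxx.xx/public_html/">
        Require all granted
    </Directory>
</VirtualHost>
"""

CHROOT_RE = re.compile(r"^\s*RDocumentChRoot\s+(\S+)\s+(\S+)", re.I | re.M)
# Plain <Directory> only; <DirectoryMatch> and wildcard paths are not handled.
DIRECTORY_RE = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.I | re.M)


def is_under(path, parent):
    """True if path equals parent or lies below it (component-wise)."""
    path, parent = posixpath.normpath(path), posixpath.normpath(parent)
    return parent == "/" or path == parent or path.startswith(parent + "/")


def lint_chroot_vhost(conf):
    """Check <Directory> paths against the namespace seen after RDocumentChRoot.

    Returns (rewrites, docroot_covered): rewrites maps each <Directory> path
    written with the host-side chroot prefix to its in-chroot equivalent;
    docroot_covered says whether any section applies to the in-chroot docroot.
    """
    match = CHROOT_RE.search(conf)
    if match is None:
        return {}, True  # no chroot configured, nothing to check
    chroot, docroot = match.groups()
    rewrites, covered = {}, False
    for written in DIRECTORY_RE.findall(conf):
        if is_under(written, chroot) and posixpath.normpath(chroot) != "/":
            inside = posixpath.relpath(written, chroot)
            rewrites[written] = posixpath.normpath("/" + inside)
        elif is_under(docroot, written):
            covered = True
    return rewrites, covered


if __name__ == "__main__":
    print(lint_chroot_vhost(QUESTION_VHOST))
```

A path that happens to exist under the same prefix inside the chroot would be flagged as well, so treat the rewrites as suggestions to review.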
