Hetzner permission issue

zamrg

I have a client's website hosted on a shared Hetzner Linux box where the web pages to be served are stored in the public_html/ in /usr/www/users/username and a few modules and include files are stored outside the webroot in /usr/home/username/includes. It seems however that the webserver cannot access any files in my includes directory and throws the error:

Code:
Warning: require_once(/usr/home/username/includes/_config.inc.php) [function.require-once <http://xxxxxxxxxxxx.co.za/function.require-once>]: failed to open stream: Permission denied in /usr/www/users/username/index.php on line 3
Fatal error: require_once() [function.require <http://xxxxxxxxxxxx.co.za/function.require>]: Failed opening required '/usr/home/username/includes/_config.inc.php' (include_path='.:/usr/share/php:/usr/share/pear') in /usr/www/users/username/index.php on line 3

I have contacted Hetzner e-mail support however I really need to get the site up and their e-mail response is just too slow.

A support agent even tried to change the group of the includes directory to nobody, the group the web server runs under, however this surely wouldn't work right?

The files/folders in my home directory and in my public_html all have permissions 755/644, whilst my /usr/home/username directory has permissions 710 (u=rwx, g=x).

I would really appreciate any help with this as I can't get the assistance I need with Hetzner e-mail support; it's like a ping-pong game which never ends.
 
A support agent even tried to change the group of the includes directory to nobody, the group the web server runs under, however this surely wouldn't work right?

No. public_html should be owned username:nobody but all directories in public_html should be owned username:username
 
What user does the webserver run as?

this is the output of 'ps aux | grep apache'

Code:
root      4799  0.0  0.4  30992 17080 ?        Ss   Oct31   0:05 /usr/sbin/apache
nobody   13493  0.0  0.6  41924 26092 ?        S    11:00   0:01 /usr/sbin/apache
nobody   13529  0.0  0.6  42452 26472 ?        S    11:00   0:01 /usr/sbin/apache
nobody   18029  0.0  0.5  39936 24032 ?        S    11:13   0:01 /usr/sbin/apache
nobody   18180  0.0  0.6  41472 25704 ?        S    11:14   0:00 /usr/sbin/apache
nobody   18314  0.0  0.6  41440 25736 ?        S    11:14   0:00 /usr/sbin/apache
nobody   20110  0.0  0.6  42316 26260 ?        S    11:16   0:00 /usr/sbin/apache
nobody   20113  0.2  0.6  42420 26496 ?        S    11:16   0:04 /usr/sbin/apache
nobody   20114  0.1  0.6  43092 27092 ?        S    11:16   0:01 /usr/sbin/apache
nobody   20116  0.0  0.5  39976 23904 ?        S    11:16   0:00 /usr/sbin/apache
nobody   20117  0.0  0.5  39772 23680 ?        S    11:16   0:00 /usr/sbin/apache
nobody   20118  0.1  0.6  43332 27252 ?        S    11:16   0:03 /usr/sbin/apache
nobody   20119  0.0  0.6  42000 26304 ?        S    11:16   0:01 /usr/sbin/apache
nobody   20140  0.1  0.6  43280 27364 ?        S    11:16   0:02 /usr/sbin/apache
nobody   29185  0.1  0.6  41860 25480 ?        S    11:44   0:00 /usr/sbin/apache
nobody   29186  0.0  0.2  30992 11284 ?        S    11:44   0:00 /usr/sbin/apache
nobody   29187  0.0  0.3  33724 15456 ?        S    11:44   0:00 /usr/sbin/apache
 
No. public_html should be owned username:nobody but all directories in public_html should be owned username:username

The public_html/ at /usr/www/users/username is owned by username:nobody and the support agent changed all files/folders in public_html/ to username:nobody as well, even though they should be username:username.

The includes directory which is at /usr/home/username/includes is also owned by username:nobody (since he changed that as well).
 
you need to give inc dir +x for group nobody , and give the include files +r access assuming they're also group nobody
 
you need to give inc dir +x for group nobody , and give the include files +r access assuming they're also group nobody

The includes/ directory and all other directories/files under /usr/home/username are already set to 755/644

Would it be a problem that my /usr/home/username is owned by username:mail and set with permissions 710 (u=rwx, g=x)
 
The includes/ directory and all other directories/files under /usr/home/username are already set to 755/644

Would it be a problem that my /usr/home/username is owned by username:mail and set with permissions 710 (u=rwx, g=x)

That's the problem - you'd need the includes directory and its contents to either be owned by nobody, or have group nobody with read access for the files and execute for the directory.
 
That's the problem - you'd need the includes directory and its contents to either be owned by nobody, or have group nobody with read access for the files and execute for the directory.

thanks for the assistance reech, but the includes/ directory is already owned by username:nobody and already has permissions 755/644 (folders/files) recursively.
 
thanks for the assistance reech, but the includes/ directory is already owned by username:nobody and already has permissions 755/644 (folders/files) recursively.

sheesh - at a loss then!?
 
/usr/home/username is owned by username:mail and set with permissions 710 (u=rwx, g=x)

Doesn't this mean that the web server cannot enter my /usr/home/username directory (and also /usr/home/username/includes) since it cannot read or execute on my home dir?
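
Added example, not part of the original thread: a shell function that walks each directory on the way to a file and reports the first one whose mode bits stop a given uid:gid, which is the check the post above reasons through by hand. The `first_blocker` and `demo` names, the stand-in uid/gid values and the temporary tree are constructed for illustration; only classic mode bits are evaluated.

```shell
#!/bin/sh
# first_blocker FILE UID GID [START]
# Prints the first path component that stops UID:GID from reading FILE, or "ok".
# Classic mode bits only (no ACLs, supplementary groups or root override);
# needs GNU stat. START itself and anything above it are not checked.
first_blocker() {
    target=$1; uid=$2; gid=$3; start=${4:-/}
    case $target in /*) ;; *) echo "error: absolute path required"; return 0 ;; esac
    chain=$target                      # components to check, top-most first
    p=$(dirname "$target")
    while [ "$p" != "$start" ] && [ "$p" != "/" ]; do
        chain="$p
$chain"
        p=$(dirname "$p")
    done
    while IFS= read -r p; do
        set -- $(stat -c '%a %u %g' "$p")   # octal mode, owner uid, group gid
        mode=$1; bits=$((0$mode))
        if   [ "$uid" = "$2" ]; then class=owner; shift_by=6
        elif [ "$gid" = "$3" ]; then class=group; shift_by=3
        else                         class=other; shift_by=0
        fi
        # Directories need search (x = 1); the file itself needs read (r = 4).
        if [ -d "$p" ]; then need=1; else need=4; fi
        if [ $(( (bits >> shift_by) & need )) -eq 0 ]; then
            echo "blocked at $p (mode $mode, checked as $class)"
            return 0
        fi
    done <<EOF
$chain
EOF
    echo "ok"
}

# Constructed tree with the thread's modes: home 710, includes 755, file 644.
demo() {
    base=$(mktemp -d)
    f="$base/home/includes/_config.inc.php"
    mkdir -p "$base/home/includes" && : > "$f"
    chmod 710 "$base/home"; chmod 755 "$base/home/includes"; chmod 644 "$f"
    web_uid=$(( $(stat -c %u "$f") + 1 ))   # stand-in uid that is not the owner
    web_gid=$(( $(stat -c %g "$f") + 1 ))   # stand-in gid that is not the group
    first_blocker "$f" "$web_uid" "$web_gid" "$base"          # home blocks "other"
    first_blocker "$f" "$web_uid" "$(stat -c %g "$base/home")" "$base"  # group x passes
    chmod 711 "$base/home"
    first_blocker "$f" "$web_uid" "$web_gid" "$base"          # now reachable
    rm -rf "$base"
}
demo
```

On a real host the same walk can be read directly from `namei -l /usr/home/username/includes/_config.inc.php`, which lists owner, group and mode for every component.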
 
aha! can you 711 it?

yes :) it's able to include the config file from my includes/ directory but I've now run into a whole other batch of problems.

The site cannot write to my custom mysql.log and php.log in my home directory since the file is owned by username:username and not username:nobody, and I don't have permission to chgrp nobody. By the looks of things, Hetzner doesn't have the best setup to allow a user to store libraries, configs and classes outside of the webroot.

Is it also not quite insecure to have my home directory as 711 and all folders/files within as 755/644?
 
yes :) it's able to include the config file from my includes/ directory but I've now run into a whole other batch of problems.

The site cannot write to my custom mysql.log and php.log in my home directory since the file is owned by username:username and not username:nobody, and I don't have permission to chgrp nobody. By the looks of things, Hetzner doesn't have the best setup to allow a user to store libraries, configs and classes outside of the webroot.

Is it also not quite insecure to have my home directory as 711 and all folders/files within as 755/644?

Removing the o perms on the relevant files in your home dir could help somewhat...
 
I use similar files in my coding, have also done exactly that on a Hetzner site and it worked fine...
 
I use similar files in my coding, have also done exactly that on a Hetzner site and it worked fine...

on this particular server, the home dir at /usr/home/username is owned by username:mail with default permissions of u=rwx, g=x, o= and the public_html is in /usr/www/users/username owned by username:nobody.

The web server therefore doesn't have access to read any files in my home directory.

If you don't mind me asking, how have you structured your files? ie: do you separate your web pages from your application code, classes, configs, etc and keep them in different locations?
 
Well I keep my files in the main directory followed by include, config, etc files in the include directory. This has always worked fine.
 
Well I keep my files in the main directory followed by include, config, etc files in the include directory. This has always worked fine.

by main directory, are you referring to your public_html directory? If so, I can't risk placing certain configs and files there as this would make them accessible by anyone. I'm using a htaccess file to block certain files from being served by the webserver and being interpreted and outputted by the php engine, but if either fails, all the site's credentials and encryption keys will be public knowledge.
 
by main directory, are you referring to your public_html directory? If so, I can't risk placing certain configs and files there as this would make them accessible by anyone. I'm using a htaccess file to block certain files from being served by the webserver and being interpreted and outputted by the php engine, but if either fails, all the site's credentials and encryption keys will be public knowledge.

Yes. The trick is to, yes, use htaccess, and in commonly used folders such as images/ and includes/, etc., to use a blank index.php redirect file.
 
Well I keep my files in the main directory followed by include, config, etc files in the include directory. This has always worked fine.

It'll work... but it's not best practice, despite htaccess etc.
 