Change Apache2 DocumentRoot to "/home/pierrick/www" in Tumbleweed

English Install/Boot/Login
1

Hi all,
I’m new to OpenSuse (coming from a Debian background) and I have found a stumbling block.
I’ve installed a LAMP stack following the OpenSuse Wiki instructions. (https://en.opensuse.org/SDB:LAMP_setup)
Everything works as it should.
I now wish to change the Apache DocumentRoot to “/home/pierrick/www” instead of its default “/srv/www/htdocs”

I have found lots of instructions, including absurd ones, but my server is still responding with an access denied message.

All I have changed in the Apache conf files are the 2 lines in the default-server.conf that contained the default “/srv/www/htdocs”
Nothing else.

Any help would really be appreciated.
Many thanks.
Pierrick

2

Hello and welcome to the openSUE forums.

Please always SHOW! How can we find out if you didn’t e.g. make a typo, or used the wrong file, or …?

And a access denied message could point to the fact that /home/pierrick/www and/or the files inside there is/are not readable for the user (possibly wwwrun) that runs the apache processes. Remind that user’s files are protected against unwanted access by other users in Unix/Linux as a basic concept.

3

@hcvv
Thank you for the reply and apologies for the lack of supporting data.
Unfortunately, being a new user to this forum I cam only insert one image per message. So please have a look at the next 5 messages…

Here are the mods I made:
The httpd.conf:

httpd_conf
httpd_conf586×154 12.3 KB

4

The default-server.conf:

default-server_conf
default-server_conf551×470 31.2 KB

5

Here are the permissions for the “/home/pierrick/www” structure:
/home

Home permissions
Home permissions694×651 56.9 KB

6

/home/pierrick

Pierrick permissions
Pierrick permissions650×641 56.2 KB

7

Terminal output or configs a best pasted here in preformatted text tags </>

8

/home/pierrick/www

www permissions
www permissions656×642 65.3 KB

9

As I see it the entire structure allows other groups and other users to read data, which is all the apache group/user should be able to do.
Note: granting a 777 permission level to “www” didn’t solve the “Access forbidden!” message.

Access_forbidden
Access_forbidden892×272 16.5 KB

Still confused here.
Thanks.

10

Hello,

I see two possible problems:

  1. apache root directory needs to be owned by wwwrun:www
    so use
    sudo chown -R wwwrun:www /home/pierrick/www

  2. Is SELinux active? Control it via command sestatus ==> here the ouput on my system

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      35

If SELinux is active and in enforcing mode you should need to set it in permissive mode
Regards
Philippe

11

@phil524
Merci Philippe! (Assuming you speak French…)

Of your two suggestions, selinux was the solution.
I immediately enabled permissive:

sudo setenforce 0

I then edited the selinux config to permanently enable permissive mode.
I restarted apache for good measure, and my development home page came to life.
On to more tests now…

As for the ownership suggestion, please correct me if I’m wrong but as long as other groups and users are granted read permissions surely that must be enough for apache to serve pages.
Where the websites I’m developing need to save documents via a PHP script (log files, sessions, custom documents, etc.) this is allowed by setting permissions to 777 to specific directories only under the given website file structure.

Again many thanks.

12

After disabling SELinux, why worry about security now? 777 for everyone!

13

SELinux will prevent web server access to user home directories.

I’s suggest re-enabling SELinux and run setsebool -P httpd_read_user_content 1

14

Hi.
This is a development machine, only one user (myself), no public access to the websites, data, etc.
So yes disabling SELinux isn’t the most secure way to go about solving the problem but in this case it a risk I’m willing to take.
Setting 777 for all folders would not help in development as I need to know whether the web apps are saving data in the appropriate places.
Thank you for the feedback.

15

@pierrick what about the rest of the system? Unless it’s air-gaped? But it’s your machine, you get to do what you want with it :wink:

It’s also information for any other user facing the same issue and comes across this thread…

16

Hi.
Thank you for the suggestion.
So I restored SELinux config to the original settings.
I rebooted and then ran your setsebool command, followed by an apache restart.
The “Access forbidden!” message came back.
Looking up what setsebool does I noticed that there are other httpd booleans that may be useful. Maybe worth spending some time to learn about this.
I’ll disable SELinux again so I can work.
Thanks again.

1 Like
17

@pierrick when you have time, have a perusal here https://en.opensuse.org/Portal:SELinux it could also be worth a bug report.

Edit, Also worth perusing https://documentation.suse.com/sles/15-SP7/html/SLES-all/cha-selinux.html and https://forums.opensuse.org/t/apache2-and-selinux/189791

18

@malcolmlewis
From the little I have gathered on SELinux, it seems to be part of the kernel. In other words Debian distros will have SELinux at the core somewhere.
And yet after all these years working with Debian, this is the first time I run into a problem with apache DocumentRoot and SELinux. So how do the Debian people go around the problem? Have they disabled SELinux? Is there a httpd boolean that will do the trick?
I don’t intend to ignore the problem I have just created, I need to get on with work. I will have a deeper look very soon and work something out.
Thank you for the reminder though. Appreciated.

19

Changing DocumentRoot can cause many problems; you have proven this. As an alternative, I use Alias:

erlangen:~ # cat /etc/apache2/conf.d/Albums.conf 

# location of local albums
Alias "/Albums" "/home/Albums/jAlbums/"
erlangen:~ #

Virtually all software uses Alias:

erlangen:~ # grep -r Alias /etc/apache2/conf.d/
/etc/apache2/conf.d/Albums.conf:Alias "/Albums" "/home/Albums/jAlbums/"
/etc/apache2/conf.d/gitweb.conf:Alias /git "/usr/share/gitweb/"
/etc/apache2/conf.d/nextcloud.conf:Alias /nextcloud "/srv/www/htdocs/nextcloud/"
erlangen:~ #
20

Hello,

With SELinux in enforcing mode I think that you need also to define the file context of your directory something as

semanage fcontext -a -t httpd_sys_rw_content_t '/home/pierrick/www(/.*)'
restorecon -R -v '/home/pierrick/www'

In my opinion, the proposal from

is the best solution.

Regards
Philippe