EACCES that should not happen
Clash Royale CLAN TAG#URR8PPP
up vote
2
down vote
favorite
I have a situation on a Linux machine that I can't really explain.
Some background: We're running apache with a c/c++ module that forwards requests to our application. It does so by reading a .port file which specifies a local port to send the requests to.
After installation, it is not possible to connect using the web interface. After a bit of troubleshooting I bring out strace and see that the apache processes fail to read the .port file:
[pid 8105] stat("/tmp/somedir/application.port", 0x7ffff9694470) = -1 EACCES (Permission denied)
I check the permissions on the file:
% ls -l /tmp/somedir/application.port
-rw-r--r--. 1 appuser staff 5 Oct 16 14:10 application.port
So, anyone should be able to read that, right?
I check who the apache process runs as:
% ps -ef | grep 8105
appuser 8105 3357 0 15:14 ? 00:00:00 /usr/sbin/httpd
So the apache process runs as the owner of the file. That should work too, right?
Finally, I do:
% su - appuser
% stat /tmp/somedir/application.port
File: `/tmp/somedir/application.port'
Size: 5 Blocks: 8 IO Block: 4096 regular file
Device: 11h/17d Inode: 1400293 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1001/ appuser) Gid: ( 1001/ staff)
Access: 2013-10-16 14:10:03.357679902 +0200
Modify: 2013-10-16 14:10:03.357679902 +0200
Change: 2013-10-16 14:10:03.357679902 +0200
So, the "appuser" owns the file, runs the web server, but don't have the permission to do stat() on it from within the web server process?
Does anyone have an idea about what could be going on here?
I should also mention that this is not the first installation we've done, and the others work as expected. There might have been some manual fiddling during the installation of this particular machine, but I still don't see how we can end up like this.
Restarting processes also does nothing to change the behavior.
The machine is a RHEL 6 box.
permissions rhel apache-httpd
edited Aug 17 '16 at 11:22
Jeff Schaller
38k1053123
asked Oct 17 '13 at 6:38
Mattias Nilsson
1315
add a comment |
up vote
2
down vote
favorite
I have a situation on a Linux machine that I can't really explain.
Some background: We're running apache with a c/c++ module that forwards requests to our application. It does so by reading a .port file which specifies a local port to send the requests to.
After installation, it is not possible to connect using the web interface. After a bit of troubleshooting I bring out strace and see that the apache processes fail to read the .port file:
[pid 8105] stat("/tmp/somedir/application.port", 0x7ffff9694470) = -1 EACCES (Permission denied)
I check the permissions on the file:
% ls -l /tmp/somedir/application.port
-rw-r--r--. 1 appuser staff 5 Oct 16 14:10 application.port
So, anyone should be able to read that, right?
I check who the apache process runs as:
% ps -ef | grep 8105
appuser 8105 3357 0 15:14 ? 00:00:00 /usr/sbin/httpd
So the apache process runs as the owner of the file. That should work too, right?
Finally, I do:
% su - appuser
% stat /tmp/somedir/application.port
File: `/tmp/somedir/application.port'
Size: 5 Blocks: 8 IO Block: 4096 regular file
Device: 11h/17d Inode: 1400293 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1001/ appuser) Gid: ( 1001/ staff)
Access: 2013-10-16 14:10:03.357679902 +0200
Modify: 2013-10-16 14:10:03.357679902 +0200
Change: 2013-10-16 14:10:03.357679902 +0200
So, the "appuser" owns the file, runs the web server, but don't have the permission to do stat() on it from within the web server process?
Does anyone have an idea about what could be going on here?
I should also mention that this is not the first installation we've done, and the others work as expected. There might have been some manual fiddling during the installation of this particular machine, but I still don't see how we can end up like this.
Restarting processes also does nothing to change the behavior.
The machine is a RHEL 6 box.
permissions rhel apache-httpd
edited Aug 17 '16 at 11:22
Jeff Schaller
38k1053123
asked Oct 17 '13 at 6:38
Mattias Nilsson
1315
2
ls -lZto check SELinux?ls -ld /tmp/somedir?
– Mikel
Oct 17 '13 at 6:47
@Mikel SELinux is a good suggestion. Is is a bit of an unknown area to me, but I'll look in to that, thanks.
– Mattias Nilsson
Oct 17 '13 at 7:37
1
@MattiasNilsson also seestat(2)man page:EACCESSearch permission is denied for one of the directories in the path prefix of path. (See also path_resolution(7).)
– peterph
Oct 17 '13 at 7:49
@peterph That would be a good guess but it's contradicted bystat /tmp/somedir/application.portworking. Sincestatcan access the file but not Apache, there's some security framework at play (SELinux presumably since this is RHEL).
– Gilles
Oct 17 '13 at 21:34
add a comment |
up vote
2
down vote
favorite
up vote
2
down vote
favorite
I have a situation on a Linux machine that I can't really explain.
Some background: We're running apache with a c/c++ module that forwards requests to our application. It does so by reading a .port file which specifies a local port to send the requests to.
After installation, it is not possible to connect using the web interface. After a bit of troubleshooting I bring out strace and see that the apache processes fail to read the .port file:
[pid 8105] stat("/tmp/somedir/application.port", 0x7ffff9694470) = -1 EACCES (Permission denied)
I check the permissions on the file:
% ls -l /tmp/somedir/application.port
-rw-r--r--. 1 appuser staff 5 Oct 16 14:10 application.port
So, anyone should be able to read that, right?
I check who the apache process runs as:
% ps -ef | grep 8105
appuser 8105 3357 0 15:14 ? 00:00:00 /usr/sbin/httpd
So the apache process runs as the owner of the file. That should work too, right?
Finally, I do:
% su - appuser
% stat /tmp/somedir/application.port
File: `/tmp/somedir/application.port'
Size: 5 Blocks: 8 IO Block: 4096 regular file
Device: 11h/17d Inode: 1400293 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1001/ appuser) Gid: ( 1001/ staff)
Access: 2013-10-16 14:10:03.357679902 +0200
Modify: 2013-10-16 14:10:03.357679902 +0200
Change: 2013-10-16 14:10:03.357679902 +0200
So, the "appuser" owns the file, runs the web server, but don't have the permission to do stat() on it from within the web server process?
Does anyone have an idea about what could be going on here?
I should also mention that this is not the first installation we've done, and the others work as expected. There might have been some manual fiddling during the installation of this particular machine, but I still don't see how we can end up like this.
Restarting processes also does nothing to change the behavior.
The machine is a RHEL 6 box.
permissions rhel apache-httpd
edited Aug 17 '16 at 11:22
Jeff Schaller
38k1053123
asked Oct 17 '13 at 6:38
Mattias Nilsson
1315
I have a situation on a Linux machine that I can't really explain.
Some background: We're running apache with a c/c++ module that forwards requests to our application. It does so by reading a .port file which specifies a local port to send the requests to.
After installation, it is not possible to connect using the web interface. After a bit of troubleshooting I bring out strace and see that the apache processes fail to read the .port file:
[pid 8105] stat("/tmp/somedir/application.port", 0x7ffff9694470) = -1 EACCES (Permission denied)
I check the permissions on the file:
% ls -l /tmp/somedir/application.port
-rw-r--r--. 1 appuser staff 5 Oct 16 14:10 application.port
So, anyone should be able to read that, right?
I check who the apache process runs as:
% ps -ef | grep 8105
appuser 8105 3357 0 15:14 ? 00:00:00 /usr/sbin/httpd
So the apache process runs as the owner of the file. That should work too, right?
Finally, I do:
% su - appuser
% stat /tmp/somedir/application.port
File: `/tmp/somedir/application.port'
Size: 5 Blocks: 8 IO Block: 4096 regular file
Device: 11h/17d Inode: 1400293 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1001/ appuser) Gid: ( 1001/ staff)
Access: 2013-10-16 14:10:03.357679902 +0200
Modify: 2013-10-16 14:10:03.357679902 +0200
Change: 2013-10-16 14:10:03.357679902 +0200
So, the "appuser" owns the file, runs the web server, but don't have the permission to do stat() on it from within the web server process?
Does anyone have an idea about what could be going on here?
I should also mention that this is not the first installation we've done, and the others work as expected. There might have been some manual fiddling during the installation of this particular machine, but I still don't see how we can end up like this.
Restarting processes also does nothing to change the behavior.
The machine is a RHEL 6 box.
permissions rhel apache-httpd
permissions rhel apache-httpd
edited Aug 17 '16 at 11:22
Jeff Schaller
38k1053123
asked Oct 17 '13 at 6:38
Mattias Nilsson
1315
edited Aug 17 '16 at 11:22
Jeff Schaller
38k1053123
asked Oct 17 '13 at 6:38
Mattias Nilsson
1315
edited Aug 17 '16 at 11:22
Jeff Schaller
38k1053123
edited Aug 17 '16 at 11:22
Jeff Schaller
38k1053123
edited Aug 17 '16 at 11:22
Jeff Schaller
38k1053123
38k1053123
asked Oct 17 '13 at 6:38
Mattias Nilsson
1315
asked Oct 17 '13 at 6:38
Mattias Nilsson
1315
asked Oct 17 '13 at 6:38
Mattias Nilsson
1315
1315
2
ls -lZto check SELinux?ls -ld /tmp/somedir?
– Mikel
Oct 17 '13 at 6:47
@Mikel SELinux is a good suggestion. Is is a bit of an unknown area to me, but I'll look in to that, thanks.
– Mattias Nilsson
Oct 17 '13 at 7:37
1
@MattiasNilsson also seestat(2)man page:EACCESSearch permission is denied for one of the directories in the path prefix of path. (See also path_resolution(7).)
– peterph
Oct 17 '13 at 7:49
@peterph That would be a good guess but it's contradicted bystat /tmp/somedir/application.portworking. Sincestatcan access the file but not Apache, there's some security framework at play (SELinux presumably since this is RHEL).
– Gilles
Oct 17 '13 at 21:34
add a comment |
2
ls -lZto check SELinux?ls -ld /tmp/somedir?
– Mikel
Oct 17 '13 at 6:47
@Mikel SELinux is a good suggestion. Is is a bit of an unknown area to me, but I'll look in to that, thanks.
– Mattias Nilsson
Oct 17 '13 at 7:37
1
@MattiasNilsson also seestat(2)man page:EACCESSearch permission is denied for one of the directories in the path prefix of path. (See also path_resolution(7).)
– peterph
Oct 17 '13 at 7:49
@peterph That would be a good guess but it's contradicted bystat /tmp/somedir/application.portworking. Sincestatcan access the file but not Apache, there's some security framework at play (SELinux presumably since this is RHEL).
– Gilles
Oct 17 '13 at 21:34
2
2
ls -lZ to check SELinux? ls -ld /tmp/somedir?– Mikel
Oct 17 '13 at 6:47
ls -lZ to check SELinux? ls -ld /tmp/somedir?– Mikel
Oct 17 '13 at 6:47
@Mikel SELinux is a good suggestion. Is is a bit of an unknown area to me, but I'll look in to that, thanks.
– Mattias Nilsson
Oct 17 '13 at 7:37
@Mikel SELinux is a good suggestion. Is is a bit of an unknown area to me, but I'll look in to that, thanks.
– Mattias Nilsson
Oct 17 '13 at 7:37
1
1
@MattiasNilsson also see
stat(2) man page: EACCES Search permission is denied for one of the directories in the path prefix of path. (See also path_resolution(7).)– peterph
Oct 17 '13 at 7:49
@MattiasNilsson also see
stat(2) man page: EACCES Search permission is denied for one of the directories in the path prefix of path. (See also path_resolution(7).)– peterph
Oct 17 '13 at 7:49
@peterph That would be a good guess but it's contradicted by
stat /tmp/somedir/application.port working. Since stat can access the file but not Apache, there's some security framework at play (SELinux presumably since this is RHEL).– Gilles
Oct 17 '13 at 21:34
@peterph That would be a good guess but it's contradicted by
stat /tmp/somedir/application.port working. Since stat can access the file but not Apache, there's some security framework at play (SELinux presumably since this is RHEL).– Gilles
Oct 17 '13 at 21:34
add a comment |
1 Answer
1
active
oldest
votes
up vote
2
down vote
accepted
In the end, it turned out that the problem was indeed SELinux-related.
For anyone else who might need to get a quick understanding of what SELinux is and some useful commands, I recommend the SELinux for mere mortals youtube video. It's a great introduction to get started with troubleshooting.
edited Dec 7 at 23:53
Rui F Ribeiro
38.7k1479128
answered Oct 23 '13 at 7:45
Mattias Nilsson
1315
1
+1 self-answers are good for StackExchange. I'm glad you found the fix (and my one complaint about SELinux is that it hides itself unless you know to ask about it (what do you mean you don't knowls -Z??? ;) )
– msw
Oct 23 '13 at 14:13
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f96439%2feacces-that-should-not-happen%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
2
down vote
accepted
In the end, it turned out that the problem was indeed SELinux-related.
For anyone else who might need to get a quick understanding of what SELinux is and some useful commands, I recommend the SELinux for mere mortals youtube video. It's a great introduction to get started with troubleshooting.
edited Dec 7 at 23:53
Rui F Ribeiro
38.7k1479128
answered Oct 23 '13 at 7:45
Mattias Nilsson
1315
1
+1 self-answers are good for StackExchange. I'm glad you found the fix (and my one complaint about SELinux is that it hides itself unless you know to ask about it (what do you mean you don't knowls -Z??? ;) )
– msw
Oct 23 '13 at 14:13
add a comment |
up vote
2
down vote
accepted
In the end, it turned out that the problem was indeed SELinux-related.
For anyone else who might need to get a quick understanding of what SELinux is and some useful commands, I recommend the SELinux for mere mortals youtube video. It's a great introduction to get started with troubleshooting.
edited Dec 7 at 23:53
Rui F Ribeiro
38.7k1479128
answered Oct 23 '13 at 7:45
Mattias Nilsson
1315
1
+1 self-answers are good for StackExchange. I'm glad you found the fix (and my one complaint about SELinux is that it hides itself unless you know to ask about it (what do you mean you don't knowls -Z??? ;) )
– msw
Oct 23 '13 at 14:13
add a comment |
up vote
2
down vote
accepted
up vote
2
down vote
accepted
In the end, it turned out that the problem was indeed SELinux-related.
For anyone else who might need to get a quick understanding of what SELinux is and some useful commands, I recommend the SELinux for mere mortals youtube video. It's a great introduction to get started with troubleshooting.
edited Dec 7 at 23:53
Rui F Ribeiro
38.7k1479128
answered Oct 23 '13 at 7:45
Mattias Nilsson
1315
In the end, it turned out that the problem was indeed SELinux-related.
For anyone else who might need to get a quick understanding of what SELinux is and some useful commands, I recommend the SELinux for mere mortals youtube video. It's a great introduction to get started with troubleshooting.
edited Dec 7 at 23:53
Rui F Ribeiro
38.7k1479128
answered Oct 23 '13 at 7:45
Mattias Nilsson
1315
edited Dec 7 at 23:53
Rui F Ribeiro
38.7k1479128
edited Dec 7 at 23:53
Rui F Ribeiro
38.7k1479128
edited Dec 7 at 23:53
Rui F Ribeiro
38.7k1479128
38.7k1479128
answered Oct 23 '13 at 7:45
Mattias Nilsson
1315
answered Oct 23 '13 at 7:45
Mattias Nilsson
1315
answered Oct 23 '13 at 7:45
Mattias Nilsson
1315
1315
1
+1 self-answers are good for StackExchange. I'm glad you found the fix (and my one complaint about SELinux is that it hides itself unless you know to ask about it (what do you mean you don't knowls -Z??? ;) )
– msw
Oct 23 '13 at 14:13
add a comment |
1
+1 self-answers are good for StackExchange. I'm glad you found the fix (and my one complaint about SELinux is that it hides itself unless you know to ask about it (what do you mean you don't knowls -Z??? ;) )
– msw
Oct 23 '13 at 14:13
1
1
+1 self-answers are good for StackExchange. I'm glad you found the fix (and my one complaint about SELinux is that it hides itself unless you know to ask about it (what do you mean you don't know
ls -Z??? ;) )– msw
Oct 23 '13 at 14:13
+1 self-answers are good for StackExchange. I'm glad you found the fix (and my one complaint about SELinux is that it hides itself unless you know to ask about it (what do you mean you don't know
ls -Z??? ;) )– msw
Oct 23 '13 at 14:13
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f96439%2feacces-that-should-not-happen%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
2
ls -lZto check SELinux?ls -ld /tmp/somedir?– Mikel
Oct 17 '13 at 6:47
@Mikel SELinux is a good suggestion. Is is a bit of an unknown area to me, but I'll look in to that, thanks.
– Mattias Nilsson
Oct 17 '13 at 7:37
1
@MattiasNilsson also see
stat(2)man page:EACCESSearch permission is denied for one of the directories in the path prefix of path. (See also path_resolution(7).)– peterph
Oct 17 '13 at 7:49
@peterph That would be a good guess but it's contradicted by
stat /tmp/somedir/application.portworking. Sincestatcan access the file but not Apache, there's some security framework at play (SELinux presumably since this is RHEL).– Gilles
Oct 17 '13 at 21:34