EACCES that should not happen

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
2
down vote

favorite
1












I have a situation on a Linux machine that I can't really explain.



Some background: We're running apache with a c/c++ module that forwards requests to our application. It does so by reading a .port file which specifies a local port to send the requests to.



After installation, it is not possible to connect using the web interface. After a bit of troubleshooting I bring out strace and see that the apache processes fail to read the .port file:



[pid 8105] stat("/tmp/somedir/application.port", 0x7ffff9694470) = -1 EACCES (Permission denied)


I check the permissions on the file:



% ls -l /tmp/somedir/application.port
-rw-r--r--. 1 appuser staff 5 Oct 16 14:10 application.port


So, anyone should be able to read that, right?



I check who the apache process runs as:



% ps -ef | grep 8105
appuser 8105 3357 0 15:14 ? 00:00:00 /usr/sbin/httpd


So the apache process runs as the owner of the file. That should work too, right?



Finally, I do:



% su - appuser
% stat /tmp/somedir/application.port
File: `/tmp/somedir/application.port'
Size: 5 Blocks: 8 IO Block: 4096 regular file
Device: 11h/17d Inode: 1400293 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1001/ appuser) Gid: ( 1001/ staff)
Access: 2013-10-16 14:10:03.357679902 +0200
Modify: 2013-10-16 14:10:03.357679902 +0200
Change: 2013-10-16 14:10:03.357679902 +0200


So, the "appuser" owns the file, runs the web server, but don't have the permission to do stat() on it from within the web server process?
Does anyone have an idea about what could be going on here?



I should also mention that this is not the first installation we've done, and the others work as expected. There might have been some manual fiddling during the installation of this particular machine, but I still don't see how we can end up like this.



Restarting processes also does nothing to change the behavior.



The machine is a RHEL 6 box.










share|improve this question



















  • 2




    ls -lZ to check SELinux? ls -ld /tmp/somedir?
    – Mikel
    Oct 17 '13 at 6:47










  • @Mikel SELinux is a good suggestion. Is is a bit of an unknown area to me, but I'll look in to that, thanks.
    – Mattias Nilsson
    Oct 17 '13 at 7:37






  • 1




    @MattiasNilsson also see stat(2) man page: EACCES Search permission is denied for one of the directories in the path prefix of path. (See also path_resolution(7).)
    – peterph
    Oct 17 '13 at 7:49










  • @peterph That would be a good guess but it's contradicted by stat /tmp/somedir/application.port working. Since stat can access the file but not Apache, there's some security framework at play (SELinux presumably since this is RHEL).
    – Gilles
    Oct 17 '13 at 21:34














up vote
2
down vote

favorite
1












I have a situation on a Linux machine that I can't really explain.



Some background: We're running apache with a c/c++ module that forwards requests to our application. It does so by reading a .port file which specifies a local port to send the requests to.



After installation, it is not possible to connect using the web interface. After a bit of troubleshooting I bring out strace and see that the apache processes fail to read the .port file:



[pid 8105] stat("/tmp/somedir/application.port", 0x7ffff9694470) = -1 EACCES (Permission denied)


I check the permissions on the file:



% ls -l /tmp/somedir/application.port
-rw-r--r--. 1 appuser staff 5 Oct 16 14:10 application.port


So, anyone should be able to read that, right?



I check who the apache process runs as:



% ps -ef | grep 8105
appuser 8105 3357 0 15:14 ? 00:00:00 /usr/sbin/httpd


So the apache process runs as the owner of the file. That should work too, right?



Finally, I do:



% su - appuser
% stat /tmp/somedir/application.port
File: `/tmp/somedir/application.port'
Size: 5 Blocks: 8 IO Block: 4096 regular file
Device: 11h/17d Inode: 1400293 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1001/ appuser) Gid: ( 1001/ staff)
Access: 2013-10-16 14:10:03.357679902 +0200
Modify: 2013-10-16 14:10:03.357679902 +0200
Change: 2013-10-16 14:10:03.357679902 +0200


So, the "appuser" owns the file, runs the web server, but don't have the permission to do stat() on it from within the web server process?
Does anyone have an idea about what could be going on here?



I should also mention that this is not the first installation we've done, and the others work as expected. There might have been some manual fiddling during the installation of this particular machine, but I still don't see how we can end up like this.



Restarting processes also does nothing to change the behavior.



The machine is a RHEL 6 box.










share|improve this question



















  • 2




    ls -lZ to check SELinux? ls -ld /tmp/somedir?
    – Mikel
    Oct 17 '13 at 6:47










  • @Mikel SELinux is a good suggestion. Is is a bit of an unknown area to me, but I'll look in to that, thanks.
    – Mattias Nilsson
    Oct 17 '13 at 7:37






  • 1




    @MattiasNilsson also see stat(2) man page: EACCES Search permission is denied for one of the directories in the path prefix of path. (See also path_resolution(7).)
    – peterph
    Oct 17 '13 at 7:49










  • @peterph That would be a good guess but it's contradicted by stat /tmp/somedir/application.port working. Since stat can access the file but not Apache, there's some security framework at play (SELinux presumably since this is RHEL).
    – Gilles
    Oct 17 '13 at 21:34












up vote
2
down vote

favorite
1









up vote
2
down vote

favorite
1






1





I have a situation on a Linux machine that I can't really explain.



Some background: We're running apache with a c/c++ module that forwards requests to our application. It does so by reading a .port file which specifies a local port to send the requests to.



After installation, it is not possible to connect using the web interface. After a bit of troubleshooting I bring out strace and see that the apache processes fail to read the .port file:



[pid 8105] stat("/tmp/somedir/application.port", 0x7ffff9694470) = -1 EACCES (Permission denied)


I check the permissions on the file:



% ls -l /tmp/somedir/application.port
-rw-r--r--. 1 appuser staff 5 Oct 16 14:10 application.port


So, anyone should be able to read that, right?



I check who the apache process runs as:



% ps -ef | grep 8105
appuser 8105 3357 0 15:14 ? 00:00:00 /usr/sbin/httpd


So the apache process runs as the owner of the file. That should work too, right?



Finally, I do:



% su - appuser
% stat /tmp/somedir/application.port
File: `/tmp/somedir/application.port'
Size: 5 Blocks: 8 IO Block: 4096 regular file
Device: 11h/17d Inode: 1400293 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1001/ appuser) Gid: ( 1001/ staff)
Access: 2013-10-16 14:10:03.357679902 +0200
Modify: 2013-10-16 14:10:03.357679902 +0200
Change: 2013-10-16 14:10:03.357679902 +0200


So, the "appuser" owns the file, runs the web server, but don't have the permission to do stat() on it from within the web server process?
Does anyone have an idea about what could be going on here?



I should also mention that this is not the first installation we've done, and the others work as expected. There might have been some manual fiddling during the installation of this particular machine, but I still don't see how we can end up like this.



Restarting processes also does nothing to change the behavior.



The machine is a RHEL 6 box.










share|improve this question















I have a situation on a Linux machine that I can't really explain.



Some background: We're running apache with a c/c++ module that forwards requests to our application. It does so by reading a .port file which specifies a local port to send the requests to.



After installation, it is not possible to connect using the web interface. After a bit of troubleshooting I bring out strace and see that the apache processes fail to read the .port file:



[pid 8105] stat("/tmp/somedir/application.port", 0x7ffff9694470) = -1 EACCES (Permission denied)


I check the permissions on the file:



% ls -l /tmp/somedir/application.port
-rw-r--r--. 1 appuser staff 5 Oct 16 14:10 application.port


So, anyone should be able to read that, right?



I check who the apache process runs as:



% ps -ef | grep 8105
appuser 8105 3357 0 15:14 ? 00:00:00 /usr/sbin/httpd


So the apache process runs as the owner of the file. That should work too, right?



Finally, I do:



% su - appuser
% stat /tmp/somedir/application.port
File: `/tmp/somedir/application.port'
Size: 5 Blocks: 8 IO Block: 4096 regular file
Device: 11h/17d Inode: 1400293 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1001/ appuser) Gid: ( 1001/ staff)
Access: 2013-10-16 14:10:03.357679902 +0200
Modify: 2013-10-16 14:10:03.357679902 +0200
Change: 2013-10-16 14:10:03.357679902 +0200


So, the "appuser" owns the file, runs the web server, but don't have the permission to do stat() on it from within the web server process?
Does anyone have an idea about what could be going on here?



I should also mention that this is not the first installation we've done, and the others work as expected. There might have been some manual fiddling during the installation of this particular machine, but I still don't see how we can end up like this.



Restarting processes also does nothing to change the behavior.



The machine is a RHEL 6 box.







permissions rhel apache-httpd






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Aug 17 '16 at 11:22









Jeff Schaller

38k1053123




38k1053123










asked Oct 17 '13 at 6:38









Mattias Nilsson

1315




1315







  • 2




    ls -lZ to check SELinux? ls -ld /tmp/somedir?
    – Mikel
    Oct 17 '13 at 6:47










  • @Mikel SELinux is a good suggestion. Is is a bit of an unknown area to me, but I'll look in to that, thanks.
    – Mattias Nilsson
    Oct 17 '13 at 7:37






  • 1




    @MattiasNilsson also see stat(2) man page: EACCES Search permission is denied for one of the directories in the path prefix of path. (See also path_resolution(7).)
    – peterph
    Oct 17 '13 at 7:49










  • @peterph That would be a good guess but it's contradicted by stat /tmp/somedir/application.port working. Since stat can access the file but not Apache, there's some security framework at play (SELinux presumably since this is RHEL).
    – Gilles
    Oct 17 '13 at 21:34












  • 2




    ls -lZ to check SELinux? ls -ld /tmp/somedir?
    – Mikel
    Oct 17 '13 at 6:47










  • @Mikel SELinux is a good suggestion. Is is a bit of an unknown area to me, but I'll look in to that, thanks.
    – Mattias Nilsson
    Oct 17 '13 at 7:37






  • 1




    @MattiasNilsson also see stat(2) man page: EACCES Search permission is denied for one of the directories in the path prefix of path. (See also path_resolution(7).)
    – peterph
    Oct 17 '13 at 7:49










  • @peterph That would be a good guess but it's contradicted by stat /tmp/somedir/application.port working. Since stat can access the file but not Apache, there's some security framework at play (SELinux presumably since this is RHEL).
    – Gilles
    Oct 17 '13 at 21:34







2




2




ls -lZ to check SELinux? ls -ld /tmp/somedir?
– Mikel
Oct 17 '13 at 6:47




ls -lZ to check SELinux? ls -ld /tmp/somedir?
– Mikel
Oct 17 '13 at 6:47












@Mikel SELinux is a good suggestion. Is is a bit of an unknown area to me, but I'll look in to that, thanks.
– Mattias Nilsson
Oct 17 '13 at 7:37




@Mikel SELinux is a good suggestion. Is is a bit of an unknown area to me, but I'll look in to that, thanks.
– Mattias Nilsson
Oct 17 '13 at 7:37




1




1




@MattiasNilsson also see stat(2) man page: EACCES Search permission is denied for one of the directories in the path prefix of path. (See also path_resolution(7).)
– peterph
Oct 17 '13 at 7:49




@MattiasNilsson also see stat(2) man page: EACCES Search permission is denied for one of the directories in the path prefix of path. (See also path_resolution(7).)
– peterph
Oct 17 '13 at 7:49












@peterph That would be a good guess but it's contradicted by stat /tmp/somedir/application.port working. Since stat can access the file but not Apache, there's some security framework at play (SELinux presumably since this is RHEL).
– Gilles
Oct 17 '13 at 21:34




@peterph That would be a good guess but it's contradicted by stat /tmp/somedir/application.port working. Since stat can access the file but not Apache, there's some security framework at play (SELinux presumably since this is RHEL).
– Gilles
Oct 17 '13 at 21:34










1 Answer
1






active

oldest

votes

















up vote
2
down vote



accepted










In the end, it turned out that the problem was indeed SELinux-related.



For anyone else who might need to get a quick understanding of what SELinux is and some useful commands, I recommend the SELinux for mere mortals youtube video. It's a great introduction to get started with troubleshooting.






share|improve this answer


















  • 1




    +1 self-answers are good for StackExchange. I'm glad you found the fix (and my one complaint about SELinux is that it hides itself unless you know to ask about it (what do you mean you don't know ls -Z??? ;) )
    – msw
    Oct 23 '13 at 14:13










Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f96439%2feacces-that-should-not-happen%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
2
down vote



accepted










In the end, it turned out that the problem was indeed SELinux-related.



For anyone else who might need to get a quick understanding of what SELinux is and some useful commands, I recommend the SELinux for mere mortals youtube video. It's a great introduction to get started with troubleshooting.






share|improve this answer


















  • 1




    +1 self-answers are good for StackExchange. I'm glad you found the fix (and my one complaint about SELinux is that it hides itself unless you know to ask about it (what do you mean you don't know ls -Z??? ;) )
    – msw
    Oct 23 '13 at 14:13














up vote
2
down vote



accepted










In the end, it turned out that the problem was indeed SELinux-related.



For anyone else who might need to get a quick understanding of what SELinux is and some useful commands, I recommend the SELinux for mere mortals youtube video. It's a great introduction to get started with troubleshooting.






share|improve this answer


















  • 1




    +1 self-answers are good for StackExchange. I'm glad you found the fix (and my one complaint about SELinux is that it hides itself unless you know to ask about it (what do you mean you don't know ls -Z??? ;) )
    – msw
    Oct 23 '13 at 14:13












up vote
2
down vote



accepted







up vote
2
down vote



accepted






In the end, it turned out that the problem was indeed SELinux-related.



For anyone else who might need to get a quick understanding of what SELinux is and some useful commands, I recommend the SELinux for mere mortals youtube video. It's a great introduction to get started with troubleshooting.






share|improve this answer














In the end, it turned out that the problem was indeed SELinux-related.



For anyone else who might need to get a quick understanding of what SELinux is and some useful commands, I recommend the SELinux for mere mortals youtube video. It's a great introduction to get started with troubleshooting.







share|improve this answer














share|improve this answer



share|improve this answer








edited Dec 7 at 23:53









Rui F Ribeiro

38.7k1479128




38.7k1479128










answered Oct 23 '13 at 7:45









Mattias Nilsson

1315




1315







  • 1




    +1 self-answers are good for StackExchange. I'm glad you found the fix (and my one complaint about SELinux is that it hides itself unless you know to ask about it (what do you mean you don't know ls -Z??? ;) )
    – msw
    Oct 23 '13 at 14:13












  • 1




    +1 self-answers are good for StackExchange. I'm glad you found the fix (and my one complaint about SELinux is that it hides itself unless you know to ask about it (what do you mean you don't know ls -Z??? ;) )
    – msw
    Oct 23 '13 at 14:13







1




1




+1 self-answers are good for StackExchange. I'm glad you found the fix (and my one complaint about SELinux is that it hides itself unless you know to ask about it (what do you mean you don't know ls -Z??? ;) )
– msw
Oct 23 '13 at 14:13




+1 self-answers are good for StackExchange. I'm glad you found the fix (and my one complaint about SELinux is that it hides itself unless you know to ask about it (what do you mean you don't know ls -Z??? ;) )
– msw
Oct 23 '13 at 14:13

















draft saved

draft discarded
















































Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f96439%2feacces-that-should-not-happen%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown






Popular posts from this blog

How to check contact read email or not when send email to Individual?

Displaying single band from multi-band raster using QGIS

How many registers does an x86_64 CPU actually have?