Hello,
I'm running apache 2.2.24 and php 5.2.17. The web site that it's serving turns into a 403 Forbidden error every 5 minutes literally. I've found that doing a chmod -Rv 775 on the web root restores the site. However this is a band-aid and no real solution.
I've combed through all the cron jobs in /var/spool/cron both on this machine and the one it was recently transferred from. And I can find absolutely NO evidence of any rsync jobs or chowns or anything similar that could be affecting that directory.
What I need to do is to figure out how to determine what exactly is changing the permissions on that directory's files so that I can put an end to it. Right now I have a chown -Rv 775 running on the directory every 5 minutes. But that is just going to contribute to load and can't be a permanent solution.
The directory in question is on an NFS share. However I am unsure of that being the cause.
I'm afraid that I am at a loss for troubleshooting steps here. Can someone please help me find some ways to track this down and put an end to this?
Thanks
Tim
<snip>
> What I need to do is to figure out how to determine what exactly is changing the permissions on that directory's files so that I can put an end to it. Right now I have a chown -Rv 775 running on the directory every 5 minutes. But that is just going to contribute to load and can't be a permanent solution.
> The directory in question is on an NFS share. However I am unsure of that being the cause.
> I'm afraid that I am at a loss for troubleshooting steps here. Can someone please help me find some ways to track this down and put an end to this?
I believe auditctl could help:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sec-Defining_Audit_Rules_and_Controls.html
http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a-file.html
Barry
> I believe auditctl could help:
> < https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/...
> < http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a...
Thanks Barry.. I'll give this a try
On Wed, May 28, 2014 at 10:39 PM, Barry Brimer lists@brimer.org wrote:
> <snip>
> > What I need to do is to figure out how to determine what exactly is
> > changing the permissions on that directory's files so that I can put an end
> > to it. Right now I have a chown -Rv 775 running on the directory every 5
> > minutes. But that is just going to contribute to load and can't be a
> > permanent solution.
> >
> > The directory in question is on an NFS share. However I am unsure of that
> > being the cause.
> >
> > I'm afraid that I am at a loss for troubleshooting steps here. Can someone
> > please help me find some ways to track this down and put an end to this?
> I believe auditctl could help:
> < https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/...
> < http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a...
> Barry
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
Hi Barry,
Ok well the permissions change happened again! And this time I was able to capture some output thanks to your helpful tip on how to handle the situation.
However I'm not sure how to interpret the output I got and was wondering if I could have some help with that.
time->Wed May 28 22:59:43 2014
type=PATH msg=audit(1401332383.684:68621): item=0 name="/var/www/ design.mywebsite.com/htdocs/.htaccess" inode=87073 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0
type=CWD msg=audit(1401332383.684:68621): cwd="/"
type=SYSCALL msg=audit(1401332383.684:68621): arch=c000003e syscall=2 success=yes exit=20 a0=10172470 a1=0 a2=1b6 a3=6f6474682f6d6f63 items=1 ppid=14096 pid=14141 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"
----
time->Wed May 28 22:59:43 2014
type=PATH msg=audit(1401332383.685:68622): item=0 name="/var/www/ design.mywebsite.com/htdocs/_swf/home/navart/draw6.swf" inode=391665 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0
type=CWD msg=audit(1401332383.685:68622): cwd="/"
type=SYSCALL msg=audit(1401332383.685:68622): arch=c000003e syscall=2 success=yes exit=20 a0=10172088 a1=0 a2=0 a3=f items=1 ppid=14096 pid=14141 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"
----
time->Wed May 28 22:59:43 2014
type=PATH msg=audit(1401332383.686:68623): item=0 name="/var/www/ design.mywebsite.com/htdocs/.htaccess" inode=87073 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0
type=CWD msg=audit(1401332383.686:68623): cwd="/"
type=SYSCALL msg=audit(1401332383.686:68623): arch=c000003e syscall=2 success=yes exit=20 a0=10169430 a1=0 a2=1b6 a3=6f6474682f6d6f63 items=1 ppid=14096 pid=14110 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"
----
time->Wed May 28 22:59:43 2014
type=PATH msg=audit(1401332383.687:68624): item=0 name="/var/www/ design.mywebsite.com/htdocs/_swf/home/navart/draw5.swf" inode=391664 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0
type=CWD msg=audit(1401332383.687:68624): cwd="/"
type=SYSCALL msg=audit(1401332383.687:68624): arch=c000003e syscall=2 success=yes exit=20 a0=10169048 a1=0 a2=0 a3=f items=1 ppid=14096 pid=14110 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"
----
time->Wed May 28 22:59:43 2014
type=PATH msg=audit(1401332383.701:68625): item=0 name="/var/www/ design.mywebsite.com/htdocs/.htaccess" inode=87073 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0
type=CWD msg=audit(1401332383.701:68625): cwd="/"
type=SYSCALL msg=audit(1401332383.701:68625): arch=c000003e syscall=2 success=yes exit=20 a0=101764f0 a1=0 a2=1b6 a3=6f6474682f6d6f63 items=1 ppid=14096 pid=14114 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"
----
time->Wed May 28 22:59:43 2014
type=PATH msg=audit(1401332383.703:68626): item=0 name="/var/www/ design.mywebsite.com/htdocs/_swf/wrapper/module_theDish.swf" inode=472086 dev=00:1a mode=0100775 ouid=48 ogid=8020 rdev=00:00 obj=system_u:object_r:nfs_t:s0
type=CWD msg=audit(1401332383.703:68626): cwd="/"
type=SYSCALL msg=audit(1401332383.703:68626): arch=c000003e syscall=2 success=yes exit=20 a0=10176100 a1=0 a2=0 a3=f items=1 ppid=14096 pid=14114 auid=8018 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=7457 comm="httpd" exe="/opt/apache2/bin/httpd" subj=user_u:system_r:unconfined_t:s0 key="shadow-file"
Thanks
Tim
On Wed, May 28, 2014 at 10:47 PM, Tim Dunphy bluethundr@gmail.com wrote:
> > I believe auditctl could help:
> > < https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/...
> > < http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a...
> Thanks Barry.. I'll give this a try
-- GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
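Added example, not part of any post in this thread: a small Python parser that groups raw audit records by event serial and decodes the x86_64 syscall number, which shows that the records captured above are `open` calls (syscall=2) by httpd rather than a chmod or chown. The second sample event, its `perm-change` key and its `/bin/chmod` actor are constructed for illustration.

```python
import re
from collections import defaultdict

# x86_64 (arch=c000003e) syscall numbers for opens and attribute changes.
SYSCALLS = {2: "open", 257: "openat", 90: "chmod", 91: "fchmod", 268: "fchmodat",
            92: "chown", 93: "fchown", 94: "lchown", 260: "fchownat"}
ATTR_CHANGING = set(SYSCALLS.values()) - {"open", "openat"}
EVENT_ID = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: event 68621 is abridged from the thread's output,
# event 70001 is invented to show what a real permission change looks like.
SAMPLE = '''\
type=PATH msg=audit(1401332383.684:68621): item=0 name="/var/www/design.mywebsite.com/htdocs/.htaccess" inode=87073 mode=0100775 ouid=48 ogid=8020
type=SYSCALL msg=audit(1401332383.684:68621): arch=c000003e syscall=2 success=yes exit=20 a0=10172470 a1=0 a2=1b6 pid=14141 auid=8018 uid=48 comm="httpd" exe="/opt/apache2/bin/httpd" key="shadow-file"
type=PATH msg=audit(1401332400.100:70001): item=0 name="/var/www/design.mywebsite.com/htdocs/.htaccess" inode=87073 mode=0100775 ouid=48 ogid=8020
type=SYSCALL msg=audit(1401332400.100:70001): arch=c000003e syscall=90 success=yes exit=0 a0=7ffd0 a1=1a0 a2=0 pid=15000 auid=0 uid=0 comm="chmod" exe="/bin/chmod" key="perm-change"
'''

def parse_events(text):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue  # lines without an audit event id ("----", "time->...")
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        events[int(m.group(1))][fields["type"]] = fields
    return dict(events)

def summarize(events):
    rows = []
    for serial, recs in sorted(events.items()):
        sc = recs.get("SYSCALL")
        if sc is None:
            continue
        num = int(sc["syscall"])
        known = sc.get("arch") == "c000003e" and num in SYSCALLS
        name = SYSCALLS[num] if known else "syscall#%d" % num
        row = {"serial": serial, "syscall": name, "exe": sc.get("exe"), "uid": sc.get("uid"),
               "auid": sc.get("auid"), "path": recs.get("PATH", {}).get("name"),
               "changes_attrs": name in ATTR_CHANGING}
        if name in ("chmod", "fchmod"):
            row["new_mode"] = oct(int(sc["a1"], 16))  # a1 is the mode, in hex
        rows.append(row)
    return rows

def culprits(text):
    return [r for r in summarize(parse_events(text)) if r["changes_attrs"]]
```

Because the directory is on an NFS share, a change made on the NFS server or from another client will not appear in this machine's audit log.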
On 05/28/14 23:03, Tim Dunphy wrote:
> Ok well the permissions change happened again! And this time I was able to capture some output thanks to your helpful tip on how to handle the situation.
> However I'm not sure how to interpret the output I got and was wondering if I could have some help with that.
So you have setroubleshoot installed?
mark, afraid of more selinux crap....
On Wed, 2014-05-28 at 21:39 -0500, Barry Brimer wrote:
> I believe auditctl could help:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/...
> http://www.cyberciti.biz/tips/linux-audit-files-to-see-who-made-changes-to-a...
Thanks. Very useful. I learned something new today :-)