Environment:
- CentOS 5.1,
- Apache 2.2.3
- php 5.1.6
- phpMyAdmin 2.11.6
- MySQL 5.0.22
Brand new system, brand new installation of all the above products. All looks well, but when I try to connect to phpMyAdmin, I get an error: "Forbidden: You don't have permission to access /phpMyAdmin/ on this server".
I'll forgo all the paths I followed trying to get this to work and cut to the "solution": I renamed the phpMyAdmin directory to pma, copied all files in the pma directory to a new phpMyAdmin (FWIW, using 'cp -pr'), and voilà, problem vanished. (I cannot explain why I even tried that.)
My first idea was that maybe the copy somehow resolved some issue at the directory level, but when I output an 'ls -laR' of the two directories to two files, 'diff' shows both files to be identical (apart from the timestamps on . and .. directories). The pma and phpMyAdmin directories reside in the same documentroot, have the same ownership, and the same permissions.
This must be about the weirdest experience in my professional career. If anyone can shed a light on this, it'd be most welcome. I still have the original (malfunctioning) directory on the system to bounce ideas off if anyone has any inspiration (system will go live this weekend).
Kind regards,
Herta
On Wed, 18 Jun 2008 at 7:32pm, Herta Van den Eynde wrote
2 things spring to mind:
1) httpd config with directory based allow/deny
2) selinux
Thanks for the suggestions, Joshua.
I'm using the standard apache config, which rules out suggestion 1.
SELinux is enabled, but I'm new to it. How could that cause this effect?
Kind regards,
Herta
2008/6/18 Joshua Baker-LePain jlb17@duke.edu:
> 2 things spring to mind:
> 1) httpd config with directory based allow/deny
> 2) selinux
>
> -- Joshua Baker-LePain, QB3 Shared Cluster Sysadmin, UCSF
>
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
--- On Wed, 6/18/08, Herta Van den Eynde herta.vandeneynde@gmail.com wrote:
> From: Herta Van den Eynde herta.vandeneynde@gmail.com
> Subject: [CentOS] Forbidden: You don't have permission to access /phpMyAdmin/ on this server.
> To: centos@centos.org
> Date: Wednesday, June 18, 2008, 10:32 AM
Make the small Config file below. Notice that the folder is now above your web root (/var/www/html/)
http://localhost/pma -- will navigate to the new install
------------ /etc/httpd/conf.d/phpMyAdmin.conf -----------
Alias /pma "/var/www/phpMyAdmin"
<directory /var/www/phpMyAdmin>
    Order allow,deny
    Allow from all
    Options all
    Options +includes
</directory>
---------------- end snip -------------
2008/6/18 Mark Pryor tlviewer@yahoo.com:
> Make the small Config file below. Notice that the folder is now above your web root (/var/www/html/)
> http://localhost/pma -- will navigate to the new install
> -- Mark http://www.tlviewer.org/centos/ (my repo with rt3 included)
It's one of the things I tried when I still believed I messed up on the config. (I didn't have the "Options +includes", but then I had no includes.)
Kind regards,
Herta
Maybe this has already been suggested, but is the output identical for the old and new directories using the following command:
ls -ldZ /var/www/html/{phpMyAdmin,pma}
The Z will show the SELinux security attributes.
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Herta Van den Eynde
Sent: Wednesday, June 18, 2008 15:45
To: CentOS mailing list
Subject: Re: [CentOS] Forbidden: You don't have permission to access /phpMyAdmin/ on this server.
2008/6/18 Mike Hanby mhanby@uab.edu:
> Maybe this has already been suggested, but is the output identical for the old and new directories using the following command:
> ls -ldZ /var/www/html/{phpMyAdmin,pma}
> The Z will show the SELinux security attributes.
You found it, Mike! Joshua previously suggested SELinux might have something to do with it, but being new to it, I didn't know what to do with that info.
# ls -ldZ /var/www/html/{phpMyAdmin,pma}
drwxr-xr-x phpmy apache user_u:object_r:httpd_sys_content_t /var/www/html/phpMyAdmin
drwxr-xr-x phpmy apache user_u:object_r:user_home_t /var/www/html/pma
I'll need to read up on what this means exactly. I originally untarred the phpMyAdmin in my non-priv'ed home directory - which must be the "user_home_t" reference - and then moved it over to its current location.
I meanwhile switched to permissive mode. If SELinux is this tricky, I'll have to find time to study it before enabling it again.
Thanks to all for thinking along.
Kind regards,
Herta
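As an added example (not code from the thread), assuming the CentOS 5 `ls -Z` field layout shown in Herta's output and only `httpd_sys_content_t` as the allowed type: a POSIX sh audit that parses `ls -ldZ` lines, flags web-root entries whose SELinux type httpd cannot serve, and prints the `restorecon` command that relabels them from policy. This is also why the copy "fixed" it: `mv` keeps a file's existing label, while `cp` creates new files that take the label policy assigns under the destination directory.

```shell
#!/bin/sh
# Added example, not code from the thread: audit `ls -ldZ` output for
# web-root entries whose SELinux type httpd may not read, and show the fix.

# Constructed sample, copied from the `ls -ldZ` output posted in the thread.
SAMPLE_LS_Z='drwxr-xr-x phpmy apache user_u:object_r:httpd_sys_content_t /var/www/html/phpMyAdmin
drwxr-xr-x phpmy apache user_u:object_r:user_home_t /var/www/html/pma'

# Types httpd may serve (see man httpd_selinux). Assumption: only the type
# seen on the working directory; extend the list for other httpd_* types.
ALLOWED_TYPES="httpd_sys_content_t"

# selinux_type "<ls -ldZ line>": print the type component of the context
# (user:role:type[:level]); CentOS 5's ls -Z prints it as the fourth field.
selinux_type() {
    printf '%s\n' "$1" | awk '{ split($4, c, ":"); print c[3] }'
}

# mislabeled_paths < ls-output: print "<path> <type>" for each entry whose
# type is not in ALLOWED_TYPES; exit status 1 when anything was flagged.
mislabeled_paths() {
    found=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        t=$(selinux_type "$line")
        p=${line##* }              # path is the last whitespace-separated field
        ok=0
        for a in $ALLOWED_TYPES; do
            [ "$t" = "$a" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s %s\n' "$p" "$t"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# relabel_command "<path>": reset labels from the policy's file contexts.
# chcon would also work, but a chcon label is lost at the next full relabel;
# restorecon applies what the policy says /var/www/html should carry.
relabel_command() {
    printf 'restorecon -Rv %s\n' "$1"
}

# When run directly: audit the constructed sample and show the fix per hit.
# On a live host use:  ls -ldZ /var/www/html/* | mislabeled_paths
printf '%s\n' "$SAMPLE_LS_Z" | mislabeled_paths | while read -r p t; do
    echo "$p is labeled $t; fix: $(relabel_command "$p")"
done
```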
On Wed, Jun 18, 2008 at 5:45 PM, Herta Van den Eynde herta.vandeneynde@gmail.com wrote:
> Joshua previously suggested SELinux might have something to do with it, but being new to it, I didn't know what to do with that info.
> I'll need to read up on what this means exactly. I originally untarred the phpMyAdmin in my non-priv'ed home directory - which must be the "user_home_t" reference - and then moved it over to its current location.
> I meanwhile switched to permissive mode. If SELinux is this tricky, I'll have to find time to study it before enabling it again.
Why don't you install it from an RPM?
Dag/rpmforge has an RPM for 2.11.5: http://dag.wieers.com/rpm/packages/phpmyadmin/
RPMs will usually set SELinux permissions the right way for you, so you usually don't have to bother doing that. They also have the advantage that it's usually easier to do upgrades to newer versions once they're out.
You should try to keep your SELinux in enforcing mode, since that will harden your system's security (and once it's off, it's hard to get it on again).
With web tools that connect to databases, you will probably need to set some booleans to allow them to connect to the databases. You can control that with "setsebool": you will probably need "setsebool -P httpd_can_network_connect 1", or most probably "setsebool -P httpd_can_network_connect_db 1", but try first without setting them to see if it works; if it doesn't, try setting them and see if that fixes the problem. See "man httpd_selinux" and "man setsebool" for some of the details.
Please let us know how your experiences go, and what you needed to set up for it to work.
HTH, Filipe
2008/6/19 Filipe Brandenburger filbranden@gmail.com:
> Why don't you install it from an RPM?
> Dag/rpmforge has an RPM for 2.11.5: http://dag.wieers.com/rpm/packages/phpmyadmin/
That sounded like good advice, Filipe, so I gave it a try (even though it's going to be hell to get the security team to open yet another hole in their firewall). It installs fine, and an initial test displays the phpmyadmin page, which - understandably - complains about the blowfish_secret. So I edit config.inc.php to define it, and am back to the wonderful "403 Forbidden". Only this time, even "setenforce 0" doesn't get me out of the woods.
I'll go back to my initial install, as I really cannot afford to lose more time over this. (Two other projects need to be finished by tomorrow evening.) SELinux is on my list of to-be-learned.
Kind regards,
Herta
on 6-18-2008 10:32 AM Herta Van den Eynde spake the following:
Just a side note, but "pma" is one of the directories the script kiddies hammer on my servers regularly. You had better hide it better than that, or make sure it isn't accessible from the "world".
What does your /etc/httpd/conf.d/phpmyadmin.conf look like? By default, it has an Allow 127.0.0.1 in it.
Scott Silva wrote:
| Just a side note, but "pma" is one of the directories the script kiddies
| hammer on my servers regularly. You had better hide it better than that,
| or make sure it isn't accessible from the "world".

-- Milton Calnek BSc, A/Slt(Ret.) milton@calnek.com 306-717-8737
on 6-18-2008 12:22 PM Milton Calnek spake the following:
> What does your /etc/httpd/conf.d/phpmyadmin.conf look like? By default, it has an Allow 127.0.0.1 in it.
I'm not using it, I just see the attempts. There must be some vulnerability, at least in older versions, or there wouldn't be a script out there to exploit it.
2008/6/18 Scott Silva ssilva@sgvwater.com:
> on 6-18-2008 12:22 PM Milton Calnek spake the following:
> > What does your /etc/httpd/conf.d/phpmyadmin.conf look like? By default, it has an Allow 127.0.0.1 in it.
> I'm not using it, I just see the attempts. There must be some vulnerability, at least in older versions, or there wouldn't be a script out there to exploit it.
> -- MailScanner is like deodorant... You hope everybody uses it, and you notice quickly if they don't!!!!
I don't see how it could be config related.
Like I said, I originally had a directory called phpMyAdmin, which didn't work. I renamed it to pma (to make sure the uppercase characters weren't causing problems). It still didn't work.
I then copied it to a new directory named phpMyAdmin, just like the original directory (cp -pr pma phpMyAdmin). The new phpMyAdmin directory works fine. No config changes in between.
For good measure, I copied it again to yet another directory (cp -pr pma tst). That other directory works just fine as well. Again without changing anything in the configs.
Kind regards,
Herta
2008/6/18 Scott Silva ssilva@sgvwater.com:
> Just a side note, but "pma" is one of the directories the script kiddies hammer on my servers regularly. You had better hide it better than that, or make sure it isn't accessible from the "world".
Thanks for the tip, Scott. I'll rename it again.
Kind regards,
Herta