
Question

I have followed the installation instructions as given in http://twiki.org/cgi-bin/view/Codev/TWikiOnRedHat

While trying to run http://localhost/twiki/bin/configure, I get the error 403 forbidden, you do not have access to twiki/bin/configure on this server.

I have used the TWiki:TWiki.ApacheConfigGenerator to generate the twiki.conf file which is stored in /etc/httpd/conf.d/ directory and I have specified localhost, 127.0.0.1 and my system IP as valid IP address to have access to configure.

My twiki directory is stored in /home/twiki/TWiki-4.2.3 and /var/www/twiki is a soft link to /home/twiki/TWiki-4.2.3 directory.

Environment

TWiki version: TWikiRelease04x02x03
TWiki plugins: DefaultPlugin, EmptyPlugin, InterwikiPlugin
Server OS: RedHat Enterprise Linux 2.6.9-55.ELsmp
Web server: Apache 2.0.52
Perl version: 5.8.5
Client OS: Linux
Web Browser: Mozilla Firefox 1.5.0.10
Categories: Installation

-- TWikiGuest - 15 Dec 2008

Answer


Check the permission of the twiki/bin directory and the configure script. Some shared hosting env are pretty picky with permissions, e.g. scripts need to be 755 (a 775 would not work). Also, your Apache config might prohibit symbolic links for security.

-- PeterThoeny - 15 Dec 2008

I have checked the permission of twiki/bin as well as the configure script. They are correct, as given below:

drwxr-xr-x 3 apache apache 4096 Dec 15 16:33 bin
-r-xr-xr-x 1 apache apache 24084 Sep 12 09:12 configure

This is my twiki.conf file:


<Directory "/var/www/twiki/bin">
    AllowOverride None
    Order Allow,Deny
    Allow from all
    Deny from env=blockAccess

    Options ExecCGI FollowSymLinks
    SetHandler cgi-script

    # Password file for TWiki users
    AuthUserFile /var/www/twiki/data/.htpasswd
    AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
    AuthType Basic

    # File to return on access control error (e.g. wrong password)
    ErrorDocument 401 /twiki/bin/view/TWiki/TWikiRegistration

# Limit access to configure to specific IP addresses and or users.
# Make sure configure is not open to the general public.
# It exposes system details that can help attackers.
<FilesMatch "^(configure)$">
    SetHandler cgi-script
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1 localhost 192.168.51.156
</FilesMatch>

# When using Apache type login the following defines the TWiki scripts
# that makes Apache ask the browser to authenticate. It is correct that
# scripts such as view are not authenticated.
<FilesMatch "(attach|edit|manage|rename|save|upload|mail|logon|rest|.*auth).*">
        require valid-user
</FilesMatch>

# Enable mod_perl for the bin scripts listed
<IfModule mod_perl.c>
    <FilesMatch \"(attach|edit|manage|rename|save|upload|view|rest|.*auth).*\">
        SetHandler perl-script
        PerlResponseHandler ModPerl::Registry
        PerlSendHeader On
        PerlOptions +ParseHeaders
    </FilesMatch>
</IfModule>
</Directory>

In /etc/httpd/conf/httpd.conf file, I do not see any other configuration that prevents symbolic links.

This is how the link looks in /var/www:

lrwxrwxrwx 1 apache apache 23 Dec 15 16:08 twiki -> /home/twiki/TWiki-4.2.3

Please let me know if any other information is needed to help me resolve this error.

-- TWikiGuest - 17 Dec 2008

Hi,

Please try replacing "configure" file section with following

<FilesMatch "^(configure)$">
    SetHandler cgi-script
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1 localhost 192.168.51.156
   Satisfy Any
</FilesMatch>

Notice the "Satisfy Any" line. If it still does not work, then just try commenting out lines as shown below. At least you will know whether the "configure" script works. If it works, then you can play with the "Allow from" section later.

<FilesMatch "^(configure)$">
    SetHandler cgi-script
    Order Deny,Allow
   # Deny from all
   #Allow from 127.0.0.1 localhost 192.168.51.156
   Satisfy Any
</FilesMatch>

-- SopanShewale - 18 Dec 2008

I tried the following and none of them seem to have worked. This might indicate that there might be a generic issue.

1) Added Satisfy Any line - same error
2) Commented out Deny from all and Allow from All and added Satisfy Any - Still same error
3) Commented out even the Order Deny,Allow line, so that I have only two lines, SetHandler and Satisfy Any - same access error

-- TWikiGuest - 18 Dec 2008

Please paste the Apache error log lines (/var/log/http/error_log)

-- SopanShewale - 18 Dec 2008

[Mon Dec 22 15:00:36 2008] [error] [client 192.168.51.156] (13)Permission denied: access to /twiki/bin/configure denied.

This error I am getting with following settings in twiki.conf

    SetHandler cgi-script
    Order Deny,Allow
    #Deny from all
    #Allow from 127.0.0.1 localhost 192.168.51.156
    Satisfy Any

-- TWikiGuest - 22 Dec 2008

I had an older installation of Twiki which seems to be working fine. Upon further investigation I found that it has something to do with the top level directory i.e. /var/www/twiki --> points to /home/twiki/twiki_old

If I change this to /var/www/twiki --> point to /home/twiki/twiki_new with exact contents and permission between these two directories it does NOT work

This gave me a clue that possibly the permission of the twiki_new and twiki_old directories, both of which reside in the /home/twiki directory, could be an issue.

Unfortunately both of them have identical permissions.

Please note I am able to run the configure script manually from the Terminal and the output is fine (viewed in web browser):

cd /home/twiki/twiki_new/bin
./configure > /tmp/a.html

Viewing a.html in a web browser shows the expected configure output.

So I am back to square one on what is special with this directory that is making it work.

twiki_old --> works
twiki_new --> doesn't work

Both the directories have exact same content and permission and both these reside in /home/twiki directory.

-- TWikiGuest - 22 Dec 2008
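
An added example, not part of any post in this thread: the (13) in the error_log line above is the operating system's EACCES error, so one check is to walk every component of the symlink-resolved path using the web server user's permission class. The function names are hypothetical, the directory tree is constructed to mirror the layout in the question, and only mode bits are examined (no ACLs, no SELinux labels).

```python
import os
import tempfile

def first_blocked(path, uid, gids, root=os.sep):
    """Return (component, reason) for the first component of the symlink-resolved
    path that uid/gids cannot use, or None. Mode bits only: no ACLs, no SELinux,
    uid 0 not modelled. Components above `root` are not checked."""
    current = os.path.realpath(root)
    rel = os.path.relpath(os.path.realpath(path), current)
    if rel.startswith(os.pardir):
        raise ValueError("path resolves outside root")
    todo = [current]
    for part in rel.split(os.sep):
        if part != os.curdir:
            current = os.path.join(current, part)
            todo.append(current)
    for i, item in enumerate(todo):
        st = os.stat(item)
        if uid == st.st_uid:
            bits = (st.st_mode >> 6) & 7   # owner class applies
        elif st.st_gid in gids:
            bits = (st.st_mode >> 3) & 7   # group class applies
        else:
            bits = st.st_mode & 7          # other class applies
        if i < len(todo) - 1 and not (bits & 1):
            return item, "directory lacks search (x) permission"
        if i == len(todo) - 1 and (bits & 5) != 5:
            return item, "script is not readable and executable"
    return None

def demo():
    """Constructed tree shaped like the thread: www/twiki -> home/twiki/TWiki-4.2.3."""
    top = tempfile.mkdtemp()
    release = os.path.join(top, "home", "twiki", "TWiki-4.2.3")
    os.makedirs(os.path.join(release, "bin"))
    os.mkdir(os.path.join(top, "www"))
    for directory, _, _ in os.walk(top):
        os.chmod(directory, 0o755)
    script = os.path.join(release, "bin", "configure")
    open(script, "w").close()
    os.chmod(script, 0o555)
    os.symlink(release, os.path.join(top, "www", "twiki"))
    url_path = os.path.join(top, "www", "twiki", "bin", "configure")
    web_uid = os.getuid() + 1      # constructed uid that owns nothing in the tree
    before = first_blocked(url_path, web_uid, set(), root=top)
    os.chmod(os.path.join(top, "home", "twiki"), 0o700)   # private home directory
    after = first_blocked(url_path, web_uid, set(), root=top)
    return before, after, top

if __name__ == "__main__":
    print(demo()[:2])
```

On a real host, call `first_blocked` with the path Apache serves and the uid and group ids of the account httpd runs as; a `None` result with the 403 still present points away from mode bits.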

Hi

I face a similar problem. In my case the /var/log/httpd/error_log reads

[Mon Jan 12 07:59:02 2009] [error] Can't locate /var/www/twiki/tools/mod_perl_startup.pl in @INC (@INC contains: /usr/lib64/perl5/5.10.0/x86_64-linux-thread-multi /usr/lib/perl5/5.10.0 /usr/local/lib64/perl5/site_perl/5.10.0/x86_64-linux-thread-multi /usr/local/lib/perl5/site_perl/5.10.0 /usr/lib64/perl5/vendor_perl/5.10.0/x86_64-linux-thread-multi /usr/lib/perl5/vendor_perl/5.10.0 /usr/lib/perl5/vendor_perl /usr/local/lib/perl5/site_perl /usr/local/lib64/perl5/site_perl /etc/httpd) at (eval 2) line 1.\n
[Mon Jan 12 07:59:02 2009] [error] Can't load Perl file: /var/www/twiki/tools/mod_perl_startup.pl for server 127.0.0.1:0, exiting...

and I get the page load error. My twiki.conf file reads:

AllowOverride None
Order Allow,Deny
Allow from all
Deny from env=blockAccess

Options ExecCGI FollowSymLinks
SetHandler cgi-script

# Password file for TWiki users
AuthUserFile /var/www/twiki/data/.htpasswd
AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
AuthType Basic

# File to return on access control error (e.g. wrong password)
ErrorDocument 401 /twiki/bin/view/TWiki/TWikiRegistration

# Limit access to configure to specific IP addresses and or users.
# Make sure configure is not open to the general public.
# It exposes system details that can help attackers.
SetHandler cgi-script
Order Deny,Allow
Deny from all
Allow from localhost
Require user amitp
Satisfy Any

# Enable mod_perl for the bin scripts listed
SetHandler perl-script
PerlResponseHandler ModPerl::Registry
PerlSendHeader On
PerlOptions +ParseHeaders

# This sets the options on the pub directory, which contains attachments and
# other files like CSS stylesheets and icons. AllowOverride None stops a
# user installing a .htaccess file that overrides these options.
# Note that files in pub are not protected by TWiki Access Controls,
# so if you want to control access to files attached to topics you need to
# block access to the specific directories same way as the ApacheConfigGenerator
# blocks access to the pub directory of the Trash web
Options None
AllowOverride None
Order Allow,Deny
Allow from all
Deny from env=blockAccess

# Disable execution of PHP scripts
php_admin_flag engine off

# This line will redefine the mime type for the most common types of scripts
AddType text/plain .shtml .php .php3 .phtml .phtm .pl .py .cgi
#
#add an Expires header that is sufficiently in the future that the browser does not even ask if its uptodate
# reducing the load on the server significantly
#IF you can, you should enable this - it will improve your twiki experience, even if you set it to under one day.
# you may need to enable expires_module in your main apache config expires_module libexec/httpd/mod_expires.so mod_expires.c
#
#
# ExpiresActive on
# ExpiresDefault "access plus 11 days"
#
#
#

# Security note: All other directories should be set so
# that they are not visible as URLs, so we set them as deny from all.
deny from all

deny from all

deny from all

deny from all

deny from all

deny from all

and so on ..

Can you please help me?

-- AmitPrabhakar - 13 Jan 2009

Sorry, closing this question after more than 30 days of inactivity. Feel free to open a new question if needed.

-- PeterThoeny - 01 Mar 2009
