Web server error 403 Forbidden with FW 3.7.1

Postby jdebs » Sun Jul 22, 2012 4:44 pm

Hello,
after the firmware update to 3.7.1 Build 20120615 on my TS 219P II I suddenly cannot open my web page, getting error 403 Forbidden.

1. I am able to access index.php and see Web Server Setup guide.
2. I have read rights for everyone in Web folder assigned
3. I checked index.html is written properly
4. Everything worked properly in 3.5.2_Build1126

I would appreciate any hint to fix it.
Regards,
JD
jdebs
Getting the hang of things
 
Posts: 67
Joined: Wed Jan 25, 2012 5:21 pm
Location: Germany
NAS Model: TS-219P

Re: Web server error 403 Forbidden with FW 3.7.1

Postby schumaku » Sun Jul 22, 2012 5:18 pm

Strange - the config for DirectoryIndex index.html index.htm index.php does even prioritize the html. However, I would suggest to move the default Web page away, or at least rename index.php. However: This should not prohibit the access to index.html.

What is the U**x protection mask on index.htm (and index.php)?

Here an example from a NAS without advanced folder permissions:
[/share/Web] # ls -l ind*
-rw-r--r-- 1 admin administ 170 Jun 22 10:56 index.html
-rw-r--r-- 1 admin administ 10828 May 22 2011 index.php

...just in case - what shows:
[/share/Web] # getfacl index.html
...
schumaku
Guru
 
Posts: 22316
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
NAS Model: TS-x79 Pro

Re: Web server error 403 Forbidden with FW 3.7.1

Postby jdebs » Sun Jul 22, 2012 7:24 pm

Hello,
just for clarity. The folder structure under /Web is as follows:
/Web
|_ Fotki
| |__ index.html
|_ index.php

I do have problems with Site1. Opening the default Web Server Setup guide works.

[/share/Web] #  ls -l ind*
-rwxrwx---    1 admin    administ    10828 Jul 21 23:32 index.php*
[/share/Web] # cd Fotki/
[/share/Web/Fotki] #  ls -l ind*
-rwxrwx---    1 admin    administ    12807 Jun  9 21:39 index.html*
[/share/Web/Fotki] #


[/share/Web] # getfacl index.php
# file: index.php
# owner: admin
# group: administrators
user::rwx
user:admin:rwx
user:guest:---
group::---
mask::rwx
other::---


[/share/Web/Fotki] # getfacl index.html
# file: index.html
# owner: admin
# group: administrators
user::rwx
user:admin:rwx
user:Jacek:rwx
user:guest:---
group::---
mask::rwx
other::---


Do you suggest to change permission rights or group? I did it under Share Folders.... What right shall be assigned for internet explorers?

Regards,
Jacek

Re: Web server error 403 Forbidden with FW 3.7.1

Postby schumaku » Sun Jul 22, 2012 8:20 pm

Ok. I assume the Fotki directory itself has the same ACL in place:

# getfacl /share/Web/Fotki
...?

The Web server is running on the non-privileged httpdusr. When it comes to the Web Server and the Virtual Host functionality (probably paired with dedicated access rights for virtual folders), there are some controls missing in the NAS Web UI. Pity - QNAP is rather slow in adding almost mandatory features. Now it's kind of obvious, we could do some very lazy fixes like changing the ownership of files and folders to httpdusr, relax the U**x protection mask to allow any:rwx, manually adding an ACE (Access Control Entry - a "line" in the ACL) for the httpdusr certainly forget the default one and can't be added to the group ... and mouse-clicking for no result...

However, I prefer (almost) manageable solutions. Lack of rights identifiers (Patrick. does you OpenVMS hear listening here?), we create a group - but we have to do it on the NAS Linux shell, because of httpdusr is not visible is not my thing either:

[~] # echo Apache:x:65533:httpdusr >> /etc/config/group
[~] # cat /etc/config/group
administrators:x:0:admin,testadmin,ks
everyone:x:100:admin
guest:x:65534:guest
...
Apache:x:65533:httpdusr
[~] #

So - now you return to the NAS Access Rights Management >> Share Folders -> [Permissions] ... and add the Apache local group with Read/Write access, and deploy the changes to the folders and subfolders as required:

[/share/Web] # getfacl /share/MD0_DATA/Web/Fotki
getfacl: Removing leading '/' from absolute path names
# file: share/MD0_DATA/Web/Fotki
# owner: admin
# group: administrators
user::rwx
user:admin:rwx
...
group:Apache:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:admin:rwx
...
default:group:Apache:rwx
default:mask::rwx
default:other::---

Bingo - now the non-privileged httpdusr has full access to the files - and should be able to bring index.html to the world - and your friends can enjoy the photos (Fotki - right?).

Should some Web apps require or urge the user to limit the access to some folders and/or files - ie. configs that should not be changed - just grant Apache local group "Read" access for that specific folder or file.

Re: Web server error 403 Forbidden with FW 3.7.1

Postby jdebs » Sun Jul 22, 2012 8:29 pm

Adding everyone group to subfolder /Web/Fotki helped!
I think something must have gone wrong with permission rights during the FW update because all my mapped Shared folders are not accessible. They are visible but Windows 7 can not open them, telling "Windows can not get an access..."
Advanced Folder Permissions are/were ENABLED in my case.
I will open a new post under a dedicated Subject.

Thanks schumaku for your hints. I really appreciate your fast response.
Jacek

Re: Web server error 403 Forbidden with FW 3.7.1

Postby jdebs » Sun Jul 22, 2012 8:35 pm

Meantime I see your answer. Shall I still proceed with your suggestions after adding everyone group to the folder? Will it have an impact on the security?
Shall I open a new subject on my Windows access problem?

/Jacek

[/share] # getfacl /share/Web/Fotki
getfacl: Removing leading '/' from absolute path names
# file: share/Web/Fotki
# owner: admin
# group: administrators
user::rwx
user:admin:rwx
user:Jacek:rwx
user:guest:---
group::rwx
group:everyone:r-x
mask::rwx
other::---
default:user::rwx
default:user:admin:rwx
default:user:Jacek:rwx
default:user:guest:---
default:group::rwx
default:group:everyone:r-x
default:mask::rwx
default:other::---

Re: Web server error 403 Forbidden with FW 3.7.1

Postby schumaku » Sun Jul 22, 2012 8:38 pm

jdebs wrote: Adding everyone group to subfolder /Web/Fotki helped!
....yes, that's a workaround I don't like - now every authenticated user on the NAS has access to this folder - that's not really security I'd expect from enabling ACL :shock: Good enough for a short term workaround I'd say - probably we have some more global ACL issues on your machine - we will see.

jdebs wrote: I think something must have gone wrong with permission rights during the FW update because all my mapped Shared folders are not accessible. They are visible but Windows 7 can not open them, telling "Windows can not get an access..." ...Advanced Folder Permissions are/were ENABLED in my case. I will open a new post under a dedicated Subject.
Perfect - start with posting the getfacl of the one or some of the share root directories (physical), ie. # getfacl /share/MD0_DATA/[sharename] and pick the related part from /etc/smb.conf, starting from [sharename]. Go for it - post it!

The idea (well, I do similar things on production NAS you can imagine...) is really for shares to be published by the Web Server only - and is not applicable to any access rights you are mentioning now.
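
The access decision discussed in the two replies above (a dedicated Apache group versus the everyone workaround), as an added example that is not part of the original thread: a small evaluator for getfacl-style ACLs that follows the POSIX ACL check order. The ACL texts are constructed from the thread's output, and httpdusr's group memberships and the account alice are assumptions.

```python
# Added example: POSIX ACL access check over getfacl-style text.
# ACLs are constructed from the thread's output; httpdusr's groups and the
# account "alice" are assumptions for illustration.
BASE = """# owner: admin
# group: administrators
user::rwx
user:guest:---
group::---
mask::rwx
"""

def parse_acl(text):
    """Parse access entries from getfacl output (default: entries are skipped)."""
    acl = {"owner": None, "group": None, "entries": []}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            acl["entries"].append(tuple(line.split()[0].split(":")))
    return acl

def allowed(acl, user, groups, want="r"):
    """Check in POSIX ACL order: owner, named user, group entries, other."""
    e = acl["entries"]
    mask = next((p for t, q, p in e if t == "mask"), "rwx")
    first = lambda tag, qual: next((p for t, q, p in e if (t, q) == (tag, qual)), None)
    if user == acl["owner"]:
        return want in first("user", "")
    named = first("user", user)
    if named is not None:
        return want in named and want in mask
    hits = [p for t, q, p in e if t == "group" and (q or acl["group"]) in groups]
    if hits:  # a matching group entry decides; no fall-through to other
        return any(want in p and want in mask for p in hits)
    return want in first("other", "")

def sample(extra="", other="---"):
    return parse_acl(BASE + extra + "\nother::" + other)

def demo():
    web = ("httpdusr", {"everyone", "Apache"})  # assumed memberships
    alice = ("alice", {"everyone"})             # hypothetical NAS account
    cases = {"original": sample(), "apache": sample("group:Apache:r-x"),
             "everyone": sample("group:everyone:r-x"),
             "other_rwx": sample("group:Apache:r-x", other="rwx")}
    return {k: (allowed(a, *web), allowed(a, *alice)) for k, a in cases.items()}

if __name__ == "__main__":
    for name, (web_ok, alice_ok) in demo().items():
        print(f"{name:10} httpdusr={web_ok} alice={alice_ok}")
```

The other_rwx case mirrors the other::rwx line in the sample output posted earlier: any account not matched by a user or group entry then passes the check, so keep other::--- when the Apache group entry is meant to be the only way in.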

Re: Web server error 403 Forbidden with FW 3.7.1

Postby jdebs » Sun Jul 22, 2012 8:44 pm

schumaku,
the funny thing is after deleting everyone group assigned to my Fotki folder, the web page comes up (checked in different web explorers)! I did not restart NAS yet. How can you explain this?
Jacek

Another post created: http://forum.qnap.com/viewtopic.php?f=185&t=61617

Re: Web server error 403 Forbidden with FW 3.7.1

Postby schumaku » Sun Jul 22, 2012 9:55 pm

Blush ... need a beer. Na, not really. All these everyone ACE concern me somehow since we received the ACL support... I think these exist primarily for QNAP daemon needs.

Just to be on the much better "known side" of your NAS status - would you mind to re-apply the firmware using the simple 1-2-3 part of the process here http://wiki.qnap.com/wiki/Manually_Updating_Firmware please?

Re: Web server error 403 Forbidden with FW 3.7.1

Postby jdebs » Mon Jul 23, 2012 2:12 am

As mentioned above. Everyone group added -> problem solved, site visible -> made reset -> seems to be working OK.
So simple everyone assignment to the folder and removal held. Who can explain it?
BTW I see user 500 instead of everyone group created in this Folder, how could this happen?

I do not feel so strong to update firmware manually unless it is very required....
Will I not do something wrong with steps 1-3?

BTW:
How this shall help?
Jacek