thank you - learned another lesson!

On 22.07.2013 20:37, William A. Rowe Jr. wrote:
> If it was 770 apache:apache, then root had no access, and root (before
> processing the User directive) was 'unable' to verify the existence of
> the child directory without violating the apparent access control (not
> traditional access control, of course).
>
> On Mon, Jul 22, 2013 at 1:08 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
>> On 22.07.2013 17:01, William A. Rowe Jr. wrote:
>>> On Sun, 21 Jul 2013 00:15:45 +0200
>>> Reindl Harald <h.rei...@thelounge.net> wrote:
>>>>
>>>> but why does httpd need CAP_DAC_OVERRIDE while starting initially as
>>>> root?
>>>>
>>>> CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
>>>>
>>>> Jul 21 00:04:01 srv-rhsoft httpd[8813]: AH00112: Warning: DocumentRoot [/mnt/data/www/www] does not exist
>>>> Jul 21 00:04:01 srv-rhsoft httpd[8813]: AH00112: Warning: DocumentRoot [/mnt/data/www/private] does not exist
>>>
>>> Could one of the parents /mnt .../data .../www offer no other-traverse
>>> (x) access? If so, these need to be both root and switch-to-user
>>> traversable and perhaps readable
>>
>> *bingo*
>>
>> not that way - some had 770 while owner/group apache:apache
>> so at least questionable why the warning happens anyways
>> but after change to 775 it is gone
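The failure mode discussed in this thread, as an added example that is not part of the original messages: a small checker that walks the parent directories of a DocumentRoot and reports the first one a given uid/gid set cannot traverse using mode bits alone. The function names are hypothetical, POSIX ACLs and LSM policy are ignored, and uid 0 / gid 0 is assumed for the capability-restricted httpd parent process.

```python
import os
import stat
import sys


def dac_allows_search(st, uid, gids):
    """Plain owner/group/other test of the search (x) bit, as applied to a
    process holding neither CAP_DAC_OVERRIDE nor CAP_DAC_READ_SEARCH.
    POSIX ACLs and LSM policy are ignored (assumption of this example)."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def first_blocked_dir(path, uid, gids, start="/"):
    """Return the first directory, from start down to the parent of path,
    that (uid, gids) cannot traverse, or None if all are searchable."""
    current = os.path.abspath(start)
    parent = os.path.dirname(os.path.abspath(path))
    dirs = [current]
    for part in os.path.relpath(parent, current).split(os.sep):
        if part != ".":
            current = os.path.join(current, part)
            dirs.append(current)
    for d in dirs:
        if not dac_allows_search(os.stat(d), uid, gids):
            return d
    return None


if __name__ == "__main__":
    # Run with full privileges so every path component can be stat()ed.
    # uid 0 / gid 0 stands in for the httpd parent process (assumption).
    for docroot in sys.argv[1:]:
        blocked = first_blocked_dir(docroot, uid=0, gids={0})
        print(docroot, "->", blocked or "traversable without CAP_DAC_OVERRIDE")
```

Pass the DocumentRoot paths as arguments; a directory printed after the arrow is the component that needs an x bit for root (for example 775 instead of 770) when the capability bounding set stays as it is.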