Apache denies access after a fresh install

Try an apache2ctl -S and see if your Aegir URL is being referenced by some other vhost.... ensure the DocumentRoot is correct, etc

I've never run that command before! Nice! Here is what I get (I changed the IP addresses and passwords, etc since this is a public post but they were all correct and match each other):

VirtualHost configuration:
99.99.99.99:80       is a NameVirtualHost
         default server default (/etc/apache2/conf.d/aegir.conf:5)
         port 80 namevhost default (/etc/apache2/conf.d/aegir.conf:5)
         port 80 namevhost sites.example.com (/var/aegir/config/server_master/apache/vhost.d/sites.trialtoaster.net:1)
wildcard NameVirtualHosts and _default_ servers:
*:80                   is a NameVirtualHost
         default server localhost (/etc/apache2/sites-enabled/000-default:1)
         port 80 namevhost localhost (/etc/apache2/sites-enabled/000-default:1)
Syntax OK

Which looks OK to me. An interesting observation when chasing down the config is that I DO have it set up where there is a symbolic link to a symbolic link to a conf file:

root # ll /etc/apache2/conf.d/aegir.conf
lrwxrwxrwx 1 root root 29 Aug 17 12:40 /etc/apache2/conf.d/aegir.conf -> /var/aegir/config/apache.conf
root # ll /var/aegir/config/apache.conf
lrwxrwxrwx 1 aegir aegir 43 Aug 28 13:13 /var/aegir/config/apache.conf -> /var/aegir/config/server_master/apache.conf

Interesting, but I think it works. So then a peek at /var/aegir/config/server_master/apache.conf looks right to me:

# Aegir web server configuration file

  NameVirtualHost 99.99.99.99:80

<VirtualHost 99.99.99.99:80>
  ServerName default
  Redirect 404 /
</VirtualHost>


<IfModule !env_module>
  LoadModule env_module modules/mod_env.so
</IfModule>

<IfModule !rewrite_module>
  LoadModule rewrite_module modules/mod_rewrite.so
</IfModule>

# virtual hosts
Include /var/aegir/config/server_master/apache/vhost.d
# platforms
Include /var/aegir/config/server_master/apache/platform.d
# other configuration, not touched by aegir
Include /var/aegir/config/server_master/apache/conf.d

# Extra configuration from modules:

So that leaves the /var/aegir/config/server_master/apache/vhost.d/ directory you mentioned which only has the one config file for aegir:

<VirtualHost 99.99.99.99:80>

  DocumentRoot /var/aegir/hostmaster-0.4-alpha12 
    
  ServerName sites.example.com
  SetEnv db_type  mysqli
  SetEnv db_name  sitesexample
  SetEnv db_user  sitesexample
  SetEnv db_passwd  PASSWORD
  SetEnv db_host  sites
  SetEnv db_port  3306

# Extra configuration from modules:

    # Error handler for Drupal > 4.6.7
    <Directory "/var/aegir/hostmaster-0.4-alpha12/sites/sites.example.com/files">
      SetHandler This_is_a_Drupal_security_line_do_not_remove
    </Directory>

</VirtualHost>

It looks to me that everything is OK with all this and that the the DocumentRoot is correct, but I would love you to take a peek which is why I post it all - in any case this seems like a great practice to chase it all down and this was a great suggestion.

In the meantime, unless you see something I don't, I still don't know where to go next. I am unsure what should get what permissions and ownerships and I don't want to open it up without making sure it is secure.

Suggestions?

I get the same result in the browser. I have the "Access denied" on the browser screen, but none of the formatting is there - I assume because the guesses I made for group ownership don't include the css for the administration theme.

When Drupal starts, I get:

Starting web server: apache2[Mon Aug 30 07:39:42 2010] [warn] NameVirtualHost *:80 has no VirtualHosts.

which I kind of expect since the only site that exists after the install is the main aegir site.

Perhaps I should do a fresh, fresh install (crank up a fresh guest under the vm) and see if the presence of a pre-configured apache forces the install script to make assumptions that are not correct? If I get proper user:group ownerships being set with that, then we have a "re-install issue" and not an install issue. (grin)

Before creating a completely new guest, I cleaned everything out of the /var/aegir directory and did an "apt-get install --reinstall apache2", deleted the aegir_root user and databases from mysql, changed both my root and aegir user's umask back to the system default of 022 in .bashrc and then rebooted the guest to start clean.

Then I made a small change in the install script - I changed the hashbang line to /bin/sh from /bin/bash:

#! /bin/sh

# This script should be run as the aegir user - it snags the scripts and runs them.

# Install the hosting platform:
#  Backend - Drush and Provision
#  Frontend - hosting, hostmaster, eldir and drupal core

#  !!!!  Make sure to change this to the current versions at the time you run this script !!!!
#  The provision script downloads and installs the correct versions of other components.

export AEGIR_VERSION=0.4-alpha12

## Make sure we have the selected version of Provision installed
cd /var/aegir
wget http://files.aegirproject.org/provision-$AEGIR_VERSION.tgz
gunzip -c provision-$AEGIR_VERSION.tgz | tar -xf -
rm provision-$AEGIR_VERSION.tgz

## Run the provision install script
chmod 700 /var/aegir/provision/install.sh.txt
/var/aegir/provision/install.sh.txt sites.example.com --client_email=myemail@myemail.com

I logged in as root rather than aegir (since the installs all use that example) and all of that pretty well encompassed everything I could think of that could be the source of the problem. I really, really don't think that some of this made any difference at all, but I did it anyway.

Then I ran the install script above as root with the basic format of the command in the INSTALL.TXT:

root # su -s /bin/sh aegir -c "sh /var/aegir/bin/install_aegir"
--2010-08-30 09:43:43--  http://files.aegirproject.org/provision-0.4-alpha12.tgz
Resolving files.aegirproject.org... 209.44.112.115
Connecting to files.aegirproject.org|209.44.112.115|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 92694 (91K) [application/x-gzip]
Saving to: `provision-0.4-alpha12.tgz'

100%[========================================================================================================================>] 92,694       344K/s   in 0.3s

2010-08-30 09:43:43 (344 KB/s) - `provision-0.4-alpha12.tgz' saved [92694/92694]

==> Aegir automated install script
==> MySQL is listening on 99.99.99.99.
==> This script makes the following assumptions:
 * you have read INSTALL.txt and prepared the platform accordingly
 * you are running as your "aegir" user
Do you want to proceed with the install? [Y/n] y
==> Aegir will now generate a mysql super user password for you:
  Username : aegir_root
  Password : PASSWORD
  Hostname : sites (99.99.99.99)

You will be asked to enter your mysql root user password now :
Enter password:
==> Installing drush in /var/aegir
--2010-08-30 09:44:04--  http://ftp.drupal.org/files/projects/drush-6.x-3.3.tar.gz
Resolving ftp.drupal.org... 64.50.233.100, 64.50.236.52
Connecting to ftp.drupal.org|64.50.233.100|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 174892 (171K) [application/x-gzip]
Saving to: `drush-6.x-3.3.tar.gz'

100%[========================================================================================================================>] 174,892      491K/s   in 0.3s

2010-08-30 09:44:04 (491 KB/s) - `drush-6.x-3.3.tar.gz' saved [174892/174892]

==> Drush seems to be functionning properly
==> Provision already seems to be installed
==> Installing the frontend
Provision configuration path /var/aegir/config/server_master does not exist.                                                                           [warning]
Backup path /var/aegir/backups does not exist.                                                                                                         [warning]
Provision PHP configuration path /var/aegir/config/includes does not exist.                                                                            [warning]
Webserver custom configuration path /var/aegir/config/server_master/apache/conf.d does not exist.                                                      [warning]
Webserver platform configuration path /var/aegir/config/server_master/apache/platform.d does not exist.                                                [warning]
Webserver virtual host configuration path /var/aegir/config/server_master/apache/vhost.d does not exist.                                               [warning]
Project information for drupal retrieved.                                                                                                              [ok]
drupal downloaded from http://ftp.drupal.org/files/projects/drupal-6.19.tar.gz.                                                                        [ok]
hostmaster downloaded from http://files.aegirproject.org/hostmaster-0.4-alpha11.tgz.                                                                   [ok]
Found makefile: hostmaster.make                                                                                                                        [ok]
Project information for admin_menu retrieved.                                                                                                          [ok]
Project information for install_profile_api retrieved.                                                                                                 [ok]
Project information for jquery_ui retrieved.                                                                                                           [ok]
Project information for modalframe retrieved.                                                                                                          [ok]
admin_menu downloaded from http://ftp.drupal.org/files/projects/admin_menu-6.x-1.5.tar.gz.                                                             [ok]
install_profile_api downloaded from http://ftp.drupal.org/files/projects/install_profile_api-6.x-2.1.tar.gz.                                           [ok]
jquery_ui downloaded from http://ftp.drupal.org/files/projects/jquery_ui-6.x-1.3.tar.gz.                                                               [ok]
modalframe downloaded from http://ftp.drupal.org/files/projects/modalframe-6.x-1.6.tar.gz.                                                             [ok]
jquery_ui downloaded from http://jquery-ui.googlecode.com/files/jquery.ui-1.6.zip.                                                                     [ok]
Created sitesexamplecom database                                                                                                                      [success]
Initializing the hosting system
Dispatch command was run successfully                                                                                                                  [success]
Your existing cron entry will be replaced.                                                                                                             [warning]
This command will replace your crontab for this user. continue? (y/n): y
/var/aegir/drush/drush.php '@hostmaster' hosting-dispatch
Aegir is now installed. You can visit it at http://sites.example.com/user/reset/1/temporarypassowrd
root #

And when I looked at the user:group ownership and permissions, EVERYTHING was still aegir:aegir so I expected another epic fail - but I got the welcome email and when I clicked on the link, the site came up PERFECTLY and it works quite well, thank you very much.

So, something in the mix above made all the difference.

The first time I logged in as the aegir user (which has a bash shell with umask 027) and ran the install script with the hashbang set to /bin/bash - mysql was cleaned out identically both times but the apache config shortcuts and directory structures were in place the first time (even though the config files in them were deleted) and the second time I had deleted everything and started with an apache reinstall.

Anybody want me to try anything in particular to see which change made the difference?

I personally think the umask during the install made the difference. I use a 027 umask so that others can not see or execute anything for any user unless that user specifically gives them permission through a group reference. I suspect that aegir is allowing apache to execute using the permissions for other rather than explicit permissions as group www-data.

If it turns out that this is true, should I convert this to a critical bug, report it as a security issue or ignore it and call myself overly paranoid? It would not be the first time I have been considered overly paranoid.

OK - there is more information now.

It appears that when I had my hardening umask on (007) the install completes and reports success, but I can not get into aegir because the group www-data is not set on any files or directories - apache is allowed access to the drupal and aegir files not as user or group, but only as other - and other is denied permission. Immediately I considered this a bug as I expected apache to only access the files that it was given specific permission to access using group membership.

To prove it I wiped the system and installed again with the umask set to 022. Now it installed and reported success and still it looked like everything was set to aegir:aegir again and nothing to aegir:www-data so I expected the same result, but everything worked.

I have now had an opportunity to dig more deeply.

It appears that this access via other is by design. On files that need to be excluded, group and more fine grained access controls do indeed exist. For instance, now my settings.php file has -r--r----- permissions and aegir:www-data ownership limiting access to this file to aegir and apache2 only and then read-only in both cases.

I am not certain, but I think these actions happened during the verify that kicks off - which did not appear to have run in the first attempt.

I do not know if this is a bug, a security issue or just me being overly paranoid and using a umask that is too limiting. I will let you guys decide and mark this thread accordingly.

For those that skip to the end, if this happens to you, check your umask and make sure that it is 022 and then install again - it should work now.