From helge at monsternett.no Tue Jan 10 11:27:03 2012 From: helge at monsternett.no (Helge Milde) Date: Tue, 10 Jan 2012 11:27:03 +0100 Subject: [mpm-itk] Weird problem with permissions Message-ID: <20120110102702.GE30021@monsternett.no> We've been experiencing some problems after upgrading apache2-mpm-itk on our server running Debian 6.0 on 2011.10.06. We tried upgrading again yesterday (2.2.16-6+squeeze4) to no avail. The problem is that we started getting the following error message: >[crit] [client 1.2.3.4] (13)Permission denied: /home/a/ab/abc/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable When it first happens, it usually happens 2-5 times within the first 10 seconds (on the same site) before going silent for 4-20 minutes. It seems to happen on completely random sites (except more often on the most active ones, of course.) There really shouldn't be a legitimate permission problem as the site has a correct AssignUserId entry, and there's no changes in the permissons of the actual directories between these errors. I've tried messing with nscd and LDAP (where our users lies), as there could be an issue with them giving out invalid uid/gid numbers all of a sudden, but it doesn't seem very likely that there's any issue with this. I don't know the apache2 architecture very well, but it looks to me that apache2 lets children take requests for sites with incompatible permissions (e.g. an instance for site A suddenly taking a request for site B.) Since everything in /home/ has 750 permissions, each site *has* to have the correct permissions, or else they'll get that exact error message. If you could give us any pointers on how to debug this further, that would be very helpful. stracing random instances in the hopes that it will be the one failing would be quite inefficient :-) This is a server in production, so running apache2 under GDB or something like that is not possible. Below is an excerpt of our error.log file: [Tue Jan 10 09:36:44 2012] [crit] [client 77.88.43.27] (13)Permission denied: /home/k/kl/klatringfriluftsliv/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable [Tue Jan 10 09:36:46 2012] [crit] [client 77.88.43.27] (13)Permission denied: /home/n/ne/nettbriller/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable [Tue Jan 10 09:36:48 2012] [crit] [client 77.88.43.27] (13)Permission denied: /home/b/ba/baptistene/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable [Tue Jan 10 09:36:53 2012] [crit] [client 77.88.43.27] (13)Permission denied: /home/j/je/jec/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable [Tue Jan 10 09:36:56 2012] [crit] [client 77.88.43.27] (13)Permission denied: /home/t/tr/trialavisa/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable [Tue Jan 10 09:36:58 2012] [crit] [client 77.88.43.27] (13)Permission denied: /home/b/ba/bav/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable [Tue Jan 10 09:48:00 2012] [crit] [client 143.97.2.35] (13)Permission denied: /home/b/br/bryneck/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable [Tue Jan 10 09:48:08 2012] [crit] [client 143.97.2.35] (13)Permission denied: /home/b/br/bryneck/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable [Tue Jan 10 09:48:11 2012] [crit] [client 143.97.2.35] (13)Permission denied: /home/b/br/bryneck/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable [Tue Jan 10 09:48:52 2012] [crit] [client 192.153.194.205] (13)Permission denied: /home/t/tr/translogic/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable [Tue Jan 10 09:48:53 2012] [crit] [client 192.153.194.205] (13)Permission denied: /home/j/je/jec/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable [Tue Jan 10 09:48:53 2012] [crit] [client 192.153.194.205] (13)Permission denied: /home/t/tr/translogic/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable [Tue Jan 10 09:48:53 2012] [crit] [client 192.153.194.205] (13)Permission denied: /home/t/tr/translogic/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable [Tue Jan 10 09:54:27 2012] [crit] [client 81.167.54.18] (13)Permission denied: /home/l/la/larvikski/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable [Tue Jan 10 09:54:29 2012] [crit] [client 81.167.54.18] (13)Permission denied: /home/l/la/larvikski/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable [Tue Jan 10 09:54:32 2012] [crit] [client 81.167.54.18] (13)Permission denied: /home/l/la/larvikski/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable [Tue Jan 10 09:55:26 2012] [crit] [client 143.97.2.35] (13)Permission denied: /home/m/mo/moldepanorama/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable [Tue Jan 10 09:57:26 2012] [crit] [client 34.253.131.20] (13)Permission denied: /home/b/bu/burton/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable [Tue Jan 10 09:57:26 2012] [crit] [client 34.253.131.20] (13)Permission denied: /home/b/bu/burton/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable [Tue Jan 10 09:57:29 2012] [crit] [client 34.253.131.20] (13)Permission denied: /home/b/bu/burton/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable [Tue Jan 10 09:57:31 2012] [crit] [client 34.253.131.20] (13)Permission denied: /home/b/bu/burton/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable [Tue Jan 10 09:57:35 2012] [crit] [client 34.253.131.20] (13)Permission denied: /home/b/bu/burton/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable [Tue Jan 10 10:01:53 2012] [crit] [client 77.88.43.27] (13)Permission denied: /home/e/er/erato/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable PS. I see that we hit our MaxClient limit often too; thought it might be relevant if this is indeed a bug. Changing it now to see if it helps. -- Helge Milde, 69701808 www.monsternett.no From sgunderson at bigfoot.com Tue Jan 10 12:25:39 2012 From: sgunderson at bigfoot.com (Steinar H. Gunderson) Date: Tue, 10 Jan 2012 12:25:39 +0100 Subject: [mpm-itk] Weird problem with permissions In-Reply-To: <20120110102702.GE30021@monsternett.no> References: <20120110102702.GE30021@monsternett.no> Message-ID: <20120110112539.GA12802@uio.no> On Tue, Jan 10, 2012 at 11:27:03AM +0100, Helge Milde wrote: > We've been experiencing some problems after upgrading apache2-mpm-itk on > our server running Debian 6.0 on 2011.10.06. We tried upgrading again > yesterday (2.2.16-6+squeeze4) to no avail. Hi, This bug was introduced in 2.2.11-01 (with the support for AssignUserID on directory/location level) and fixed in mpm-itk 2.2.17-01, which is newer than what is in squeeze. See the changelog: * Fix an issue where users can sometimes get spurious 403s on persistent connections, if the .htaccess files are not world readable. /* Steinar */ -- Homepage: http://www.sesse.net/ From sgunderson at bigfoot.com Tue Jan 10 12:25:39 2012 From: sgunderson at bigfoot.com (Steinar H. Gunderson) Date: Tue, 10 Jan 2012 12:25:39 +0100 Subject: [mpm-itk] Weird problem with permissions In-Reply-To: <20120110102702.GE30021@monsternett.no> References: <20120110102702.GE30021@monsternett.no> Message-ID: <20120110112539.GA12802@uio.no> On Tue, Jan 10, 2012 at 11:27:03AM +0100, Helge Milde wrote: > We've been experiencing some problems after upgrading apache2-mpm-itk on > our server running Debian 6.0 on 2011.10.06. We tried upgrading again > yesterday (2.2.16-6+squeeze4) to no avail. Hi, This bug was introduced in 2.2.11-01 (with the support for AssignUserID on directory/location level) and fixed in mpm-itk 2.2.17-01, which is newer than what is in squeeze. See the changelog: * Fix an issue where users can sometimes get spurious 403s on persistent connections, if the .htaccess files are not world readable. /* Steinar */ -- Homepage: http://www.sesse.net/