How to identify files that apache "cannot open for reading" in the error log

My Apache error log is full of:

 Error opening file for reading: Permission denied
 Error opening file for reading: Permission denied
 Error opening file for reading: Permission denied

etc.

How can I identify the file or folder of files causing this permission error? There is no direct connection between the appearance of the errors and the requests in access_log.

Google suggests using strace, but when I do

 strace apache2 

or

 strace -e trace=open apache2

The output is quite detailed, and since I haven't used this tool before, I'm not sure what to look for. Here is what the trace shows:

 .....
 open("/lib/x86_64-linux-gnu/libnss_nis.so.2", O_RDONLY|O_CLOEXEC) = 3
 open("/lib/x86_64-linux-gnu/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
 apache2: bad user name ${APACHE_RUN_USER}

The last line is the only one that apparently may be the reason, but my web server processes images and all kinds of files on the disk, which would be a problem if the apache user were not sufficient.

Thanks.

+7
2 answers

I am not very good at strace, but I think you will need to do a few more things for Apache to work as you want.

If you just run the apache2 binary, it will stop (as you noticed) on the bad user name, because usually the Apache user name/group is set as part of the configuration (in /etc/apache2/envvars on my Ubuntu 12.04).

It was easiest for me to find the apachectl script on my machine and search it for "start". You will find a line that looks like this:

$HTTPD ${APACHE_ARGUMENTS} -k $ARGV

Here you can add your strace so that it looks like this:

strace -e trace=open -f $HTTPD ${APACHE_ARGUMENTS} -k $ARGV

You need to include the -f option, since Apache will spawn a number of processes and you most likely want to trace them too; at least this is what worked for me :)

+2

You need to look for open() calls that return -1, errno == EACCES.

I had to configure the following strace command line on Ubuntu (in /usr/sbin/apachectl):

 strace -o /tmp/strace.log -e trace=open -f $HTTPD ${APACHE_ARGUMENTS} -k $ARGV 

-o stores the output in a file. Use an appropriate destination directory if you are worried about leaking file names to a public location.

I am pursuing a similar error myself with a Python program running in Apache mod_wsgi. I find these:

 3556 open("/proc/self/auxv", O_RDONLY) = -1 EACCES (Permission denied) 

I think my error is because the wsgi workflow reduces privileges from root to the normal user who starts the application, but after that, /proc/self/auxv still remains unreadable for regular processes -- maybe.

0
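
Added example (not part of either answer): a short Python filter for the file written by the `strace -o /tmp/strace.log ... -f` command above, listing each path whose open() returned -1 EACCES and the PIDs that hit it. It also accepts openat() and calls split across `<unfinished ...>` / `resumed` lines, which goes beyond what the answers show; the sample log lines and the name `denied_opens` are constructed for illustration.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the format written by `strace -f -o FILE` (pid prefix per line).
SAMPLE_LOG = """\
3550 open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
3556 open("/proc/self/auxv", O_RDONLY) = -1 EACCES (Permission denied)
3557 openat(AT_FDCWD, "/var/www/uploads/a.png", O_RDONLY <unfinished ...>
3556 open("/var/www/missing.html", O_RDONLY) = -1 ENOENT (No such file or directory)
3557 <... openat resumed> ) = -1 EACCES (Permission denied)
3558 open("/proc/self/auxv", O_RDONLY) = -1 EACCES (Permission denied)
"""

# A complete or unfinished open()/openat() line; the first quoted string is the path.
CALL = re.compile(r'^(?:(?P<pid>\d+)\s+)?(?:open|openat)\([^"]*'
                  r'"(?P<path>(?:[^"\\]|\\.)*)"(?P<rest>.*)$')
# The second half of a call that another process interrupted under -f.
RESUMED = re.compile(r'^(?:(?P<pid>\d+)\s+)?<\.\.\. (?:open|openat) resumed>(?P<rest>.*)$')


def denied_opens(lines):
    """Return {path: sorted pids} for open/openat calls that failed with EACCES."""
    pending = {}                  # pid -> path of a call still waiting for its result
    denied = defaultdict(set)
    for line in lines:
        line = line.rstrip("\n")
        m = CALL.match(line)
        if m:
            pid, path, rest = m["pid"] or "?", m["path"], m["rest"]
            if rest.rstrip().endswith("<unfinished ...>"):
                pending[pid] = path       # result arrives on a later "resumed" line
                continue
        else:
            m = RESUMED.match(line)
            if not m:
                continue                  # not an open-family line
            pid, rest = m["pid"] or "?", m["rest"]
            path = pending.pop(pid, None)
            if path is None:
                continue                  # resumed line without its first half
        if re.search(r"= -1 EACCES\b", rest):
            denied[path].add(pid)
    return {p: sorted(pids) for p, pids in denied.items()}


if __name__ == "__main__":
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for path, pids in denied_opens(src).items():
        print(f"{path}\tpids={','.join(pids)}")
```

Run it with the log path as the only argument; without an argument it processes the constructed sample.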