CUNY Academic Commons

Many thanks for starting this ticket, Boone, and thanks in advance for your thoughts and your work, André.

Ok, no problem.

1. Added new local UNIX user:

[root@commons ~]# useradd cbox
[root@commons ~]# 
[root@commons ~]# passwd cbox
Changing password for user cbox.
Enter new UNIX password: 
Retype new UNIX password: 
passwd: all authentication tokens updated successfully.

2. Added remote login permission for new account:

account sufficient      pam_succeed_if.so user = cbox

...more soon.

3. Copied ssh authorized keys from commons user to new user, to allow Boone to login passwordless.

[root@commons ~]# cp -R /home/commons/.ssh/ /home/cbox/

...more soon.

Thanks so much, André!

Hi André,

Just wanted to touch base on this one. Had a chance to set up the new DB and mysql user for me yet? Once I've got that, and you've redirected the vhost, I think I'll be golden :)

4. Generated new mySQL user and database named cbox.

Please let me know if there are any other ssh keys to be authorized for this account and let me know how it goes!

Try now!

Same:

Forbidden

You don't have permission to access /index.php on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Apache/2.2.15 (Red Hat) Server at commonsinabox.net Port 80

From comment 8:

[root@commons ~]# chown -R cbox:cbox /home/cbox/

Shouldn't that directory be owned by the apache user?

Try now!

Shouldn't that directory be owned by the apache user?

I believe just being readable is enough...

Try now!

Same 403 :(

Hmm... I'm seeing an odd modsecurity warning:

[Tue Oct 02 13:44:11 2012] [error] [client 146.96.33.245] ModSecurity: Warning. Operator GE matched 5 at TX:outbound_anomaly_score. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_60_correlation.conf"] [line "38"] [msg "Outbound Anomaly Score Exceeded (score 15): The application is not available"] [hostname "commonsinabox.org"] [uri "/index.php"] [unique_id "UGsn65JggMgAAD4O-l0AAAD2"]

..let me see what I can dig up on that.

I still haven't been able to figure out what exactly modsecurity doesn't like about this, but I went ahead and exempted the whole vhost not to hold development back.

Ah, please let me know what files/folders should be writable by Apache.

Hi André -

Getting close!

1) I was able to install WP. I then set up the installation as a Git checkout and attempted to push to Github. Linux threw an error about permissions on my .ssh directory:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0755 for '/home/cbox/.ssh/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /home/cbox/.ssh/id_rsa

Could you sudo chmod that directory to 600? I'm pretty sure that's right.

2) Apache needs write permissions to:
- /home/cbox/www/wp-content/uploads
- /home/cbox/www/wp-content/blogs.dir

I'm thinking that the following setup will make it so that Apache can write there, and the cbox user will also be able to muck about as necessary in those directories:

chmod -R g+w /home/cbox/www/wp-content/uploads
chmod -R g+w /home/cbox/www/wp-content/blogs.dir
chgrp -R cbox /home/cbox/www/wp-content/uploads
chgrp -R cbox /home/cbox/www/wp-content/blogs.dir
chown -R apache /home/cbox/www/wp-content/uploads
chown -R apache /home/cbox/www/wp-content/blogs.dir

But you're the expert :)

Linux threw an error about permissions on my .ssh directory:

Ah ok, fixed it now.

I'm thinking that the following setup [...]

Ok, went with that : )

Hm, now I can't SSH in using my public key - I'm getting prompted for the cbox password, rather than for my public key password. Maybe 600 was not right?

Hi Boone,

The http://commonsinabox.org/ URL is live and it's a URL that is already circulating. is there anyway you can migrate our previous install (which I'm assuming is still available on the commons) there until we have thing set up as a real cbox install?

I'll have the setup in place as soon as I can.

Maybe 600 was not right?

I'm pretty sure the permissions are ok, as I just copied what's there for commons where it presumably works ok.

Just to double-check, is this your public key?

AAAAB3NzaC1yc2EAAAABIwAAAQEAvNzSpxfdnnCNh4FQKtcncoOVxFOASaSpxG4sFEutRIafujMfI4cfosw6fmUTgZvqHp1jfDc8R0OwiNSXHbCLK87UxfY8yf9I0s6Qbjyud0xmb90ix/VCzkrjt/0/UUjNSVSL71cHmhCdFkODGgyMRb8fmwdY7l3tgmBjIvm5zyq3ecxZD83jxB2PhJQe88RL/mAiE9elIc8vOh0CcPTBII0s/Gv2JmQEECnEp8FHMsedzyCG0yctNLGZvMxoJXecR7pHYi8row75FOe/cGvY/h96S7cIBW22L4WmFtJgUSEqeIhqoGvGsL7DsINFI6ZL4v4zmrtR/PEuTOCIt3aIx

Please try it with the -v flag and send me the output. Perhaps we can connect live via voice or chat and sort this out?

Hi André -

$ ssh -v cbox@commonsinabox.org
OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to commonsinabox.org [146.96.128.200] port 22.
debug1: Connection established.
debug1: identity file /home/bgorges/.ssh/id_rsa type 1
debug1: identity file /home/bgorges/.ssh/id_rsa-cert type -1
debug1: identity file /home/bgorges/.ssh/id_dsa type -1
debug1: identity file /home/bgorges/.ssh/id_dsa-cert type -1
debug1: identity file /home/bgorges/.ssh/id_ecdsa type -1
debug1: identity file /home/bgorges/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 63:02:8f:4d:56:19:e0:5e:4e:f8:c8:79:d0:65:cb:7e
debug1: Host 'commonsinabox.org' is known and matches the RSA host key.
debug1: Found key in /home/bgorges/.ssh/known_hosts:67
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/bgorges/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/bgorges/.ssh/id_dsa
debug1: Trying private key: /home/bgorges/.ssh/id_ecdsa
debug1: Next authentication method: password
cbox@commonsinabox.org's password: 

Perhaps we can connect live via voice or chat and sort this out?

I can maybe connect up sometime in the mid-afternoon. I'll let you know. Thanks for your help so far :)

Ok, but please give it one last try now if you have a moment. Thanks.

I think the problem was that /home/cbox needed to be non-world-readable as well...

Ok, but please give it one last try now if you have a moment. Thanks.

Sure - still the same problem.

Sure - still the same problem.

Hmm... in order to run the website from /home/cbox/www, apache needs to be able to read /home/cbox, but it seems that ssh doesn't want anybody to be able to read it other than the owner. So I moved the website to /var/www/cbox instead, then reset the permissions on /home/cbox. Another try?

Hm, still not working:

$ ssh cbox@commonsinabox.org -v
OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to commonsinabox.org [146.96.128.200] port 22.
debug1: Connection established.
debug1: identity file /home/bgorges/.ssh/id_rsa type 1
debug1: identity file /home/bgorges/.ssh/id_rsa-cert type -1
debug1: identity file /home/bgorges/.ssh/id_dsa type -1
debug1: identity file /home/bgorges/.ssh/id_dsa-cert type -1
debug1: identity file /home/bgorges/.ssh/id_ecdsa type -1
debug1: identity file /home/bgorges/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 63:02:8f:4d:56:19:e0:5e:4e:f8:c8:79:d0:65:cb:7e
debug1: Host 'commonsinabox.org' is known and matches the RSA host key.
debug1: Found key in /home/bgorges/.ssh/known_hosts:67
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/bgorges/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /home/bgorges/.ssh/id_dsa
debug1: Trying private key: /home/bgorges/.ssh/id_ecdsa
debug1: Next authentication method: password
cbox@commonsinabox.org's password: 

So sorry, Boone. I did 600 instead of of 700 on /home/cbox/.ssh. To avoid any further hassle on this I added my own key to authorized_keys and verified it finally, definitely works. Go for it.

Awesome, I am in! The 600 may have been my fault, I think I suggested it above :-/

Thanks :)

Hi André - I've just set up the site, and I think we're just about done. The last thing is that we need to change permissions on certain directories that need to be Apache-writable. They are:

/home/cbox/www/wp-content/blogs.dir/
/home/cbox/www/wp-content/uploads/

I think the schema we've used in the past is: chown these dirs to apache, and make sure they're group-writable (and that the cbox user is a member of the group).

Thanks again for your patience and persistence with this one!

hey Boone, no "problemo" and I thank you too : )

re: apache writability, I believe this is already set. Did it fail on testing?

bash-4.2# ssh commons
Last login: Fri Oct  5 20:09:50 2012 from cpe-72-229-162-211.nyc.res.rr.com
  _                      
 / `_  _ _  _ _  _  _   _
/_,/_// / // / //_// /_\ 

[root@commons ~]# ll /home/cbox/www/wp-content/
total 20
drwxrwxr-x.  2 apache cbox   4096 Oct  3 14:33 blogs.dir
-rwxr-xr-x.  1 cbox   apache   28 Oct  2 13:34 index.php
drwxr-xr-x. 12 cbox   apache 4096 Oct  8 11:55 plugins
drwxr-xr-x.  7 cbox   apache 4096 Oct  8 11:49 themes
drwxrwxr-x.  4 apache cbox   4096 Oct  8 11:56 uploads
[root@commons ~]# ll -d /home/cbox/www/wp-content/blogs.dir/
drwxrwxr-x. 2 apache cbox 4096 Oct  3 14:33 /home/cbox/www/wp-content/blogs.dir/

You're very kind. Appreciated.

It seems like there's some redirect issue with this:

[Fri Oct 12 10:33:36 2012] [error] [client 146.96.33.245] Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.

I have an .htaccess file in the webroot that should do the work, but the permissions on it are a bit off. Maybe that's the problem?

I don't see anything wrong with the permission there...

[root@commons ~]# ll /home/cbox/www/.htaccess 
-rwxrwxr-x. 1 cbox cbox 236 Oct  8 11:49 /home/cbox/www/.htaccess