Access denied error after restart

I installed the white label version of InvoiceNinja last month and have been running it on a CentOS 7 install since then. I was having some slowness and decided to restart the system. After the restart I can no longer access the Invoice Ninja system. What really doesn’t make any sense is that nothing changed other than the restart.

Environment:

  • CentOS 7
  • PHP
  • Nginx
  • MariaDB

Logs during access try

==> /var/log/nginx/ininja.access.log <==
192.168.2.127 - - [05/Aug/2018:21:30:27 -0400] "GET /login HTTP/1.1" 403 25 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36"

==> /var/log/nginx/ininja.error.log <==
2018/08/05 21:30:27 [error] 11940#0: *2 FastCGI sent in stderr: "PHP message: PHP Warning: Unknown: failed to open stream: Permission denied in Unknown on line 0
Unable to open primary script: /var/www/ninja/public/index.php (Permission denied)" while reading response header from upstream, client: 192.168.2.127, server: 192.168.2.250, request: "GET /login HTTP/1.1", upstream: "fastcgi://unix:/var/run/php71-fpm-ninja.sock:", host: "192.168.2.250"
2018/08/05 21:30:27 [error] 11940#0: *2 open() "/var/www/ninja/public/favicon.ico" failed (13: Permission denied), client: 192.168.2.127, server: 192.168.2.250, request: "GET /favicon.ico HTTP/1.1", host: "192.168.2.250", referrer: "https://192.168.2.250/login"

[root@linux ninja]# pwd
/var/www/ninja
[root@linux ninja]# ls -alh
total 556K
drwxr-xr-x. 13 ninja ninja 4.0K Jul 5 20:34 .
drwxr-xr-x. 3 root root 19 Jul 7 16:07 ..
drwxrwxr-x. 18 ninja ninja 278 Jul 5 20:27 app
-rwxrwxr-x. 1 ninja ninja 1.6K Jul 5 20:27 artisan
drwxrwxr-x. 3 ninja ninja 77 Jul 5 20:27 bootstrap
-rw-rw-r--. 1 ninja ninja 1.3K Jul 5 20:27 bower.json
-rw-rw-r--. 1 ninja ninja 646 Jul 5 20:27 codeception.yml
-rw-rw-r--. 1 ninja ninja 5.3K Jul 5 20:27 composer.json
-rw-rw-r--. 1 ninja ninja 466K Jul 5 20:27 composer.lock
drwxrwxr-x. 3 ninja ninja 4.0K Aug 5 20:54 config
-rw-rw-r--. 1 ninja ninja 1.9K Jul 5 20:27 CONTRIBUTING.md
drwxrwxr-x. 5 ninja ninja 89 Jul 5 20:27 database
drwxrwxr-x. 3 ninja ninja 4.0K Jul 5 20:27 docs
-rw-r--r--. 1 ninja ninja 979 Jul 28 10:15 .env
-rw-rw-r--. 1 ninja ninja 1.2K Jul 5 20:27 Gruntfile.js
-rw-rw-r--. 1 ninja ninja 6.6K Jul 5 20:27 gulpfile.js
-rw-rw-r--. 1 ninja ninja 2.5K Jul 5 20:27 LICENSE
-rw-rw-r--. 1 ninja ninja 371 Jul 5 20:27 package.json
-rw-rw-r--. 1 ninja ninja 87 Jul 5 20:27 phpspec.yml
-rw-rw-r--. 1 ninja ninja 777 Jul 5 20:27 phpunit.xml
drwxrwxr-x. 7 ninja ninja 4.0K Jul 5 20:27 public
-rw-rw-r--. 1 ninja ninja 4.2K Jul 5 20:27 README.md
drwxrwxr-x. 5 ninja ninja 61 Jul 5 20:27 resources
drwxrwxr-x. 2 ninja ninja 36 Jul 5 20:27 routes
-rw-rw-r--. 1 ninja ninja 560 Jul 5 20:27 server.php
drwxrwxr-x. 8 ninja ninja 130 Jul 5 20:35 storage
drwxrwxr-x. 8 ninja ninja 246 Jul 5 20:27 tests
drwxrwxr-x. 102 ninja ninja 4.0K Jul 5 20:30 vendor

The error here is pretty explicit.

There were insufficient permissions to read the file.

This would mean that the webserver user is not ninja, or is not in the ninja group.

If you are using NGINX then it is a little more complicated, as you would need to look at both the NGINX user and also the php-fpm child process user.

If the webserver user is definitely configured correctly, then the next most likely issue would be SELinux, AKA the bane of most sysadmins' existence :wink:

I would agree but that doesn’t explain the fact that it’s been running for a month without any issues. If I had permissions issues it shouldn’t have started in the first place.

Thanks for the information about the php child process, I’ll look at that too.

DavidBomba - You were right, SELinux killed me.

The installation guide says to do the following, except that only disables SELinux for the current session; after a restart it returns to the configuration file setup.

Current Installation guide

Disable SELinux with the following command:

setenforce 0

You won’t need it for Invoice Ninja and this setup.

And finally, start php-fpm and nginx:

Please update the installation guide to show:

Disable SELinux with the following command:

setenforce 0

Disable SELinux on startup with

sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config

You won’t need it for Invoice Ninja and this setup.

And finally, start php-fpm and nginx:
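
The mismatch described in the post above (setenforce 0 changes only the running mode, while /etc/selinux/config decides the mode after the next boot) can be detected before a restart. The following is an added example, not part of the thread or the installation guide; the function names configured_mode and selinux_drift are hypothetical, and it assumes getenforce is available when run on a real host.

```shell
#!/bin/sh
# Added example: compare the running SELinux mode with the mode that
# /etc/selinux/config will apply at the next boot.

# Print the SELINUX= value from a config file (lowercased), or "unset".
# Comment lines and SELINUXTYPE= are ignored; the last SELINUX= line wins.
configured_mode() {
    cfg=${1:-/etc/selinux/config}
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
        "$cfg" 2>/dev/null | tail -n 1)
    [ -n "$mode" ] || mode=unset
    printf '%s\n' "$mode" | tr '[:upper:]' '[:lower:]'
}

# $1 = runtime mode as printed by getenforce, $2 = config file path.
# Prints "consistent" (returns 0) or "drift: runtime=X boot=Y" (returns 1).
selinux_drift() {
    runtime=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    boot=$(configured_mode "$2")
    if [ "$runtime" = "$boot" ]; then
        echo "consistent"
        return 0
    fi
    printf 'drift: runtime=%s boot=%s\n' "$runtime" "$boot"
    return 1
}

# On a host with SELinux tools installed, report the live state.
if command -v getenforce >/dev/null 2>&1; then
    selinux_drift "$(getenforce)" /etc/selinux/config || true
fi
```

A "drift" result means the behaviour seen now will change at the next reboot, which is the situation this thread ran into.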

6Monkey,

Good to hear you got it resolved.

These are third-party installation guides, so unfortunately we can’t make the required amendments. Are you able to submit to the author directly, please?