106

I know this question is asked a lot, but the solutions I saw didn't work for me.

I only have one virtual host enabled, and I'm trying to enable access to a folder that's not under the document root

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

Alias /movies /home/username/Videos/Movies

<Directory /home/username/Videos/Movies/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

I set /etc/apache2/envvars as follows

export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=public

I made sure that /home/username/Videos/ and its sub folders are owned by username:public, set the permissions to 777 (after 775 didn't work) and made sure that user www-data belongs to group public.

Now, when I browse to http://localhost/movies I get

[Mon Apr 21 11:28:14.971844 2014] [core:error] [pid 1385:tid 140067725104896] (13)Permission denied: [client 127.0.0.1:46603] AH00035: access to /movies/ denied (filesystem path '/home/username/Videos') because search permissions are missing on a component of the path

But when I set /etc/apache2/envvars to run Apache under username (my own username) everything works fine. The problem is permission related, but I don't see how in my case; especially when I set the permissions to 777. Any ideas?

P.S. Ubuntu version is 14.04, Apache is 2.4.7 and I didn't edit other configuration files.

5
  • 1
    possible duplicate of How do I give www-data user to a folder in my home folder?
    – NGRhodes
    Apr 21, 2014 at 9:08
  • I did everything they suggested over there, as I wrote, and it does not help
    – Yotam
    Apr 21, 2014 at 9:41
  • Any chance you have mounted your /home with ACL enabled? (there is a "+" sign at the end of the permission bits if it's the case (check with ls -l))
    – Polosson
    Apr 22, 2014 at 8:06
  • No, I didn't do it. Right now I'm running Apache under my user, so it's working, but I'd like to run it under another user for security reasons.
    – Yotam
    Apr 23, 2014 at 13:33
  • I'm using Linux for the first time. I downloaded Ubuntu 14.04 LTE version. I'm facing the same problem. Can anyone help please?
    – Imdad
    Jun 24, 2014 at 13:26

6 Answers

145

Do a chmod +x on your user dir, and restart apache. 755 permissions should work. I've had problems with 644.

* Note that as of Ubuntu 22.04 the user dir has 750 permissions by default rather than 755.

7
  • 9
    Indeed, and to double check file and directory permissions, if available, you can use namei -m /home/youruser/public_html/yourfile.ext or try people.apache.org/~igalic/hacks/parsepath
    Jun 27, 2015 at 19:06
  • 4
    To clarify, any directory you want Apache to read must be readable for the Apache user. Most likely your user home folder is not owned by your user and group, therefore you have to set 755 permissions on /home/username to access it with Apache.
    – ruuter
    Sep 1, 2015 at 10:06
  • 2
    I had this problem on OSX Mac OS High Sierra and this solution worked for me. Didn't even have to restart Apache.
    – gone
    Mar 1, 2018 at 11:36
  • 1
    After hours of searching it turns out that the permissions should be correct for the parent directories of the DocumentRoot too. Thank you very much. BTW this does not need to restart Apache
    Jul 11, 2018 at 5:28
  • This worked for me.
    Dec 9, 2019 at 10:32
42

If SELinux is the issue, rather than just disabling it, this page, this page, and this page give the commands to grant access:

Allows httpd read access

chcon -R -t httpd_sys_content_t ~/public_html/

Allows httpd write access

chcon -R -t httpd_sys_rw_content_t ~/public_html/

Allows httpd remote calls

sudo setsebool -P httpd_can_network_connect 1

The 3rd one allows file_get_contents/curl outbound calls that are disabled by SELinux by default.

6
  • 2
    I was sure it was my issue. Damn CentOS! Thx for the command, works perfectly.
    – Balmipour
    Mar 22, 2017 at 12:28
  • 2
    thanks, just had to replace the ~/public_html/ part with the root directory of the content I was trying to serve.
    – trpt4him
    Oct 17, 2017 at 17:26
  • chcon -R -t httpd_sys_content_t /var/www/html/phpmyadmin/ (in my situation)
    – cssyphus
    Feb 28, 2018 at 19:42
  • Discovered selinux can't handle simple homedirs, and only one of those features was required while the other was optional. Thanks for the reminder as to the fix -- after the mandatory re-test period with each new release, and disappointment, I usually just hack that out in the kickstart. Now for systemd.
    Mar 13, 2019 at 15:00
  • This is not the best long-term way of solving this problem. chcon is only for temporary changes. Better is to set up a security policy using semanage i.e. semanage fcontext -a -t httpd_sys_content_t "/path/to/whatever(/.*)?" which will make the change persist, say in the face of a restorecon command, or anything that resets SELinux file contexts.
    – cazort
    Aug 2, 2021 at 21:02
27

I encountered the same problem. After hours of trying, I found a solution that exactly solves the problem:

https://wiki.apache.org/httpd/13PermissionDenied

Basically, the Apache server does not only require read permissions of all files it serves, but the execution permission of all directories in the path of your virtual host.

The utility namei can be used to help find permissions problems by listing the permissions along each component of the path:

namei --modes /usr/local/apache2/htdocs/foo/bar.html

In my case, a directory in my path had the permission 700, which caused the problem. After changing it to 701, the problem was solved.

3
  • 3
    The link here is helpful because it explains the problem: One of the nodes in the directory path is missing search permissions. Use the "namei" command to find this and then "chmod" to 755.
    Dec 29, 2017 at 1:50
  • 2
    It explains the real reason as well as the solution. Thanks
    Dec 26, 2018 at 6:32
  • I suggest namei --long instead.
    – Lyubomir
    Jul 30, 2021 at 7:00
19

You might have selinux enabled. Try

getenforce

If it shows "Enforcing", try

setenforce 0

and see if this fixes your issue.

3
  • 4
    Don't just disable SELinux as a fix. Fix the SELinux problems by reassigning ports or setting booleans.
    – siride
    Mar 13, 2018 at 15:45
  • 2
    This answer helps to identify that the issue is related to SELinux. But disabling it is not recommended.
    – Rk..
    Apr 23, 2019 at 7:21
  • Just want to point out that setting SELinux to Permissive and setting it to Disabled are not the same thing. In the first case, it will still warn you. It's a good step during development to first set SELinux to Permissive, to isolate the issue first, then make the necessary changes to SELinux settings once everything else works fine.
    Sep 4, 2023 at 3:33
13

Instead of granting access of the home directories ~ and ~/public_html (e.g. by chmod 755 ...) to all users, an alternative is to add the apache2 user (usually www-data for Ubuntu) to the personal group of the current user (the group with the same name as the user name):

sudo adduser www-data $(whoami)
sudo service apache2 reload

(assuming ~/public_html belongs to the default user group.)

This matters when there are multiple users and it's important that the users are not allowed to access each other's home folders.

3
  • Before this I even tried chown -R www-data:www-data on home but that did not work. However, as you suggested, adding the user to the www-data group worked. :|
    – owais
    May 14, 2022 at 17:52
  • This works for me. When I created a virtualhost file for a test domain on Ubuntu 22.04 with DocumentRoot /home/abc/web/test/, then with these two commands, I can access http://test.
    May 31, 2023 at 8:19
  • Instead of whoami, using the name of the owner is a safer way in the first command listed above, because the person might be signed in as a different user instead of the owner of the file.
    Sep 4, 2023 at 3:35
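
The two checks discussed in the answers above (every directory on the path needs the search bit, and group membership can stand in for world access), as an added example that is not part of any original post: a Python script that reports what namei --modes shows, evaluated for one specific user. The function names are hypothetical, and only mode bits are considered, so POSIX ACLs and SELinux labels are ignored.

```python
import os
import stat


def can_search(st, uid, gids):
    """Classic Unix rule: exactly one permission class is consulted."""
    if uid == 0:                      # root bypasses directory search checks
        return True
    if uid == st.st_uid:              # owner: only the user bits count
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:             # group member: only the group bits count
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def blocked_components(path, uid, gids):
    """Return every directory on the way to `path` that `uid` cannot traverse.

    Run it as a user who can stat the whole path (the owner or root).
    """
    path = os.path.realpath(path)     # resolve symlinks before walking
    blocked = []
    current = os.sep
    for part in [""] + [p for p in path.split(os.sep) if p]:
        current = os.path.join(current, part)
        st = os.stat(current)
        if stat.S_ISDIR(st.st_mode) and not can_search(st, uid, set(gids)):
            blocked.append(current)
    return blocked


if __name__ == "__main__":
    import grp
    import pwd
    import sys
    # Usage: python3 check_path.py www-data /home/username/Videos/Movies
    user = pwd.getpwnam(sys.argv[1])
    gids = {user.pw_gid} | {g.gr_gid for g in grp.getgrall()
                            if user.pw_name in g.gr_mem}
    for d in blocked_components(sys.argv[2], user.pw_uid, gids):
        mode = oct(stat.S_IMODE(os.stat(d).st_mode))
        print(f"{mode} {d}: no search (x) permission for {user.pw_name}")
```

A group member is judged by the group bits alone, so a directory at 701 is traversable by strangers but not by members of its own group, while 750 plus group membership keeps other local users out.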
1

I was experiencing this issue when I was trying to run apache in a docker container on an Ubuntu 16.04 host that was using the 4.4 kernel instead of 4.10.

Once I ran this command on the host and re-deployed, I was fine:

sudo apt-get install --install-recommends linux-generic-hwe-16.04 
1
  • I have bumped into this problem, but with the strange effect that I can chmod or chown inside the container, and it suppresses the Apache 403 errors for a while, only to revert some time later. There is no intervening container restart or other substantive change that could be the cause of this, as far as I can tell. Since I am indeed running 16.04, I tried installing this binary, and my 403s are held at bay for now. I will keep a beady eye on it, and thanks!
    – halfer
    Sep 2, 2018 at 10:39
