106

I know this question is asked a lot, but the solutions I saw didn't work for me.

I only have one virtual host enabled, and I'm trying to enable access to a folder that's not under the document root:

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

Alias /movies /home/username/Videos/Movies

<Directory /home/username/Videos/Movies/>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

I set /etc/apache2/envvars as follows

export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=public

I made sure that /home/username/Videos/ and its sub folders are owned by username:public, set the permissions to 777 (after 775 didn't work) and made sure that user www-data belongs to group public.

Now, when I browse to http://localhost/movies I get

[Mon Apr 21 11:28:14.971844 2014] [core:error] [pid 1385:tid 140067725104896] (13)Permission denied: [client 127.0.0.1:46603] AH00035: access to /movies/ denied (filesystem path '/home/username/Videos') because search permissions are missing on a component of the path

But when I set /etc/apache2/envvars to run Apache under username (my own username) everything works fine. The problem is permission related, but I don't see how in my case; especially when I set the permissions to 777. Any ideas?

P.S. Ubuntu version is 14.04, Apache is 2.4.7 and I didn't edit other configuration files.

Yotam
  • 1,339

6 Answers

145

Do a chmod +x on your user dir, and restart apache. 755 permissions should work. I've had problems with 644.

* Note that as of Ubuntu 22.04 the user dir has 750 permissions by default rather than 755.

Cyrille
  • 111
  • 3
Peter
  • 1,638
  • 9
    Indeed, and to double check file and directory permissions, if available, you can use namei -m /home/youruser/public_html/yourfile.ext or try http://people.apache.org/~igalic/hacks/parsepath – Junior Mayhé Jun 27 '15 at 19:06
  • 4
    To clarify, any directory you want Apache to read must be readable for the Apache user. Most likely your user home folder is not owned by your user and group, therefore you have to set 755 permissions on /home/username to access it with Apache. – ruuter Sep 01 '15 at 10:06
  • 2
    I had this problem on OSX Mac OS High Sierra and this solution worked for me. Didn't even have to restart Apache. – gone Mar 01 '18 at 11:36
  • 1
    After hours of searching it turns out that the permissions should be correct for the parent directories of the DocumentRoot too. Thank you very much. BTW this does not need to restart Apache – Accountant م Jul 11 '18 at 05:28
  • This worked for me. – Ahesanali Suthar Dec 09 '19 at 10:32
  • @Accountantم thanks for the tip. I was setting the permission on the nested directories and forgot about the parent. – PowerAktar Aug 01 '21 at 16:27
  • Saved my day :) – profimedica Apr 25 '22 at 12:14
42

In case SELinux is the issue, rather than just disabling it, this page, this page, and this page give the commands to grant access:

Allows httpd read access:

chcon -R -t httpd_sys_content_t ~/public_html/

Allows httpd write access:

chcon -R -t httpd_sys_rw_content_t ~/public_html/

Allows httpd remote calls:

sudo setsebool -P httpd_can_network_connect 1

The 3rd one allows file_get_contents/curl outbound calls that are disabled by SELinux by default.

Abdul Rehman
  • 506
  • 1
  • 6
  • 20
jozxyqk
  • 1,111
  • 2
    I was sure it was my issue. Damn CentOS! Thx for the command, works perfectly. – Balmipour Mar 22 '17 at 12:28
  • 2
    thanks, just had to replace the ~/public_html/ part with the root directory of the content I was trying to serve. – trpt4him Oct 17 '17 at 17:26
  • chcon -R -t httpd_sys_content_t /var/www/html/phpmyadmin/ (in my situation) – cssyphus Feb 28 '18 at 19:42
  • Discovered selinux can't handle simple homedirs, and only one of those features was required while the other was optional. Thanks for the reminder as to the fix -- after the mandatory re-test period with each new release, and disappointment, I usually just hack that out in the kickstart. Now for systemd. – user2066657 Mar 13 '19 at 15:00
  • This is not the best long-term way of solving this problem. chcon is only for temporary changes. Better is to set up a security policy using semanage i.e. semanage fcontext -a -t httpd_sys_content_t "/path/to/whatever(/.*)?" which will make the change persist, say in the face of a restorecon command, or anything that resets SELinux file contexts. – cazort Aug 02 '21 at 21:02
  • Thanks. Helped. It's strange that that step is not described in documentation – Juljan Nov 21 '21 at 00:51
27

I encountered the same problem. After hours of trying, I found a solution that exactly solves the problem:

https://wiki.apache.org/httpd/13PermissionDenied

Basically, the Apache server does not only require read permissions of all files it serves, but the execution permission of all directories in the path of your virtual host.

The utility namei can be used to help find permissions problems by listing the permissions along each component of the path:

namei --modes /usr/local/apache2/htdocs/foo/bar.html

In my case, a directory in my path had the permission 700, which caused the problem. After changing it to 701, the problem was solved.

Elijah Lynn
  • 3,828
Lu Sun
  • 371
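As an added illustration of the answer above (not part of the original post): `namei --modes` lists the modes, while this sketch evaluates each path component for one specific identity, which also shows when the group-membership approach in another answer is sufficient. The function names `can_search` and `first_blocked`, the uid/gid 64000 and the temporary tree are constructed for the example; only classic mode bits are checked, not ACLs or SELinux.

```shell
#!/bin/sh
# Added example: evaluates classic mode bits only (no ACLs, no SELinux).

# can_search DIR UID "GID ..." : succeeds if that identity may traverse DIR.
can_search() {
    dir=$1 uid=$2 gids=$3
    if [ "$uid" -eq 0 ]; then return 0; fi   # root bypasses directory mode bits
    st=$(stat -L -c '%a %u %g' "$dir") || return 2
    set -- $st
    perm=$(( 0$1 & 0777 )) owner=$2 group=$3
    # Exactly one class applies: owner, else a matching group, else other.
    if [ "$uid" -eq "$owner" ]; then
        bit=0100
    else
        bit=0001
        for g in $gids; do
            if [ "$g" -eq "$group" ]; then bit=0010; fi
        done
    fi
    [ $(( perm & $bit )) -ne 0 ]
}

# first_blocked ABS_PATH UID "GID ..." : prints the blocking component
# closest to /, or an empty line when every component is traversable.
first_blocked() {
    p=$1 blocked=
    case $p in /*) ;; *) echo "absolute path required" >&2; return 2 ;; esac
    while :; do
        can_search "$p" "$2" "$3" || blocked=$p
        if [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done
    printf '%s\n' "$blocked"
}

# Constructed demo tree: a 0700 "home" above world-writable content, checked
# for a made-up uid/gid 64000 standing in for www-data.
demo=$(mktemp -d)
mkdir -p "$demo/home/Videos/Movies"
chmod 755 "$demo"; chmod 700 "$demo/home"; chmod -R 777 "$demo/home/Videos"
echo "blocked at: $(first_blocked "$demo/home/Videos/Movies" 64000 "64000")"
chmod 711 "$demo/home"     # search bit for "other" is enough; no read needed
echo "blocked at: $(first_blocked "$demo/home/Videos/Movies" 64000 "64000")"
rm -rf "$demo"
```

For a real check, take the numbers from `id -u www-data` and `id -G www-data` and pass the directory that the Alias or DocumentRoot points to.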
19

You might have SELinux enabled. Try

getenforce

If it shows "Enforcing", try

setenforce 0

and see if this fixes your issue.

Jens Erat
  • 5,051
  • 7
  • 31
  • 37
Soprano
  • 215
  • 4
    Don't just disable SELinux as a fix. Fix the SELinux problems by reassigning ports or setting booleans. – siride Mar 13 '18 at 15:45
  • 2
    This answer helps to identify that the issue is related to SELinux. But disabling it is not recommended. – Rk.. Apr 23 '19 at 07:21
  • Just want to point out that setting SELinux to Permissive and setting it to Disabled are not the same thing. In the case of the first, it will still warn you.

    It's a good step during development to first set SELinux to permissive, to isolate the issue first, then make necessary changes to SELinux settings once everything else works fine.

    – Ahmad Bilal Sep 04 '23 at 03:33
13

Instead of granting access of the home directories ~ and ~/public_html (e.g. by chmod 755 ...) to all users, an alternative is to add the apache2 user (usually www-data for Ubuntu) to the personal group of the current user (the group with the same name as the user name):

sudo adduser www-data $(whoami)
sudo service apache2 reload

(assuming ~/public_html belongs to the default user group.)

This matters when there are multiple users and it's important that the users are not allowed to access each other's home folders.

tinlyx
  • 3,230
  • Before this I even tried chown -R www-data:www-data to home, but that did not work. However, as you suggested, adding user to www-data group worked. :| – owais May 14 '22 at 17:52
  • This works for me, when I created a virtualhost file for a test domain on Ubuntu 22.04 with DocumentRoot /home/abc/web/test/, then with these two commands, I can access http://test. – Bằng Rikimaru May 31 '23 at 08:19
  • Instead of whoami, using the name of the owner is a safer way in the first command listed above, because the person might be signed in as a different user instead of the owner of the file. – Ahmad Bilal Sep 04 '23 at 03:35
1

I was experiencing this issue when I was trying to run apache in a docker container on an Ubuntu 16.04 host that was using the 4.4 kernel instead of 4.10.

Once I ran this command on the host and re-deployed, I was fine:

sudo apt-get install --install-recommends linux-generic-hwe-16.04 
Programster
  • 5,871
  • I have bumped into this problem, but with the strange effect that I can chmod or chown inside the container, and it suppresses the Apache 403 errors for a while, only to revert some time later. There is no intervening container restart or other substantive change that could be the cause of this, as far as I can tell. Since I am indeed running 16.04, I tried installing this binary, and my 403s are held at bay for now. I will keep a beady eye on it, and thanks! – halfer Sep 02 '18 at 10:39