# Apache access permissions again

## Seth

Hi,

I've emerged apache 1.3.27_r1 and want to set it up so it serves me local web pages, especially php pages. Php works fine, but I'm having a lot of difficulty getting apache to serve pages outside DocumentRoot and nothing I do with <directory></directory> permissions seems to change that.

For example, I've experimentally set up what looks to me like completely unrestricted access to the document root directory (home/httpd/htdocs):

```
<Directory />
    Options -Indexes FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>
```

and copied that to a symlink in the /home/httpd/htdocs called Jones.

```
<Directory /Jones>
    Options -Indexes FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>
```

The symlink Jones points to /home/scsi/WWW/Jones and I've set permissions there to world-wide ability read, write, and execute. I know it's not safe, and I won't keep it that way, but I want to figure out what's happening.

At any rate, unrestricted permissions do not matter. When I try to access the files as 

```
http://localhost/Jones/index.html
```

I get a 403. 

The access log records the request and the 403 error message. The error log doesn't contain any record.

What's going on? What am I missing?

Thanks,

Seth

----------

## rac

<Directory> uses absolute paths, not relative to DocumentRoot.

----------

## Seth

*rac wrote:*

> <Directory> uses absolute paths, not relative to DocumentRoot.

That may be, but when I use absolute paths I get the same results:

*Quote:*

> Forbidden
>
> You don't have permission to access /test/index.html on this server
> ...

Thanks,

Seth

----------

## rac

Did you edit the restrictive <Directory /> in commonapache.conf, or try to override it somewhere else?  Might it be a case of dueling directives?

----------

## Seth

*rac wrote:*

> Did you edit the restrictive <Directory /> in commonapache.conf, or try to override it somewhere else?  Might it be a case of dueling directives?

That was a good thought so I double-checked and found a second directory setting for DocumentRoot down at the bottom of commonapache.conf. So I commented out the one I had done earlier and restarted apache.

No luck. I couldn't get apache to serve me a web page out of the tree. What's even more puzzling is that the symlink to the manual, which is also out of the DocumentRoot tree, works perfectly. I can't figure it out.

Thanks again,

Seth

----------

## rac

Does the apache user have read and execute permissions on all directories leading down to the target file?  In cases where Apache is actively denying something, it usually remarks "client denied by server configuration" in the error log.  The fact that this is not happening leads me to believe that maybe apache itself is being forbidden from accessing the file somehow.

----------

## Seth

*rac wrote:*

> Does the apache user have read and execute permissions on all directories leading down to the target file?

Hmm. I could be messing up here. I changed permissions on all directories and files so that they belonged to sethr (me) and are in the apache group. Obviously, that isn't doing the trick. How would I make sure that the apache user has read and execute permissions on all relevant directories and files?

Seth

----------

## rac

*Seth wrote:*

> How would I make sure that the apache user has read and execute permissions on all relevant directories and files?

I guess one way would be to change the apache user's shell to an actual shell, su to root, su from root to apache, and then cd / and cd to each of the directories underneath, and then try to cat the file.

----------

## Seth

*rac wrote:*

> I guess one way would be to change the apache user's shell to an actual shell, su to root, su from root to apache, and then cd / and cd to each of the directories underneath, and then try to cat the file.

Did that and discovered that as user apache I don't have permission to even enter the directory with the files I want served.

O.k. I've had similar setups with apache in the past, but never had these problems. Clearly I'm missing something basic, but what? 

Thanks,

Seth

----------

## Xafloc

I had a similar problem, due to the permissions of a user's home directory.

By default, it seems a user's directory is chmod'd to 700.  I had to change that to 755 to get it to work.  Not very good security, but might fix your problem.

Darren

----------

## Nitro

*Seth wrote:*

> Did that and discovered that as user apache I don't have permission to even enter the directory with the files I want served.
>
> O.k. I've had similar setups with apache in the past, but never had these problems. Clearly I'm missing something basic, but what?

The best solution to this, other than chmoding your homedir to 755 (which allows everyone to ls it): my suggestion is to make your user their own group.  So, user nitro belongs to group nitro (+ others maybe).  Now, add the user apache to the nitro group.  Chmod your homedir to 750, and restart apache so it re-reads /etc/groups.  Example output from `id`:

```
$ id nitro
uid=503(nitro) gid=507(nitro) groups=507(nitro), ...

$ id apache
uid=81(apache) gid=81(apache) groups=81(apache),507(nitro), ...

$ ls -ld /home/nitro
drwxr-x---   32 nitro    nitro        2048 Dec 28 20:24 /home/nitro/
```

In my scenario, apache accesses your home directory through the group privs, not the world privs (which include every other user on your system).  Of course this won't protect you from stuff that runs as user apache (php (only if not in safe_mode) and CGI (only if CGI isn't running in suEXEC)).

Ideally, we would want apache to fork its child and run as the same userid as the files other than the master apache process, but we don't have this luxury.

Let me know what you think.

----------

## Seth

*Nitro wrote:*

> The best solution to this, other than chmoding your homedir to 755 (which allows everyone to ls it): my suggestion is to make your user their own group.  So, user nitro belongs to group nitro (+ others maybe).  Now, add the user apache to the nitro group.  Chmod your homedir to 750, and restart apache so it re-reads /etc/groups.

....

*Nitro wrote:*

> Let me know what you think.

Nitro, that's an elegant solution and way better than the one I was going to try, which was to change the user apache ran as to my regular user. I figured that would be o.k. as I was running apache privately. Nonetheless, I like your plan better. Besides, it works.

Many thanks and a happy new year.

Seth

----------

## btg308

And found this https://forums.gentoo.org/viewtopic.php?t=22603 solution: Set the user's homedir to something like 701 or 751 - apache only needs x access, not r. IMHO even more elegant than Nitro's: If you have lots of users, it's a pain to add apache to all those groups (I thought it was easier to find another solution than to figure out a way to automate the process). :-)

----------

## Nitro

*btg308 wrote:*

> And found this https://forums.gentoo.org/viewtopic.php?t=22603 solution: Set the user's homedir to something like 701 or 751 - apache only needs x access, not r. IMHO even more elegant than Nitro's: If you have lots of users, it's a pain to add apache to all those groups (I thought it was easier to find another solution than to figure out a way to automate the process).

You made a good point, but perms with 701 still allow me (as a "world/other" user) to cd to that user's dir.  And, if the files in it are 644 (based on default umask), I can then read those files.  I would have to know the name of the file though since I can't ls (no read bit).  But, if there is another directory, let's say phpMyAdmin and that dir is default perms of 755, I can now cd to there, and read config.inc.php (is there an "inc" in it? not sure, it isn't significant anyway..) which stores the mysql connection info.  Surprise, I now own that user's db.

So ultimately, the best solution is my method but instead set the user's home dir to mode 710.  This is better yet, because it makes it a little harder for someone to do something harsh with php (not running in safe_mode) and cgi scripts (not running on suEXEC), since those scripts run as apache's uid.

----------

## btg308

*Nitro wrote:*

> perms with 701 still allow me (as a "world/other" user) to cd to that user's dir.

Point. Hm... How about this?

```
cd /home
chown :apache *
chmod 710 *
```

That gives just apache cd access, no one else. The only concern would be if this breaks any other programs, but IIRC giving the user's own group access to $home is optional, even having that group for the users is a Red Hat thing. Anything else that may barf?

----------
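The access checks argued over in this thread (rac's "su to apache and cd down the tree" walk, Nitro's group-based 750/710 plan and btg308's `chown :apache` + `chmod 710`), as an added example that is not code from any poster: it reproduces the Unix owner/group/other check for each path component and runs it over a constructed tree whose uids, gids and paths are assumed (user and group sethr = 1000, apache = 81), so each proposed mode can be compared without touching a real system.

```python
import os
import stat

def perm_bits(st_uid, st_gid, mode, uid, gids):
    # Unix picks exactly one class (owner, else group, else other) and uses only
    # that class's rwx bits; it never falls back to a looser class.
    if uid == st_uid:
        shift = 6
    elif st_gid in gids:
        shift = 3
    else:
        shift = 0
    return (mode >> shift) & 0o7

def first_denied(entries, uid, gids):
    # entries: [(path, st_uid, st_gid, mode), ...] from / down to the target file;
    # gids holds the caller's primary plus supplementary groups.
    # Every directory needs x (search); the final file needs r.
    # Returns None when access is granted, else the first path that blocks it.
    for i, (path, st_uid, st_gid, mode) in enumerate(entries):
        need = 0o4 if i == len(entries) - 1 else 0o1
        if perm_bits(st_uid, st_gid, mode, uid, gids) & need == 0:
            return path
    return None

def entries_from_fs(target):
    # Same check against a live tree: stat every prefix of the resolved path
    # (symlinks followed, as with FollowSymLinks). Run as root to audit any user.
    parts = [p for p in os.path.realpath(target).split(os.sep) if p]
    prefixes = [os.sep] + [os.sep + os.sep.join(parts[:i + 1]) for i in range(len(parts))]
    out = []
    for p in prefixes:
        st = os.stat(p)
        out.append((p, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)))
    return out

def scenario(home_mode, home_gid):
    # Constructed tree mirroring the thread: uid/gid 1000 is user and group sethr,
    # uid/gid 81 is apache; only the home directory's mode and group vary.
    return [("/", 0, 0, 0o755), ("/home", 0, 0, 0o755),
            ("/home/sethr", 1000, home_gid, home_mode),
            ("/home/sethr/WWW", 1000, 1000, 0o755),
            ("/home/sethr/WWW/Jones", 1000, 1000, 0o755),
            ("/home/sethr/WWW/Jones/index.html", 1000, 1000, 0o644)]

APACHE = (81, {81})                 # apache with its default groups
APACHE_IN_SETHR = (81, {81, 1000})  # Nitro's plan: apache added to group sethr
OTHER_USER = (1001, {1001})         # any unrelated local account
```

With a 700 home directory `first_denied` stops at /home/sethr for apache (Seth's 403 with nothing in the error log); 701 lets OTHER_USER through as Nitro objected; 710 owned by group apache admits only apache, which is btg308's final variant.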

