Help needed to set correct permissions

on 04.02.2010 13:38:27 by Perl Whore

I'm running a default httpd install from the yum repository (Fedora
12). The user and group that starts the httpd process is "apache"
(default configuration in httpd.conf).

The default page is located in /var/www/html/

I have a few users on this box for whom I need to set up virtual hosts
and their httpd root directory should be in their home directories,
i.e. /home/somebody/www

This is an example configuration for a virtual host


ServerName mydomain.com
ServerAlias www.mydomain.com
DocumentRoot /home/somebody/www/

Options FollowSymLinks
AllowOverride None
Order deny,allow
allow from all

When I try to access any page on the virtual host, it says I do not
have permission. error_logs show the following

[Wed Feb 03 23:55:51 2010] [error] [client 1.2.3.4] (13)Permission
denied: access to /favicon.ico denied

I changed the group of /home/somebody to "apache" by executing chgrp -R
apache /home/somebody. What am I missing here?

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: Help needed to set correct permissions

on 04.02.2010 14:27:23 by Philip Wigg

> I'm running a default httpd install from the yum repository (Fedora
> 12). The user and group that starts the httpd process is "apache"
> (default configuration in httpd.conf).
>
> The default page is located in /var/www/html/
>
> I have a few users on this box for whom I need to set up virtual hosts
> and their httpd root directory should be in their home directories,
> i.e. /home/somebody/www
>
> This is an example configuration for a virtual host
>
> ServerName mydomain.com
> ServerAlias www.mydomain.com
> DocumentRoot /home/somebody/www/
>
> Options FollowSymLinks
> AllowOverride None
> Order deny,allow
> allow from all
>
> When I try to access any page on the virtual host, it says I do not
> have permission. error_logs show the following
>
> [Wed Feb 03 23:55:51 2010] [error] [client 1.2.3.4] (13)Permission
> denied: access to /favicon.ico denied
>
> I changed the group of /home/somebody to "apache" by executing chgrp -R
> apache /home/somebody. What am I missing here?

What are the permissions on /home/somebody?


Re: Help needed to set correct permissions

on 04.02.2010 14:34:42 by Daniel Reinhardt

--------------------------------------------------
From: "Perl Whore"
Sent: 04 February, 2010 12:38
To:
Subject: [users@httpd] Help needed to set correct permissions

> I'm running a default httpd install from the yum repository (Fedora
> 12). The user and group that starts the httpd process is "apache"
> (default configuration in httpd.conf).
>
> The default page is located in /var/www/html/
>
> I have a few users on this box for whom I need to set up virtual hosts
> and their httpd root directory should be in their home directories,
> i.e. /home/somebody/www
>
> This is an example configuration for a virtual host
>
> ServerName mydomain.com
> ServerAlias www.mydomain.com
> DocumentRoot /home/somebody/www/
>
> Options FollowSymLinks
> AllowOverride None
> Order deny,allow
> allow from all
>
> When I try to access any page on the virtual host, it says I do not
> have permission. error_logs show the following
>
> [Wed Feb 03 23:55:51 2010] [error] [client 1.2.3.4] (13)Permission
> denied: access to /favicon.ico denied
>
> I changed the group of /home/somebody to "apache" by executing chgrp -R
> apache /home/somebody. What am I missing here?

Leave off the trailing / and that should fix your issue. The server is looking
for /home/user/www// and it's not finding it.

Thanks,
Dan



Re: Help needed to set correct permissions

on 04.02.2010 14:56:58 by Perl Whore

drwx------ 4 somebody apache 4096 2010-02-03 12:34 somebody


Re: Help needed to set correct permissions

on 04.02.2010 14:58:26 by Perl Whore

Tried that and it did not work. It's a permission error, not missing
file. It worked fine on my other server when I was running apache as
root.

Now I'm getting the permission error when I run it as a user.




Re: Help needed to set correct permissions

on 04.02.2010 15:09:24 by Philip Wigg

First of all, you're top posting. Google that to see why that's a bad
thing if you don't know what it means.

You need to set your /home/somebody/www directory to readable and
executable by the 'apache' user:-

chmod g+rx /home/somebody/www

and then the files in that directory should be readable:-

find /home/somebody/www -type f | xargs chmod 644

But you should look at mod_userdir:-

http://httpd.apache.org/docs/2.2/mod/mod_userdir.html

which might help with what you're trying to accomplish.

Cheers,
Phil.


Re: Help needed to set correct permissions

on 04.02.2010 15:17:17 by Perl Whore

Thanks, mod_userdir looks interesting. I'll use that.


Re: Help needed to set correct permissions

on 04.02.2010 15:34:43 by Perl Whore

I'm still getting the permission error.

[Thu Feb 04 06:47:11 2010] [error] [client 1.2.3.4] (13)Permission
denied: access to / denied
[Thu Feb 04 07:29:05 2010] [error] [client 1.2.3.4] (13)Permission
denied: access to /test.htm denied
[Thu Feb 04 07:29:08 2010] [error] [client 1.2.3.4] (13)Permission
denied: access to /favicon.ico denied


Also, I took a look at mod_userdir and it says the URLs will be like
http://example.com/~user/ which is not what I'm looking to do. My
users have their own domains.


Re: Help needed to set correct permissions

on 04.02.2010 15:47:50 by Philip Wigg

On 4 February 2010 14:34, Perl Whore wrote:
> I'm still getting the permission error.
>
> [Thu Feb 04 06:47:11 2010] [error] [client 1.2.3.4] (13)Permission
> denied: access to / denied
> [Thu Feb 04 07:29:05 2010] [error] [client 1.2.3.4] (13)Permission
> denied: access to /test.htm denied
> [Thu Feb 04 07:29:08 2010] [error] [client 1.2.3.4] (13)Permission
> denied: access to /favicon.ico denied

The following should work:-

chmod +x /home/somebody
chmod g+rx /home/somebody/www
find /home/somebody/www -type f | xargs chmod 644

I didn't set /home/somebody as executable earlier so maybe that was it.

> Also, I took a look at mod_userdir and it says the URLs will be like
> http://example.com/~user/ which is not what I'm looking to do. My
> users have their own domains.

Fair enough. You could look at mod_vhost_alias if you have a lot of
users to set up.

Cheers,
Phil.


Re: Help needed to set correct permissions

on 04.02.2010 15:51:07 by Frank Gingras

On 02/04/2010 09:34 AM, Perl Whore wrote:
> I'm still getting the permission error.
>
> [Thu Feb 04 06:47:11 2010] [error] [client 1.2.3.4] (13)Permission
> denied: access to / denied
> [Thu Feb 04 07:29:05 2010] [error] [client 1.2.3.4] (13)Permission
> denied: access to /test.htm denied
> [Thu Feb 04 07:29:08 2010] [error] [client 1.2.3.4] (13)Permission
> denied: access to /favicon.ico denied
>
>
> Also, I took a look at mod_userdir and it says the URLs will be like
> http://example.com/~user/ which is not what I'm looking to do. My
> users have their own domains.
>

See the output from namei -m /path/to/your/file/from/the/filesystem/root

The fix will be obvious.

Also check selinux / apparmor.

Frank
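
An added example (not part of any post in this thread) of the check that reading `namei -m` output amounts to: it walks each component of a path and reports the first one that a given uid and group list cannot pass. `perm_digit`, `first_block` and the optional START argument are hypothetical names; it assumes GNU `stat` and ignores ACLs and uid 0.

```shell
#!/bin/sh
# perm_digit MODE OWNER GROUP UID "GIDS"
# Print the rwx digit (0-7) of octal MODE that applies to a process running
# as UID with group IDs GIDS: owner bits if it owns the node, else group
# bits if it is in the node's group, else the "other" bits.
perm_digit() {
    m=$((0$1))                      # leading 0: the shell reads MODE as octal
    if [ "$4" = "$2" ]; then
        echo $(( (m >> 6) & 7 )); return 0
    fi
    for g in $5; do
        if [ "$g" = "$3" ]; then
            echo $(( (m >> 3) & 7 )); return 0
        fi
    done
    echo $(( m & 7 ))
}

# first_block TARGET UID "GIDS" [START]
# Walk from START (default /) down to TARGET and print the first node the
# identity cannot pass: a directory without search (x) or a final file
# without read (r). Prints nothing when the whole chain is open.
first_block() (
    target=$1 uid=$2 gids=$3 start=${4:-/}
    chain=$target
    p=$target
    while [ "$p" != "$start" ] && [ "$p" != "/" ]; do
        p=$(dirname "$p")
        chain="$p
$chain"
    done
    printf '%s\n' "$chain" | while IFS= read -r node; do
        info=$(stat -c '%a %u %g' "$node") || { echo "$node"; break; }
        mode=${info%% *}; rest=${info#* }
        owner=${rest% *}; group=${rest#* }
        if [ -d "$node" ]; then need=1; else need=4; fi
        digit=$(perm_digit "$mode" "$owner" "$group" "$uid" "$gids")
        if [ $(( digit & need )) -eq 0 ]; then
            echo "mode $mode on $node blocks uid $uid" >&2
            echo "$node"
            break
        fi
    done
)

# Usage on the box from this thread (the server runs as "apache"):
#   first_block /home/somebody/www/test.htm "$(id -u apache)" "$(id -G apache)"
# With /home/somebody at drwx------ this prints /home/somebody.
```

On an SELinux system a path can pass this check and still be refused; that denial appears in the audit log, not in the mode bits.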


RE: Help needed to set correct permissions

on 04.02.2010 16:00:22 by pthomas

Just a stylistic note, I'm a great believer in the "find" command, but
in this case I believe it is more readable to do something like this:

# First, make sure the home directory is traversable by all users
chmod a+x /home/somebody

# Then, make sure NO files are executable under /home/somebody/www
# [equivalent to chmod -R 644 /home/somebody/www]
# *** side effect--this temporarily makes all directories
# non-traversable, we'll fix that in a moment
chmod -R u=rw,go=r /home/somebody/www

# finally, re-enable directory traversal in /home/somebody/www and below
chmod -R a+X /home/somebody/www

For those not familiar, the symbolic "X" argument to chmod has the
following semantics: it will always make directories traversable. It
will make files executable if and only if at least one executable bit
was already set in the file's permissions.

--Pete

Re: Help needed to set correct permissions

on 04.02.2010 19:57:23 by Perl Whore

On 02/04/2010 08:30 PM, Thomas, Peter wrote:
> Just a stylistic note, I'm a great believer in the "find" command, but
> in this case I believe it is more readable to do something like this:
>
> # First, make sure the home directory is traversable by all users
> chmod a+x /home/somebody
>
> # Then, make sure NO files are executable under /home/somebody/www
> [equivalent to chmod -R 644 /home/somebody/www]
> # *** side effect--this temporarily makes all directories
> non-traversable, we'll fix that in a moment
> chmod -R u=rw,go=r /home/somebody/www
>
> # finally, re-enable directory traversal in /home/somebody/www and below
> chmod -R a+X /home/somebody/www
>
> For those not familiar, the symbolic "X" argument to chmod has the
> following semantics: it will always make directories traversable. It
> will make files executable if and only if at least one executable bit
> was already set in the file's permissions.
>
> --Pete


Thanks, this worked. But is this the best way to do it, though? Is it
possible to make the www folder traversable only by the apache
user/group and not *all* users? The users on my box are trusted so
it's not a big deal but I'm just trying to understand best practices
used for security.


RE: Help needed to set correct permissions

on 04.02.2010 23:37:13 by pthomas

> Thanks, this worked. But is this the best way to do it, though? Is it
> possible to make the www folder traversable only by the apache
> user/group and not *all* users? The users on my box are trusted so it's
> not a big deal but I'm just trying to understand best practices used for
> security.

Run:

ps -ef | grep httpd

to find the user and group that your server runs as.

What's mandatory is that the files under www be readable by the group
that the web server is running as and the directory be both readable and
executable (traversable).
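
One way to get the group-only layout asked about above, as an added example rather than anything posted in the thread: the home directory is searchable by the server's group only, and the document root is readable by owner and group with nothing granted to other. `restrict_docroot` and `world_reachable` are hypothetical names; it assumes GNU `find` and `chmod` and a caller allowed to `chgrp` to the server's group (typically root).

```shell
#!/bin/sh
# restrict_docroot HOME DOCROOT GROUP
# Replace the "a+x on the home directory, 644 on the files" layout with one
# where only the owner and GROUP (the group httpd runs as) can reach content.
restrict_docroot() (
    home=$1 docroot=$2 group=$3
    set -e
    # Home directory: owner full access, group may pass through (x) but not
    # list it, other gets nothing.
    chgrp "$group" "$home"
    chmod u=rwx,g=x,o= "$home"
    # Hand the whole document root to the server's group.
    chgrp -R "$group" "$docroot"
    # Directories: rwx for owner, r-x for group, setgid so that files created
    # later inherit the group. Files: rw- for owner, r-- for group, never
    # executable. find sets each kind in one pass, so no directory loses its
    # search bit part-way through the walk.
    find "$docroot" -type d -exec chmod 2750 {} +
    find "$docroot" -type f -exec chmod 0640 {} +
)

# world_reachable DOCROOT
# Audit check: list every node under DOCROOT that still grants any
# permission bit to "other". Empty output means the tree is group-only.
world_reachable() {
    find "$1" -perm /007
}

# Usage on the box from this thread, run as root:
#   restrict_docroot /home/somebody /home/somebody/www apache
#   world_reachable /home/somebody/www
```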
