-1

I have installed Apache 2.4.6 on my server and have the following virtual host config:

```
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName foobar1.com
    DocumentRoot /home/john/foobar1/foobar1.com
    <Directory /home/john/foobar1/foobar1.com>
        Options -Indexes +FollowSymLinks +MultiViews
        Require local
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog /home/john/foobar1/logfiles/error.log
    LogLevel warn
    CustomLog /home/john/foobar1/logfiles/access.log combined
</VirtualHost>
```

Whenever I try and view http://foobar1.com (I have added `127.0.0.1 foobar1.com` to my hosts file) I get the following error:

```
[core:error] [pid 23238] (13)Permission denied: [client 127.0.0.1:49853] AH00035: access to / denied (filesystem path '/home/john/foobar1/foobar1.com') because search permissions are missing on a component of the path
```

The files belong to user "john" and are in the group "john" too. The permissions I used are:

  • `chmod -R go-rwx` (for the document root)
  • `chmod -R g+rw` (for the document root)
  • `chmod -R o+r` (for the document root)

I can only view my site when I set the file permissions to 777... something I know is a major security weakness. Why can I only view my site with the 777 setting?

John Crawford
  • 5
    This question appears to be off-topic because it is about server configurations. – Adi Sep 01 '13 at 10:41
  • Actually it has got nothing to do with server configurations. It however has everything to do with file permissions... something I believe is directly linked to security – John Crawford Sep 01 '13 at 10:43
  • While file permissions are linked to security, questions about helping you set up certain permissions on your server are outside the scope of this site. I apologize for my friend down there who posted the answer, therefore confusing you into thinking that your question is on-topic. – Adi Sep 01 '13 at 10:52

1 Answer

1

This is because the Apache daemon is not running as user john. The Apache daemon, at least on RHEL/Fedora systems, runs as the user apache.

To actually read files in your DocumentRoot directory, the directory permissions of DocumentRoot need to be `drwxr-xr-x`.

Also, be warned that if your server has SELinux enabled, your DocumentRoot directory most likely has the wrong SELinux context, which will block Apache's access to the directory. It is good practice to keep all your DocumentRoot directories under /var/www (for RHEL based distros, other distros might have different web roots). An alternative will be to change the SELinux context of the DocumentRoot directory with `chcon -R -t httpd_sys_content_t /home/john/foobar1/foobar1.com`.

  • Sorry I should have included this too. I added the user `john` to the apache group (www-root on my Ubuntu set-up). So if I run the command "groups www-data" I get the output: "www-data : www-data john". I also added this the other way around so if I run the command "groups john" I get "john : john sudo www-data plugdev lpadmin sambashare" I thought that with Apache being part of John's group it could do all the things "john" could do. – John Crawford Sep 01 '13 at 10:19
  • 1
    @JohnCrawford Firstly, that's a horrible idea. You should never add any old user accounts to the apache group. Secondly, you have a completely wrong idea about how permissions and groups work. `john` will have all permissions `www-data` has, not the other way around.... –  Sep 01 '13 at 10:27
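
The AH00035 message in the question points at a missing search (x) bit on some directory along the path. As an added example (not part of the original question, answer or comments), this Python sketch evaluates the owner/group/other bits along a path for a hypothetical daemon identity; the sandbox tree, `web_uid`, the group sets and the function names are constructed for illustration, and ACLs, SELinux and root's override are ignored.

```python
import os
import tempfile

def applicable_bits(st, uid, gids):
    """rwx triplet the kernel consults: owner, else group, else other (never a union)."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def missing_search(root, rel_path, uid, gids):
    """Directories below root along rel_path that lack x (search) for uid/gids."""
    blocked, current = [], root
    for part in rel_path.split("/"):
        current = os.path.join(current, part)
        if not applicable_bits(os.stat(current), uid, gids) & 1:
            blocked.append(os.path.relpath(current, root))
    return blocked

def demo():
    """Constructed sandbox mirroring the question's layout; no real accounts involved."""
    rel = "home/john/foobar1/foobar1.com"
    with tempfile.TemporaryDirectory() as root:
        docroot = os.path.join(root, rel)
        os.makedirs(docroot)
        for sub in ("home", "home/john", "home/john/foobar1"):
            os.chmod(os.path.join(root, sub), 0o755)
        st = os.stat(docroot)
        web_uid = st.st_uid + 1          # hypothetical daemon uid, not the owner
        in_group, outsider = {st.st_gid}, {st.st_gid + 1}
        out = {}
        # go-rwx, g+rw, o+r in sequence leave an owner-rwx directory at rwxrw-r-- (0764)
        os.chmod(docroot, 0o764)
        out["0764_group"] = missing_search(root, rel, web_uid, in_group)
        out["0764_other"] = missing_search(root, rel, web_uid, outsider)
        os.chmod(docroot, 0o755)         # drwxr-xr-x, as in the answer
        out["0755_other"] = missing_search(root, rel, web_uid, outsider)
        os.chmod(os.path.join(root, "home/john"), 0o700)   # private home directory
        out["parent_0700"] = missing_search(root, rel, web_uid, outsider)
        return out

if __name__ == "__main__":
    for case, blocked in demo().items():
        print(case, "->", blocked or "path is searchable")
```

On a real host, `namei -l /home/john/foobar1/foobar1.com` lists the same per-component modes and owners for manual inspection.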