3
  • Apache HTTP Server 2.2.21 with VirtualHosts under SuExec
  • PHP 5.3.8 via fcgid
  • Arch Linux 2011.08.19

I am getting 403 Access Denied errors from Apache any time I try to access a PHP file. HTML files and text files work fine. I've played with every conceivable permissions combination on the PHP files I can think of, from 644 to 777. Doesn't change anything.

I also played with the permissions on the FCGI wrapper and parent folder. With o+x (777, 775, 773, 771), I get this in the browser:

Access forbidden!

You don't have permission to access the requested object. It is either read-protected or not readable by the server.

…and this in the vhost error log:

client denied by server configuration: /srv/www/hostname/fcgid-bin/php-fcgid-wrapper

With o-x (776, 774, 772, 770, or below), I get this in the browser:

Forbidden

You don't have permission to access /fcgid-bin/php-fcgid-wrapper/index.php on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

…and this in the log:

(13)Permission denied: access to /fcgid-bin/php-fcgid-wrapper/index.php denied

This is really boggling my mind seeing as my setup was working fine until I started getting this and I don't know what I possibly could have done to change that. /usr/bin/php-cgi and the wrapper both work fine with the exact same input files when called directly.

Here's my vhost config:

<VirtualHost *:80>
    ServerAdmin admin@hostname.com
    DocumentRoot "/srv/www/hostname/public/"
    ServerName hostname.com
    ServerAlias www.hostname.com
    SuexecUserGroup hostname hostname
    ErrorLog "/srv/www/hostname/logs/error.log"
    LogLevel debug
    CustomLog "/srv/www/hostname/logs/access.log" combined

    <Directory /srv/www/hostname/public>
        Order allow,deny
        Allow from all
    </Directory>

    # http://www.linode.com/forums/viewtopic.php?t=2982
    <IfModule !mod_php5.c>
    <IfModule !mod_php5_filter.c>
    <IfModule !mod_php5_hooks.c>
    <IfModule mod_actions.c>
    <IfModule mod_alias.c>
    <IfModule mod_mime.c>
    <IfModule mod_fcgid.c>
        AddHandler php-fcgi .php
        Action php-fcgi /fcgid-bin/php-fcgid-wrapper
        Alias /fcgid-bin/ /srv/www/hostname/fcgid-bin/

        <Location /fcgid-bin/>
            SetHandler fcgid-script
            Options +ExecCGI
        </Location>

        ReWriteEngine On
        ReWriteRule ^/fcgid-bin/[^/]*$ / [PT]
    </IfModule>
    </IfModule>
    </IfModule>
    </IfModule>
    </IfModule>
    </IfModule>
    </IfModule>
</VirtualHost>
Hugh Guiney
  • Check the ownership of the files you are trying to access (i.e. index.php) - suexec verifies that the files have the correct ownership (i.e. are owned by 'hostname') before executing them - running php directly would still execute the files (as long as they are readable, regardless of ownership), and offhand, I don't think text/html files are run through suexec. Unlikely, perhaps, but it seems to fit the symptoms. – cyberx86 Oct 29 '11 at 03:21
  • Did you take a look at the error log? – quanta Oct 29 '11 at 03:41

2 Answers

4
<Directory /srv/www/hostname/public>
    Order allow,deny
    Allow from all
</Directory>

That doesn't include /srv/www/hostname/fcgid-bin/; assuming there's no Allow applying to it elsewhere in your config, this is the problem. You'll need to Allow access to this location.

Shane Madden
0

I had a similar error, except mine was due to missing the

Options ExecCGI

line from the directory where my scripts were (in a virtual server subfolder). That's why HTML files loaded fine, but PHP files gave 403s.

Rick
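An added example (not part of the original posts) that checks a vhost for the two conditions the answers above describe: each Alias target needs a covering `<Directory>` with `Allow from all`, and ExecCGI must be enabled for it. The function names, the regex-based parsing and the trimmed `VHOST` sample are assumptions for illustration; it reads Apache 2.2 Order/Allow syntax from a single string and ignores includes, Deny rules and .htaccess files.

```python
import re

# Constructed sample: the access-related directives from the question's vhost.
VHOST = """
<Directory /srv/www/hostname/public>
    Order allow,deny
    Allow from all
</Directory>
Alias /fcgid-bin/ /srv/www/hostname/fcgid-bin/
<Location /fcgid-bin/>
    SetHandler fcgid-script
    Options +ExecCGI
</Location>
"""
# The <Directory> block the first answer says is missing.
FIX = """
<Directory /srv/www/hostname/fcgid-bin>
    Order allow,deny
    Allow from all
</Directory>
"""

def covers(parent, child):
    """True if child equals parent or lies beneath it, by whole path segments."""
    parent, child = parent.strip('"').rstrip("/"), child.strip('"').rstrip("/")
    return child == parent or child.startswith(parent + "/")

def sections(conf, kind):
    """Return (path, body) for every <kind path> ... </kind> container."""
    pattern = rf"<{kind}\s+([^>]+)>(.*?)</{kind}>"
    return [(m.group(1).strip(), m.group(2))
            for m in re.finditer(pattern, conf, re.S | re.I)]

def audit(conf):
    """For each Alias, report whether its target has Allow and ExecCGI coverage."""
    report = {}
    for url, target in re.findall(r"^\s*Alias\s+(\S+)\s+(\S+)", conf, re.M | re.I):
        dirs = [b for p, b in sections(conf, "Directory") if covers(p, target)]
        locs = [b for p, b in sections(conf, "Location") if covers(p, url)]
        report[target] = {
            "allowed": any(re.search(r"^\s*Allow\s+from\s+all", b, re.M | re.I) for b in dirs),
            "execcgi": any(re.search(r"^\s*Options\b.*(?<!-)ExecCGI", b, re.M | re.I)
                           for b in dirs + locs),
        }
    return report

if __name__ == "__main__":
    for label, conf in (("before", VHOST), ("after", VHOST + FIX)):
        print(label, audit(conf))
```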