8

I have created a directory

/xyz/www

With the following permissions:

-rw-r--r--. 1 myuser developers

I edited my http.conf:

DocumentRoot "/xyz/www/"
<Directory "/xyz/www/">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

I get 403 error: You don't have permission to access / on this server.

Looking in the logs:

(13)Permission denied: Can't open directory for index: /xyz/www/

I've tried recursively adding 777 permissions but still have the same issue.

DD.

6 Answers

17

What you have to do is copy the same security context /var/www/html has. To do this:

# ls -la --context /var/www/html
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t .
drwxr-xr-x root root system_u:object_r:httpd_sys_content_t ..
-rw-r--r-- root root user_u:object_r:httpd_sys_content_t index.html

Then you have to set it on your desired DocumentRoot as follows:

# chcon -R system_u:object_r:httpd_sys_content_t /xyz/www
boris quiroz
3

Is your target directory NTFS or ext3? Please check the SELinux context of the target directory using

ls -a --context /target/directory

If the context of the target directory looks like

system_u:object_r:fusefs_t:s0

using

setsebool -P httpd_use_fusefs on

might work for you as it could be just a boolean issue for the filesystem. Please do confirm the security aspects of Booleans as I'm unaware of them.

SELinux Booleans

2

Directories normally require the x permission for processes to access files within them. With the permissions you currently have, you would be able to ls the directory but not cd into it. Since the directory is owned by you, Apache will be running with the permissions of the third column.

Try chmod +x /xyz/www.

If you still have problems, check the permissions on /xyz/ as well.

Ladadadada
  • even with 777 permissions on all files/directories I still get the same error. – DD. Jun 06 '12 at 12:22
  • The next place I generally look after that is SELinux or Apparmor but it looks like someone already suggested that. – Ladadadada Jun 06 '12 at 13:19
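
The checks from this thread combined into one script, as an added example that is not part of the original answers: it lists path components missing the traverse bit for "other" and maps an SELinux context to the remedy suggested above. The function names are hypothetical; it assumes GNU coreutils and that httpd runs as a user who is neither owner nor group member of the tree.

```sh
#!/bin/sh
# Added example (not from the original thread). Assumes GNU coreutils and that
# httpd runs as a user that is neither owner nor group member of the tree.

# Print every directory on the resolved path to $1 that lacks the "other"
# execute (traverse) bit, root-most first. Returns 1 if any was found.
untraversable_dirs() {
    cur=$(readlink -f -- "$1") || return 2
    found=""
    while :; do
        if [ -d "$cur" ]; then
            mode=$(stat -c '%a' -- "$cur") || return 2
            case "${mode#"${mode%?}"}" in        # last octal digit = "other"
                1|3|5|7) ;;                      # traverse bit present
                *) found="$cur
$found" ;;
            esac
        fi
        [ "$cur" = / ] && break
        cur=$(dirname -- "$cur")
    done
    [ -z "$found" ] && return 0
    printf '%s' "$found"
    return 1
}

# Type is the third field of user:role:type[:level].
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Map a context string to the remedy suggested in the answers; $2 is the docroot.
context_remedy() {
    case "$(context_type "$1")" in
        httpd_sys_content_t) echo "ok" ;;
        fusefs_t) echo "setsebool -P httpd_use_fusefs on" ;;
        *) echo "chcon -R --reference=/var/www/html $2" ;;
    esac
}

# Run both checks against a live DocumentRoot, e.g. ./check.sh /xyz/www
diagnose() {
    untraversable_dirs "$1" | sed 's/^/missing o+x: /'
    ctx=$(stat -c '%C' -- "$1" 2>/dev/null) || { echo "no SELinux label"; return 0; }
    echo "context: $ctx -> $(context_remedy "$ctx" "$1")"
}

if [ $# -gt 0 ]; then diagnose "$1"; fi
```

Labels set with chcon do not survive a filesystem relabel or restorecon. Recording the rule with `semanage fcontext -a -t httpd_sys_content_t "/xyz/www(/.*)?"` and then running `restorecon -Rv /xyz/www` makes it persistent.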
2

I had the same problem - the chcon command fixed it.

I was creating an install server and wanted my images under /export/install/<image> with a symlink in the doc root. I was certain my httpd.conf settings were correct.

The directories & files were 755 & 644 respectively, and the apache user could traverse the tree so what was it?

I used a similar command to the one above but used the reference option:

% chcon -R --reference=/var/www/html /export

Could have just shut off selinux but I want to learn how to live with it.

slm
KarlV
1

You should also add a <Directory /xyz/www> section to the Apache config with something like

Order allow,deny
Allow from all
gelraen
  • Did that already...amended post to add more clarity – DD. Jun 06 '12 at 11:41
  • And reloaded httpd ? – gelraen Jun 06 '12 at 11:42
  • This is a good point. The default security model of the Apache2 HTTPD server does not allow access to the root filesystem outside of /usr/share and /var/www. Check `apache2.conf` for this statement: ` Options FollowSymLinks AllowOverride None Require all denied ` – Davor Josipovic Jan 05 '18 at 19:12
1

http://wiki.centos.org/HowTos/SELinux

The 'chcon' command may be used to change SELinux security context of a file or files/directories in a similar way to how 'chown' or 'chmod' may be used to change the ownership or standard file permissions of a file.

chcon -Rv --type=httpd_sys_content_t /xyz/www

DD.