403 Forbidden Error on Mac OS X Localhost

22

11

I set up Web Sharing in System Preferences on Mac OS X 10.6 and clicked the link it gave me there. Unfortuantely, Apache gave me this 403 error:

Forbidden

You don't have permission to access /~myusername/index.html on this server.

Access log displays: 10.0.1.2 - - [30/Jun/2010:16:25:15 -0700] "GET /~myusername/ HTTP/1.1" 403 210

Error log displays: [Wed Jun 30 16:26:09 2010] [error] [client 10.0.1.2] client denied by server configuration: /Users/myusername/Sites/

Curiously enough, accessing http://localhost works fine. It's just with two of the user folders that I've having trouble with, the other user folder, which is newer than my system upgrade, is working fine.

I've had this working on my machine in Leopard before, so I chmodded everything in ~/Sites to 755, which didn't do any good. Any suggestions? I presume I've done something to my machine that's caused this, since I can't imagine Apple messing up on something like this.

I did set up PEAR with these instructions, but I have no idea if that could be the cause of it.

waiwai933

Posted 2010-06-30T23:05:15.227

Reputation: 2 293

Sorry if this is a dumb question, but exactly what URL are you going to? I ask because the URL "/~myusername/index.html" is an odd one -- it should either be "~myusername/index.html", or it should be "http://localhost/~myusername/index.html", or something similar. Simply starting from / and then adding ~myusername smells funny.

In addition to (or instead of) answering that, you can go into Console.app (/Applications/Utilities/Console.app) and find the apache2 access_log and error_log. Pull that up, perhaps clear the display, and then re-try your URL to see what the error log tells you.

– Michael H. – 2010-06-30T23:19:42.743

@khedron: The URL is http://localhost/~myusername/index.html, but the error displays the /~myusername/index.html part

– waiwai933 – 2010-06-30T23:26:26.673

OK, just checking. What does the apache log say in the console (console.app)? – Michael H. – 2010-07-01T01:04:26.993

@khedron: I posted the access and error log up in the question. Is there another one? – waiwai933 – 2010-07-01T01:09:52.550

Sorry, I didn't see that. OK -- that clearly shows the URL is understood correctly, but is denied. In that case.. hmm, can't format this properly in a comment, see answer down below. – Michael H. – 2010-07-01T02:36:32.870

1I have the same problem as you, and I just do : chmod 777 /Applications/XAMPP/htdocs/myusername , it work's for me – Wassim Sboui – 2012-10-19T20:28:22.147

Answers

22

Apple has a support document for this problem. Fixing the issue involves creating a file /etc/apache2/users/yourusername.conf (yourusername being the account short name, e.g. danielbeck – it's usually the name of your home folder in /Users) with the following contents:

<Directory "/Users/yourusername/Sites/">
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>

Afterwards, run sudo chown root:wheel /etc/apache2/users/yourusername.conf and restart Apache.

Daniel Beck

Posted 2010-06-30T23:05:15.227

Reputation: 98 421

and too restart your apache, just execute sudo apachectl restart in your terminal. – nil – 2013-08-09T03:48:28.887

15

For Apache to see the file, the user that Apache runs as (probably www or _www) must have access to these users' Sites directories. Having read/execute access to the contents of ~/Sites is not enough, because it has to be allowed to traverse from / down the path to ~/Sites. So make sure /, /Users, /Users/myusername, and /Users/myusername/Sites all have at least a+x permission (the eXecute bit on directories allows that user class to traverse the directory, even if Read access is not allowed).

ls -lde / /Users/ /Users/myusername/ /Users/myusername/Sites

If any of those directories doesn't show the last x set (the one for "others"), then use something like chmod a+x ... to set it for that directory.

If the ACL for any of those directories shows that user www has been specifically denied access, then use the appropriate arguments to chmod to fix the ACLs.

Spiff

Posted 2010-06-30T23:05:15.227

Reputation: 84 656

The execute bit is set for all of those directories, but I don't know how to check if a specific user has been denied access. – waiwai933 – 2010-07-01T23:00:28.657

That's what the "e" in "ls -lde" is for. It lists the ACLs (if any) for each of the files. – Spiff – 2010-07-01T23:49:47.510

2Changing permissions on /Users/myusername to chmod 755 fixed the issue for me. – Mark – 2011-05-12T14:24:12.283

Doesn't this command give the _www user permission to access your root directory, as well as the /Users directory, etc? That can't possibly be right, is it? All of those security holes to share a page in one folder? Is this behavior documented somewhere? – Tom Lianza – 2012-07-09T03:21:43.030

Replying to my own comment, I found this answer ( http://serverfault.com/a/293063/14970 ) which does provide a link to reliable documentation on this behavior: http://wiki.apache.org/httpd/13PermissionDenied

– Tom Lianza – 2012-07-09T04:03:23.057

For the record: Adding +x doesn't give read or write permission to anything, it just allows the user to navigate down to a directory where they do have read access (in this case, the Sites directory). – octern – 2012-11-07T00:37:19.497

I had this issue and found a simple single file symlink worked but sym linking to a directory did not. Turned out the directories I was linking to had a sticky bit set like this drwxr-xr-x@. Doing a chmod 755 dirName to remove the sticky bit fixed the issue, as Mark R pointed out above. – nickdos – 2013-01-24T22:43:34.160

5

For reference, I just dealt with this, and none of the answers here worked in my specific case. I was configuring virtual hosts, but more importantly, I needed my htaccess files to actually work.

I changed on "AllowOverride None" to "AllowOverride All" in my /etc/apache2/users/USERNAME.conf file, and all of my sites started to be forbidden.

I changed it back and and then changed it only for one site in my httpd-vhosts.conf file, and only that site was forbidden.

After looking at the logs and seeing the problem was with url rewriting and the lack of FollowSymLinks, I went back to the USERNAME.conf file. I switch "AllowOverride None" to "AllowOverride All" and added "Options +FollowSymLinks" on the next line.

Things started working. I came from using xampp on windows and it had a lot of these settings already set server-wide for dummies like me.

Jake

Posted 2010-06-30T23:05:15.227

Reputation: 151

1thanks so much, spent quite some time figuring out what's going on, didn't have to tinkle with Apache / PHP for some time now – Misha Reyzlin – 2012-03-06T23:59:10.757

1Yep, Options +FollowSymLinks worked like a charm. – agarie – 2013-07-06T03:44:24.430

2

I had the same problem: My (old) account wasn't accessible, but another user's account which were created after upgrading to Lion worked just fine.

After making sure your /etc/apache2/users/USERNAME.conf looks like this:

<Directory "/Users/USERNAME/Sites/">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

do a sudo chown root:wheel /etc/apache2/users/USERNAME.conf

it appears that this permission setting isn't set during the OS upgrade, and the Apache user can't read the config file, and throws an error.

At least this solved it for me.

Arve Nygård

Posted 2010-06-30T23:05:15.227

Reputation: 21

1And maybe run sudo apachectl restart after that. – Arjan – 2013-08-08T22:40:42.497

This working for me running 10.7.5. The Directory path wasn't pointing to my local web root, once I updated and restarted apache everything worked. What is strange is that the path has been incorrect for over a year and was working the whole time. I just got the error today out of the blue. – supajb – 2013-11-03T23:22:21.817

2

update for Lion in 10/2011 I had to also add

UserDir enabled so my /etc/apache2/extra/httpd-userdir.conf is like this :

UserDir enabled 
UserDir Sites

#
# Users might not be in /Users/*/Sites, so use user-specific config files.
#
Include /private/etc/apache2/users/*.conf

<IfModule bonjour_module>
   RegisterUserSite customized-users
</IfModule>

nunya

Posted 2010-06-30T23:05:15.227

Reputation: 21

1

Continuing conversation from initial question comments -- Check out your /etc/apache2/httpd.conf file. On my machine, I have this:

# User home directories
Include /private/etc/apache2/extra/httpd-userdir.conf

I suspect yours is commented out. I vaguely recall changing this by hand when moving from 10.5 to 10.6 and the default changed.

This is probably obvious, but you'll have to use sudo to edit the file because it will be owned by root.

Michael H.

Posted 2010-06-30T23:05:15.227

Reputation: 341

1Nope, mine looks exactly like yours. – waiwai933 – 2010-07-01T22:59:35.803

1

My case is XAMPP + Mac OS X 10.7 + Directory in Dropbox Folder ( cross-referencing my another question in Stack Overflow )

403 Access Forbidden is reported by Apache, therefore, I followed the above comment to change User in the /XAMPP/xamppfiles/etc/httpd.conf , from User nobody to User my_user_name. Restart Apache & it works fine.

Raptor

Posted 2010-06-30T23:05:15.227

Reputation: 956

0

You probably don't have Indexes turned on. If you don't you will need to either create an index file (index.html or index.php) or specify the file explicitly, i.e. http://localhost/~me/mypage.html.

Josh K

Posted 2010-06-30T23:05:15.227

Reputation: 11 754

Sorry, just to double check, I should be visiting http://localhost/~myusername/index.html and have a file called index.html in my Sites folder, right? If so, then the 403 is still happening.

– waiwai933 – 2010-07-01T00:47:06.333

You shouldn't be visiting ~myusername at all I believe. http://localhost/ should point to /Users/youruser/Sites/. – Josh K – 2010-07-01T02:23:21.333

Asked: 2010-06-30T23:05:15.227

Viewed: 86 032 times

Active: 2014-07-09T00:32:41.893