[SOLVED] Apache returns 403 Forbidden error message (Debian Squeeze)

gacanepa · 02-01-2013, 10:37 AM

Hi everyone,
I just added a symlink inside /var/www that points to a folder inside my home.

Code:

 php -> /home/gacanepa/Proyectos/PHP/

Then I set recursive 750 permissions to /home/gacanepa/Proyectos/PHP/ so that myself and everyone in my group would be able to read its contents.
Next step, I added user www-data (which supposedly is the user that runs apache2) to my group, and made sure it was added correctly.
That being said, I cannot open any file inside /home/gacanepa/Proyectos/PHP/ using a web browser because it returns a 403 Forbidden message.
Then I changed the permissions to 755 and it worked like a charm.
What I do not understand is why the 750 permissions would not work if www-data was added to my group, and why I had to give r+x permissions to others in order for it to work.
Any ideas will be more than welcome. Thanks in advance.

jpollard · 02-01-2013, 10:58 AM

So what group is Apache in?

If it is not the same group, then Apache cannot read it, and must use "other" which you have blocked.

gacanepa · 02-01-2013, 11:29 AM

Quote:

Originally Posted by jpollard

So what group is Apache in?

If it is not the same group, then Apache cannot read it, and must use "other" which you have blocked.

Here's the output of id -nG where it shows that user www-data has been added to the suplementary group gacanepa:

Code:

root@debian:/var/www# id -nG www-data
www-data gacanepa ossec

And here's the result of ls -l that shows the folder's permissions (I chmoded recursively from /home):

Code:

root@debian:/home/gacanepa# cd Proyectos
root@debian:/home/gacanepa/Proyectos# ls -l
total 4
drwxr-x--- 2 gacanepa gacanepa 4096 Feb  1 13:04 PHP

jpollard · 02-01-2013, 12:44 PM

So what group is the apache web server running under?

The server itself does not handle multi-groups - it only has one entry.

gacanepa · 02-01-2013, 12:50 PM

Quote:

Originally Posted by jpollard

So what group is the apache web server running under?

The server itself does not handle multi-groups - it only has one entry.

I assume, since this is Debian, that apache is running under the www-data group, with user www-data, but I may be wrong though - or probably I have a misunderstanding of how apache actually serves web pages.

Code:

gacanepa@debian:~$ ps aux | grep apache
root       523  0.0  4.0  39852 10212 ?        Ss   13:07   0:01 /usr/sbin/apache2 -k start
www-data   531  0.0  2.7  40332  7064 ?        S    13:07   0:00 /usr/sbin/apache2 -k start
www-data   532  0.0  2.7  40340  7068 ?        S    13:07   0:00 /usr/sbin/apache2 -k start
www-data   533  0.0  2.7  40332  7056 ?        S    13:07   0:00 /usr/sbin/apache2 -k start
www-data   534  0.0  2.7  40332  7096 ?        S    13:07   0:00 /usr/sbin/apache2 -k start
www-data   536  0.0  2.5  39852  6392 ?        S    13:07   0:00 /usr/sbin/apache2 -k start
www-data   561  0.0  2.5  39852  6396 ?        S    13:08   0:00 /usr/sbin/apache2 -k start
gacanepa  6052  0.0  0.2   3300   752 pts/0    S+   15:49   0:00 grep apache

jpollard · 02-01-2013, 02:01 PM

No. It is fine if apache is running with group www-data...

Now every file you want apache to access must also be group www-data. And any intervening directory (such as /home/gacanepa/Proyecto), must also allow access - either through group, or other. That would mean that /home (usually is rx-rx-rx, which allows other, but it might not be) /home /gacanepa and /home/gacanepa/Proyecto must also be group www-data, or allow other rx,

gacanepa · 02-01-2013, 03:50 PM

Quote:

Originally Posted by jpollard

No. It is fine if apache is running with group www-data...

Now every file you want apache to access must also be group www-data. And any intervening directory (such as /home/gacanepa/Proyecto), must also allow access - either through group, or other. That would mean that /home (usually is rx-rx-rx, which allows other, but it might not be) /home /gacanepa and /home/gacanepa/Proyecto must also be group www-data, or allow other rx,

That is why I was so confused in the first place. The following directories have permissions set to 750 (rwx for me, rx for my group, nothing for others):

Code:

/home/gacanepa
/home/gacanepa/Proyectos
/home/gacanepa/Proyectos/PHP

And finally,

Code:

/home/gacanepa/Proyectos/PHP/file.html

As I mentioned, under these circumstances, user www-data (whose primary group is www-data) was added to my group, and still I couldn't access file.html due to Error 403.
It wasn't until I chmoded the above directories to 755 that I was finally able to read file.html. Weird, huh?

jpollard · 02-01-2013, 05:49 PM

Not weird at all.

Those directories are not group www-data. Therefore the server could not traverse those directories.

And just because you are a member of the group www-data, doesn't mean the files are.

gacanepa · 02-06-2013, 02:52 PM

Quote:

Originally Posted by jpollard

Not weird at all.

Those directories are not group www-data. Therefore the server could not traverse those directories.

Thanks! that did the trick. I changed the group of those directories and it worked like a charm. Just like I thought, it was a misunderstanding of how apache was working.
Thanks you for taking the time to teach me. I'll add to your reputation right now and mark this thread as solved

.