Apache - "403 forbidden" message on any DIR below DocumentRoot

stevod333 · 06-09-2006, 08:39 PM

Updated: below is my original problem situation - I have now discovered that it is not just subdirectories that receive the "403 forbidden" message - attempting to access any file within the DocumentRoot, other than index.html, will produce this message.
**********************************

I'm attempting to setup Apache 2.2 on Fedora 5.

I have moved the DocumentRoot to a different directory /webdev and have one other directory below there /webdev/phonebills.

The main page works fine, and my small index.html file loads and displays my link to /phonebills/index.html, but when trying to access that directory, I get the "403 Forbidden message":

****************************************************************

You don't have permission to access /phonebills/index.html on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

****************************************************************

Below is a portion of my httpd.conf file...

Quote:

# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/webdev"

#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# This should be changed to whatever you set DocumentRoot to.
#

<Directory "/webdev">

#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None

#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all

</Directory>

<Directory "/webdev/phonebills"> #have also tried "/phonebills"
Options Indexes FollowSymLinks
AllowOverride None

Order allow,deny
Allow from all

</Directory>

I've been at this for days and just about at my wits end. I've searched stacks of webpages and previous posts here. I don't believe it is a permisions problem since /webdev and the subdir have the same owner and permissions.

Any suggestions as to what might be wrong here?

Snowbat · 06-10-2006, 10:17 PM

What about the permissions of the files in /webdev and /webdev/phonebills/ ?

For comparison, here are some example file and directory permissions from DocumentRoot and a subdirectory on my old Mandrake 9.1 server:

DocumentRoot /var/www/html

Code:

drwxr-xr-x root root /var/www/html/
-rw-r--r-- root root /var/www/html/index.shtml
drwxr-xr-x root root /var/www/html/mrtg/
-rw-r--r-- root root /var/www/html/mrtg/index.html

natm · 06-11-2006, 12:30 AM

yeah, I would think it'd be the permissions, I have a script set up to change the ownership and permissions of the files to what apache wants, and I would give you my exact script, but my computer is dead right now: http://www.linuxquestions.org/questi...d.php?t=453620

basically, just set the ownership to the user apache I think, I'm a bit rusty on this as it's been a while since I set up my own server. I think you should just set the permissions and ownership the same as you have you're index.html file set.

stevod333 · 06-11-2006, 02:37 AM

I think the permisions are ok - below is a list of the permisions for all related directories and files:

/
...
....
drwxrwxr-x 3 apache apache 4096 Jun 10 10:16 webdev

/webdev/
-rw-rw-r-- 1 apache apache 120 Jun 10 10:05 index.html
drwxrwxr-x 2 apache apache 4096 Jun 10 10:30 phonebills

/webdev/phonebills/
-rw-rw-r-- 1 apache apache 423 Jun 6 20:42 index.html
-rw-rw-r-- 1 apache apache 114 Jun 6 20:30 PBmain.php

As you can see, permissions for /webdev and /webdev/phonebills are the same, as are all the files in each directory.

I just don't get it

stevod333 · 06-11-2006, 03:56 AM

I really needed to start getting some actual work done, so I thought that until I resolved this problem, I would simply move my project files into /webdev - and I still recieve the same message when trying to access any files apart from index.html - so it's not just subdirectories that cant be accessed -- nothing can be accessed!!!

This situation has just gone from bad to horrifying

I'm posting a new thread with the updated problem situation as the title.

Thanks to all who have replied so far.

stevod333 · 06-11-2006, 04:31 AM

I'm attempting to setup Apache 2.2 on Fedora 5.

To start with, I have moved the DocumentRoot to a different directory /webdev and have one other directory below there /webdev/phonebills.

The server is up and running, and my small index.html file loads and displays my links to other files and directories, but when trying to access anything other that {DocumentRoot}/index.html file, I get the "403 Forbidden message":

****************************************************************

You don't have permission to access {selected path and file} on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

****************************************************************

Below is a portion of my httpd.conf file...

Quote:

# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/webdev"

#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# This should be changed to whatever you set DocumentRoot to.
#

<Directory "/webdev">

#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None

#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all

</Directory>

#<Directory "/webdev/phonebills"> #have also tried "/phonebills"
#Options Indexes FollowSymLinks
#AllowOverride None

#Order allow,deny
#Allow from all

#</Directory>

I've been at this for days and just about at my wits end.
I posted a previous thread while I thought the problem was simply trying to access subdirectories below DocumentRoot, but have now discovered that no files/directories can be accessed other than index.html.
I've searched stacks of webpages and previous posts here. I don't believe it is a permisions problem since all the files in DocumentRoot have the same owner and permissions.

Any suggestions as to what might be wrong here?

Snowbat · 06-11-2006, 04:41 AM

It may not make any difference but I notice the DocumentRoot line in my httpd.conf is not enclosed in quotes.

prozac · 06-11-2006, 04:46 AM

maybe apache does not have the permission to access the files (most probably /webdev/phonebills) its been crying foul about. locate the file/directories yourself within the filesystem and change their permissions so that apache or the user for whom apache is running can atleast read.

peterb · 06-11-2006, 09:39 AM

Have a look at
/var/log/httpd/access_log
/var/log/httpd/error_log
/var/log/messages
for some clues.

Are you using vhost.conf?

stevod333 · 06-11-2006, 07:34 PM

Permissions for all the files and subdiretories are the same - here they are...

/webdev

Quote:

drwxrwxr-x 4 apache apache 4096 Jun 11 18:42 webdev

/webdev/*

Quote:

-rw-rw-r-- 1 apache apache 127 Jun 11 18:41 index.html
-rw-rw-r-- 1 apache apache 423 Jun 6 20:42 PBlogin.html
-rw-rw-r-- 1 apache apache 114 Jun 6 20:30 PBmain.php
drwxrwxr-x 2 apache apache 4096 Jun 11 18:31 phonebills

Originally, I had the PB* files in /webdev/phonebills/, but I moved them back to /webdev/ thinking that it was jus a problem accessing the subdirectory ../phonebills/.
The only file listed above that can be accessed is index.html - any of the other files give the 403 forbidden message.

Here are the last few access attempts recorded in the log files:

access.log

Quote:

192.168.0.1 - - [12/Jun/2006:10:27:29 +1000] "GET /index.html HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.2) Gecko/20060419 Fedora/1.5.0.2-1.2.fc5 Firefox/1.5.0.2 pango-text"
192.168.0.1 - - [12/Jun/2006:10:27:31 +1000] "GET /PBlogin.html HTTP/1.1" 403 409 "http://192.168.0.1/index.html" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.2) Gecko/20060419 Fedora/1.5.0.2-1.2.fc5 Firefox/1.5.0.2 pango-text"
192.168.0.1 - - [12/Jun/2006:10:29:08 +1000] "GET /PBmain.php HTTP/1.1" 403 407 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.2) Gecko/20060419 Fedora/1.5.0.2-1.2.fc5 Firefox/1.5.0.2 pango-text"

error.log

Quote:

[Mon Jun 12 10:27:31 2006] [error] [client 192.168.0.1] (13)Permission denied: access to /PBlogin.html denied, referer: http://192.168.0.1/index.html
[Mon Jun 12 10:29:08 2006] [error] [client 192.168.0.1] (13)Permission denied: access to /PBmain.php denied

Nothing very useful as far as I can see.
Any other suggestions?

stevod333 · 06-11-2006, 07:40 PM

Also here are the last few entries in /var/messages

Quote:

Jun 12 10:27:31 steve kernel: audit(1150072051.095:79): avc: denied { getattr } for pid=6994 comm="httpd" name="PBlogin.html" dev=dm-0 ino=267525 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u

bject_r:user_home_t:s0 tclass=file
Jun 12 10:29:08 steve kernel: audit(1150072148.978:80): avc: denied { getattr } for pid=6995 comm="httpd" name="PBmain.php" dev=dm-0 ino=4391586 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u

bject_r:user_home_t:s0 tclass=file
Jun 12 10:29:08 steve kernel: audit(1150072148.978:81): avc: denied { getattr } for pid=6995 comm="httpd" name="PBmain.php" dev=dm-0 ino=4391586 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u

bject_r:user_home_t:s0 tclass=file

Does this give us any clues?

stevod333 · 06-12-2006, 02:36 AM

Fixed it.

The problem was with SElinux. Running the command system-config-securitylevel and ticking all the checkboxes for HTTPD has solved the problem.

Thank you to everyone who has tried to help with this.

spooon · 06-12-2006, 04:58 AM

The problem is that if you move stuff from other places into that directory, it will not have the right "context" for Apache to be allowed to access it. You can run "restorecon -R /webdev" to set the correct context. Turning off security is not the right solution.