[H-GEN] Apache: 403 Forbidden in /~userdir
Ben Carlyle
benc at foxboro.com.au
Mon Jan 17 20:47:35 EST 2000
Daniel Quinlan wrote:
> > > everything is just fine except now Apache is giving 403 Forbidden on
> > > any users public_html. I haven't changed anything else.....
... snip ...
> daniel@mage:~$ ls -ld /home
> drwxrwsr-x 7 root staff 4096 Jan 13 14:13 /home/
> daniel@mage:~$ ls -l /home
> total 36
> drwxr-s--- 51 daniel daniel 4096 Jan 18 10:50 daniel/

There are three basic permission bits for each user set under
unix: read, write, and execute.

On a file these permission bits are fairly self-explanatory
and I'll assume you already understand them. On a directory
the write bit is self-explanatory, but the read and execute
bits have complementary roles. The read bit specifies whether
a user can list the contents of a directory, and the execute
bit specifies whether a user can "enter" the directory to
access files or subdirectories.

Consider these combinations:

Directory rx:
The specified user group can list the contents of the directory,
and freely negotiate into subdirectories.

Directory x:
The specified user group can freely negotiate into subdirectories,
but cannot read the directory list. The user must know the precise
filename or directory name he or she is after and cannot infer it
from the directory contents, e.g.
    less /home/.profile and
    ls /home/public_html will work if /home is +x, but
    ls /home will return nothing.

Directory r:
The specified user group can read the contents of a directory, but
cannot negotiate it. The user can find out what is in the specified
directory, but cannot read files contained within, change into
subdirectories, or even stat the files within to determine permissions
or file sizes.
    echo /home/* will work if /home is +r, but
    ls /home/* will return stat errors, and
    ls /home/public_html will not work.

The answer to your problem is, therefore, that your home directory
does not have execute permission set for the everybody group, of
which the www "nobody" user is a part. Since your directory does
not have +x, no matter what permissions are granted on public_html
the directory cannot be accessed. It is usually considered sensible
to set +x without +r on your home directory. Subdirectories and
files should have their permissions carefully monitored to ensure
no illegal access takes place, and you should be aware as to whether
it is sensible to grant access to your user group.

Benjamin.
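
Added example, not part of the original message: a Python check of the rule described above, walking every directory between a starting point and a web file and reporting where the "other" class loses the execute (search) bit and which directories it can list. It assumes the web server user is neither owner nor group member of anything on the path, ignores ACLs, and uses a constructed tree and hypothetical names (check_other_access, demo).

```python
import os
import stat
import tempfile


def check_other_access(target, start):
    """Report what the 'other' permission class can do on the way from
    directory `start` down to the file `target`."""
    start, target = os.path.abspath(start), os.path.abspath(target)
    chain = [start]
    for part in os.path.relpath(target, start).split(os.sep):
        chain.append(os.path.join(chain[-1], part))
    blocked_at, listable = None, []
    for directory in chain[:-1]:            # every directory above the file
        mode = os.stat(directory).st_mode
        if mode & stat.S_IROTH:             # +r: contents can be listed
            listable.append(os.path.relpath(directory, start))
        if blocked_at is None and not mode & stat.S_IXOTH:
            blocked_at = os.path.relpath(directory, start)  # no +x: cannot enter
    readable = bool(os.stat(target).st_mode & stat.S_IROTH)
    return {"reachable": blocked_at is None and readable,
            "blocked_at": blocked_at, "listable": listable}


def demo():
    """Build a constructed tree mirroring the post and check it twice."""
    with tempfile.TemporaryDirectory() as base:
        home = os.path.join(base, "home")
        user = os.path.join(home, "daniel")
        web = os.path.join(user, "public_html")
        page = os.path.join(web, "index.html")
        os.makedirs(web)
        with open(page, "w") as fh:
            fh.write("hello\n")
        os.chmod(home, 0o775)
        os.chmod(user, 0o750)   # same 'other' bits as drwxr-s--- in the post
        os.chmod(web, 0o755)
        os.chmod(page, 0o644)
        before = check_other_access(page, home)
        os.chmod(user, 0o711)   # +x without +r for everybody else
        after = check_other_access(page, home)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result)
```

With the home directory at 0711 the page becomes reachable while the home directory itself stays out of the listable set.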