Posted to wiki-changes@httpd.apache.org by Apache Wiki <wi...@apache.org> on 2008/02/14 18:59:42 UTC

[Httpd Wiki] Update of "13PermissionDenied" by slive

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.

The following page has been changed by slive:
http://wiki.apache.org/httpd/13PermissionDenied

The comment on the change is:
Make this a unified document rather than a series of semi-related points.

------------------------------------------------------------------------------
  ## page was renamed from Errors/13PermissionDenied
  = (13) Permission Denied =
- '''Error 13 indicates a filesystem permissions problem. That is, Apache was denied access to a file or directory due to incorrect permissions. '''
+ '''Error 13 indicates a filesystem permissions problem. That is, Apache was denied access to a file or directory due to incorrect permissions. It does not, in general, imply a problem in the Apache configuration files.'''
  
- On *nix systems, use {{{ls -l}}} to see the current permissions, and see {{{man chmod}}} for details on fixing these.
+ In order to serve files, Apache must have the proper permission granted by the operating system to access those files. In particular, the {{{User}}} or {{{Group}}} specified in {{{httpd.conf}}} must be able to read all files that will be served and search the directory containing those files, along with all parent directories up to the root of the filesystem.
  
- GNU based systems often have a {{{namei}}} program that helps in viewing the permissions of a complete path.
+ Typical permissions on a unix-like system for resources not owned by the {{{User}}} or {{{Group}}} specified in {{{httpd.conf}}} would be 644 {{{-rw-r--r--}}} for ordinary files and 755 {{{drwxr-x-r-x}}} for directories or CGI scripts. You may also need to check extended permissions (such as SELinux permissions) on operating systems that support them.
  
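Review bot: The mode string given for 755 in the added "Typical permissions" paragraph is malformed: "drwxr-x-r-x" has one character too many and should read "drwxr-xr-x". The same sentence applies that directory string to CGI scripts, which are regular files, so the script case would be "-rwxr-xr-x". The same malformed string is present in the removed DocumentRoot line, so it is worth correcting here rather than carrying it forward.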
+ === An Example ===
- Note that the permissions used below for examples assumes that the Apache user is not
- the owner or group owner of any of the resources. It is also assumed that you, the user/admin, knows and understands the unix permissions/ownership scheme.
  
- Make sure that the file to which permission was denied is at least readable by the Apache user (eg {{{-r--r--r--}}} or 444 as a minimum. {{{-rw-r--r--}}} or 644 is more usual). 
+ Lets say that you received the {{{Permission Denied}}} error when accessing the file {{{/usr/local/apache2/htdocs/foo/bar.html}}} on a unix-like system.
  
- The '''!DocumentRoot''' directory and its subdirectories need to have the 'read' and 'executable' bits set ({{{drwxr-x-r-x}}} or 755 is most common).
+ First check the existing permissions on the file:
+ {{{ cd /usr/local/apache2/htdocs/foo
+ ls -l bar.html
+ }}}
  
- Parent directories up to the '''!DocumentRoot''' directory need at least the 'executable' bit set ({{{drwx--x--x}}} or 711 for example).
+ Fix them if necessary:
+ {{{ 
+ chmod 644 bar.html }}}
  
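Review bot: The first two code blocks of the example put the wiki code markers on the same line as a command ("{{{ cd /usr/local/apache2/htdocs/foo" and "chmod 644 bar.html }}}"), unlike the later blocks in this change, which keep "{{{" and "}}}" on lines of their own. Suggest one layout for all of them so they are formatted consistently. Also, "Lets say" in the sentence that opens the example should be "Let's say".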
- These above also pertain to '''Userdir''' (a.k.a. '''public_html''') where you can think of a user's '''public_html''' directory as the '''!DocumentRoot''' for that user.
+ Then do the same for the directory and each parent directory ({{{/usr/local/apache2/htdocs/foo}}}, {{{/usr/local/apache2/htdocs}}}, {{{/usr/local/apache2}}}, {{{/usr/local}}}, {{{/usr}}}):
+ {{{
+ ls -la
+ chmod +x .
+ cd ..
+ # repeat up to the root
+ }}}
  
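Review bot: In the parent-directory block, "chmod +x ." is run at every level without first deciding whether that directory actually lacks search permission, whereas the file step says "Fix them if necessary". With no class given, "+x" adds execute for owner, group and other (as far as the umask allows), which is broader than the Apache User or Group needs on directories such as /usr/local. Suggest "ls -ld ." to show the directory's own mode, and changing it only where the search bit is missing for the relevant class. The listed parents also stop at /usr while the comment says to repeat up to the root.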
- Scripts to be executed need to be 'readable' and 'executable' ({{{drwxr-xr-x}}} or 755 being most common).
+ On some systems, the utility {{{namei}}} can be used to help find permissions problems by listing the permissions along each component of the path:
+ {{{
+ namei -m /usr/local/apache2/htdocs/foo/bar.html
+ }}}
  
+ If all the standard permissions are correct and you still get a {{{Permission Denied}}} error, you should check for extended-permissions. For example you can use the command {{{setenforce 0}}} to turn off SELinux and check to see if the problem goes away. If so, {{{ls -alZ}}} can be used to view SELinux permission and {{{chcon}}} to fix them.
- 
- On Linux, you can use the {{{namei}}} command to return permissions of everything in the path to the target file or directory.
- 
- {{{
- namei -m /usr/local/apache/httpd/dir1/dir2/index.html
- }}}
  
  '''DO NOT''' set files or directories to mode 777, even "just to test", even if "it's just a test server". The purpose of a test server is to get things right in a safe environment, not to get away with doing it wrong.
  
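Review bot: The added SELinux paragraph describes "setenforce 0" as turning SELinux off, but never tells the reader to restore it. The command puts the whole system into permissive mode, not just Apache, so the text should say to run "setenforce 1" once the test is done, before moving on to "ls -alZ" and "chcon". Also, "extended-permissions" should be unhyphenated and "SELinux permission" should be plural, matching the earlier paragraph.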
- {{{setenforce 0}}} can be used to test if this is caused by a SELinux issue - in that case, use {{{chcon}}} to fix permissions. Use {{{ls -alZ}}} to view current permissions on such systems.
-