Solving Linux/Apache Permission Problems
Permission problems in Linux are easy to fix once the basic concepts are understood. Take a concrete example. Suppose you want to give user Buck Fnibbic a directory so he can post his cat pictures on the Internet. Ignoring for the moment the question of whether this really is a good thing to do, it's a good example because it demonstrates most of the permission problems you might run into.
First we need to add
Options FollowSymLinks in httpd.conf and restart
Apache. Fnibbic has already created a directory to put the picture in:
Then we create a symlink in the htdocs directory:
ln -s /home/fnibbic/images/cats cats
Any files that fnibbic puts in
cats will be visible to
remote cat aficionados when they type
Except it doesn't work: they see
Forbidden 403 Access Denied.
Of course, now that they know your images are forbidden, they will want them
A symlink is always created with permissions 777, but it was owned by root because we were root when we created it. Just using chown doesn't work:
chown nobody.nogroup cats
To change ownership of a symlink, you need the -h option.
chown -h nobody.nogroup cats
Unfortunately, Apache still gives a 403. One wrong solution which was tried by a computer consultant that we used to employ was to change the permissions of every file on the server to 777. Boy, did that make a mess. Don't do this.
Apache doesn't tell you where the actual problem is. There might be a problem in httpd.conf,
or there might be a Unix permission problem. The easiest way to diagnose it is to use
su daemon (or whatever user httpd is running under) and follow the path
yourself. The general rule is:
Every step in the path from '/' to the destination must be executable by the user who wants to enter it.
Also, of course, the files themselves must have read permission.
su daemon cd /home cd /home/fnibbic cd /home/fnibbic/images Permission denied
The problem was that 'images' did not have world execute privileges.
ls -ld /home/fnibbic/images drwx------ 3 fnibbic users 69632 Jan 6 2010 images
Since the files are going out on the web anyway, there's no need for subtlety:
chmod a+x /home/fnibbic/images chmod a+r /home/fnibbic/images/*