Linux Setup Notes

created sep 19, 2012

Solving Linux/Apache Permission Problems

Permission problems in Linux are easy to fix once the basic concepts are understood. Take a concrete example. Suppose you want to give user Buck Fnibbic a directory so he can post his cat pictures on the Internet. Ignoring for the moment the question of whether this really is a good thing to do, it's a good example because it demonstrates most of the permission problems you might run into.

Example situation

First we need to add Options FollowSymLinks to httpd.conf and restart Apache. Fnibbic has already created a directory to put the pictures in:

mkdir /home/fnibbic/images/cats

Then we create a symlink in the htdocs directory:

ln -s /home/fnibbic/images/cats cats

Any files that fnibbic puts in cats will be visible to remote cat aficionados when they type Except it doesn't work: they see Forbidden 403 Access Denied. Of course, now that they know your images are forbidden, they will want them even more.


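A symlink is always created with permissions 777, but ours is owned by root because we were root when we created it. Just using chown doesn't work, because without options chown follows the link and changes the owner of the directory it points to: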

chown nobody.nogroup cats

To change ownership of a symlink, you need the -h option.

chown -h nobody.nogroup cats

Unfortunately, Apache still gives a 403. One wrong solution, tried by a computer consultant we used to employ, was to change the permissions of every file on the server to 777. Boy, did that make a mess. Don't do this.

Apache doesn't tell you where the actual problem is. There might be a problem in httpd.conf, or there might be a Unix permission problem. The easiest way to diagnose it is to use su daemon (or whatever user httpd is running under) and follow the path yourself. The general rule is:
Every step in the path from '/' to the destination must be executable by the user who wants to enter it.
Also, of course, the files themselves must have read permission.

su daemon
cd /home
cd /home/fnibbic
cd /home/fnibbic/images
Permission denied

The problem was that 'images' did not have world execute privileges.

ls -ld /home/fnibbic/images
drwx------ 3 fnibbic users 69632 Jan  6  2010 images

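Since the files are going out on the web anyway, there's no need for subtlety. Note that a+x on a directory only lets others pass through it, not list it, while the second command makes everything directly inside images world-readable: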

chmod a+x /home/fnibbic/images
chmod a+r /home/fnibbic/images/*
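
The "follow the path yourself" diagnosis above can be scripted. The following is an added example, not part of the original notes: the function names first_blocked and other_bits are made up for illustration, GNU stat and readlink are required, and the script assumes the web server user is neither the owner nor in the group of anything on the path, so only the "other" permission bits apply.

```shell
#!/bin/sh
# Added example (not from the original page): automate "follow the path yourself".
# Assumption: the web server user is neither owner nor group member of anything
# on the path, so only the "other" permission bits apply. Uses GNU stat/readlink.

# other_bits PATH -> prints the "other" octal digit of PATH's mode (5 for 755)
other_bits() {
    mode=$(stat -c '%a' "$1") || return 2
    printf '%s\n' "${mode#"${mode%?}"}"
}

# first_blocked TARGET [START]
# Resolves symlinks in TARGET (such as htdocs/cats), then walks from START
# (default /) down to it. Prints the first component that blocks access and
# returns 1; prints nothing and returns 0 if the whole path is passable.
first_blocked() {
    target=$(readlink -f "$1") || return 2
    cur=$(readlink -f "${2:-/}") || return 2
    rest=${target#"$cur"}
    old_ifs=$IFS; IFS=/; set -f
    set -- $rest                      # split the remaining path on "/"
    set +f; IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        # cur is a directory that must be entered to reach $part: needs o+x
        bits=$(other_bits "$cur") || return 2
        if [ $(( bits & 1 )) -eq 0 ]; then
            echo "$cur: no execute (search) bit for others"
            return 1
        fi
        cur=${cur%/}/$part
    done
    # Last component: a directory must be enterable, a file must be readable
    bits=$(other_bits "$cur") || return 2
    if [ -d "$cur" ]; then need=1 what=execute; else need=4 what=read; fi
    if [ $(( bits & need )) -eq 0 ]; then
        echo "$cur: no $what bit for others"
        return 1
    fi
    return 0
}
```

Run it as root so that stat can read every component, for example first_blocked /home/fnibbic/images/cats. The namei -l command from util-linux prints the same per-component modes for a manual check.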