Can't get Apache httpd.conf permissions correct

Phil Latio · External Since: Jul 05, 2004 Posts: 32

I have the following setup:

2 users:
- user1
- user2

Each user has his own directory
- /home/user1
- /home/user2

Each user has one tld
- user1 owns domain1.com
- user2 owns domain2.com

If I set httpd.conf to the following, .
User: user1
Group: apache
only user1 website's is visable

If I set httpd.conf to the following:
User: user2
Group: apache
only user2 website's is visable.

If I set httpd.conf to the following:
User: apache
Group: apache
neither website's is visable.

- I have tried making both user1 and user2 members of the Group "apache" but
that makes no difference.
- I have tried changing the ownership of all the files and directories of
both /home/user1 and /home/user2 to the Group "apache" but no luck.

So the question is what do I have to set in in httpd.conf (or elsewhere) to
enable both both user1 and user2 websites don't get Error 403 forbidden?

Cheers

Phil

Linker3000 · External Since: Jul 22, 2007 Posts: 4

Phil Latio wrote:
> I have the following setup:
>
> 2 users:
> - user1
> - user2
>
> Each user has his own directory
> - /home/user1
> - /home/user2
>
> Each user has one tld
> - user1 owns domain1.com
> - user2 owns domain2.com
>
> If I set httpd.conf to the following, .
> User: user1
> Group: apache
> only user1 website's is visable
>
[Snip]

Try some virtual hosts...(without my '<--' comments!)

NameVirtualHost 192.168.1.10:80 <-- Your server's IP Address

<VirtualHost 192.168.1.10:80> <-- IP address again
Servername mydomain1.com <-- Domain name 1
ServerAlias *.mydomain1.com mydomain.com
ServerAdmin webmaster RemoveThis @whatever.com
DocumentRoot /home/user1 <--- Location of site 1
DirectoryIndex index.htm index.php
ErrorLog /etc/httpd/logs/error_log
TransferLog /etc/httpd/logs/access_log
</VirtualHost>

<VirtualHost 192.168.1.10:80> <-- IP address again
Servername mydomain2.com
ServerAlias *.mydomain2.com mydomain2.com
ServerAdmin webmaster2 RemoveThis @whatever.com
DocumentRoot /home/user2 <-- Location of site 2
DirectoryIndex index.htm index.php
ErrorLog /etc/httpd/logs/error_log
TransferLog /etc/httpd/logs/access_log
</VirtualHost>

Save and restart Apache

HTH

L3K

Linker3000 · External Since: Jul 22, 2007 Posts: 4

Linker3000 wrote:
> Phil Latio wrote:
>> I have the following setup:
>>
>> 2 users:
>> - user1
>> - user2
>>
>> Each user has his own directory
>> - /home/user1
>> - /home/user2
>>
>> Each user has one tld
>> - user1 owns domain1.com
>> - user2 owns domain2.com
>>
>> If I set httpd.conf to the following, .
>> User: user1
>> Group: apache
>> only user1 website's is visable
>>
> [Snip]
>
> Try some virtual hosts...(without my '<--' comments!)
>
> NameVirtualHost 192.168.1.10:80 <-- Your server's IP Address
>
> <VirtualHost 192.168.1.10:80> <-- IP address again
> Servername mydomain1.com <-- Domain name 1
> ServerAlias *.mydomain1.com mydomain.com
> ServerAdmin webmaster RemoveThis @whatever.com
> DocumentRoot /home/user1 <--- Location of site 1
> DirectoryIndex index.htm index.php
> ErrorLog /etc/httpd/logs/error_log
> TransferLog /etc/httpd/logs/access_log
> </VirtualHost>
>
> <VirtualHost 192.168.1.10:80> <-- IP address again
> Servername mydomain2.com
> ServerAlias *.mydomain2.com mydomain2.com
> ServerAdmin webmaster2 RemoveThis @whatever.com
> DocumentRoot /home/user2 <-- Location of site 2
> DirectoryIndex index.htm index.php
> ErrorLog /etc/httpd/logs/error_log
> TransferLog /etc/httpd/logs/access_log
> </VirtualHost>
>
>
> Save and restart Apache
>
> HTH
>
> L3K

NB: First ServerAlias line should be:

ServerAlias *.mydomain1.com mydomain1.com

Ian Northeast · External Since: Mar 31, 2004 Posts: 185

On Mon, 23 Jul 2007 01:28:39 +0000, Phil Latio wrote:

> I have the following setup:
>
> 2 users:
> - user1
> - user2
>
> Each user has his own directory
> - /home/user1
> - /home/user2
>
> Each user has one tld
> - user1 owns domain1.com
> - user2 owns domain2.com
>
> If I set httpd.conf to the following, . User: user1
> Group: apache
> only user1 website's is visable
>
> If I set httpd.conf to the following: User: user2
> Group: apache
> only user2 website's is visable.
>
> If I set httpd.conf to the following: User: apache
> Group: apache
> neither website's is visable.
>
> - I have tried making both user1 and user2 members of the Group "apache"
> but that makes no difference.
> - I have tried changing the ownership of all the files and directories of
> both /home/user1 and /home/user2 to the Group "apache" but no luck.
>
> So the question is what do I have to set in in httpd.conf (or elsewhere)
> to enable both both user1 and user2 websites don't get Error 403
> forbidden?

Firstly don't run apache as a regular user, it's a security risk. Run it
as its own user, and ensure that this has no rights to damage anything in
the system, or as "nobody".

Ensure that the apache user has read access to all files it needs. This
includes having "execute" access to the directories containing them - I
suspect that this may be what you are missing. Normally this is done by
granting global read/execute access to the files in question. If you want
to do it using group access and not have the files globally readable
(although I can't think why you would want to, when they can be accessed
via the web server anyway) the files will have to belong to the "apache"
group.

Regards, Ian

Owen Rees · External Since: Nov 17, 2004 Posts: 8

On Mon, 23 Jul 2007 01:28:39 GMT, "Phil Latio"
<phil.latio.DeleteThis@f-in-stupid.co.uk> wrote in
<avToi.159680$oA4.147645@fe04.news.easynews.com>:

>So the question is what do I have to set in in httpd.conf (or elsewhere) to
>enable both both user1 and user2 websites don't get Error 403 forbidden?

One thing to do is to look in the server error log to see exactly what
it says about the failed attempts. It almost always contains additional
information that is very useful in solving the problem.

The information given so far suggests a file permission problem. You
need to make sure that the user:group that runs the web server has
permission to read the files to be served and to search the directories
that contain them. Note that this directory search permission must
extend all the way back to the root of the file system.

--
Owen Rees
[one of] my preferred email address[es] and more stuff can be
found at <http://www.users.waitrose.com/~owenrees/index.html>

Phil Latio · External Since: Jul 05, 2004 Posts: 32

> Firstly don't run apache as a regular user, it's a security risk. Run it
> as its own user, and ensure that this has no rights to damage anything in
> the system, or as "nobody".
>
> Ensure that the apache user has read access to all files it needs. This
> includes having "execute" access to the directories containing them - I
> suspect that this may be what you are missing. Normally this is done by
> granting global read/execute access to the files in question. If you want
> to do it using group access and not have the files globally readable
> (although I can't think why you would want to, when they can be accessed
> via the web server anyway) the files will have to belong to the "apache"
> group.
>
> Regards, Ian

Yep you hit the nail on the head. It made perfect sense when I read what
your solution.

I changed httpd.conf to:
User: apache
Group: apache

(apache has the shell of /sbin/nologin so that should be secure)

Then did:
chmod -R g=rx user1
chmod -R g=rx user2

All now works. Thanks very much.

Cheers

Phil