Fixing 403 Forbidden on alias directory with Apache


Solution 1

I was having this issue on OS X too. It turned out gliptak was right, but I've some more detail to add.

We're both attempting to configure a virtual directory for a folder under a user's home folder; I think this is why we're having the problem. In my case, I had the following setup:

  • Home folder is /Users/calrion.
  • Virtual directory folder is /Users/calrion/Path/to/www.
  • There's a symlink /Users/calrion/Path pointing to /Volumes/Other/Users/calrion/Path.

The problem was the user and group _www (which Apache runs as on OS X) lacked execute access to /Users/calrion and /Volumes/Other/Users/calrion.

Running chmod o+x /Users/calrion and chmod o+x /Volumes/Other/Users/calrion resolved the issue (on OS X 10.7.4).

The rule here is that Apache requires execute access to all folders in the path in order to serve files. Without this, you'll get an HTTP 403 (forbidden).

Solution 2

The last straw ;) Required local in the Directory Entry...

like

<Directory "/Users/user/Documents/example">
   Options Indexes FollowSymLinks MultiViews
   AllowOverride All
   Require local
   Order allow,deny
   Allow from all
</Directory>

if everything else doesn't work (correct Alias, Directory Entry in httpd.conf and correct mod/usr/grp).

keep in mind: if you put your site in user-space the apache user (running httpd) needs access to your home!

Solution 3

These are all very good answers. None of them worked for me.

I have an alias specified in OSX server pointing to a user directory. I spent a long while chmodding and messing with _www user, adding executable permissions recursively, uninstalling macports and all sorts of stuff trying to get this to work. I tried 777. Nope. No idea why it wasn't working.

Eventually, I just checked the "shared folder" checkbox in the Finder for that folder, and it worked, on the specified domain, with php active, the way I wanted it to. :/ ...so that was easy.

Solution 4

Check permission on /Users/user/Documents/, /Users/user/ (higher level permissions are enforced first ...)

/bin/su into the user running Apache (like www, www-data) and cat a file in the /Users/user/Documents/example directory. That might point you to permission problems with your setup.
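
The rule from Solutions 1 and 4 (every directory on the way to the aliased folder must be searchable by the Apache user, on both sides of a symlink), as an added example that is not part of the original answers. `blocked_dirs`, `walk` and `other_x` are hypothetical names. It assumes the Apache user is neither the owner nor in the group of these directories, so the "other" mode bits decide, and it does not look at ACLs.

```shell
#!/bin/sh
# Added example: list directories on the way to an aliased folder that
# "other" users cannot search. Assumption: the Apache user (_www, www-data)
# is neither owner nor group member of them; ACLs are not considered.

# Succeeds if "other" has the execute (search) bit on directory $1.
# The 10th character of the ls mode string is x or t when it is set.
other_x() {
    mode=$(ls -ld "$1/." 2>/dev/null | cut -c10)
    [ "$mode" = "x" ] || [ "$mode" = "t" ]
}

# Print each directory component of absolute path $1 that lacks o+x.
walk() {
    rest=${1#/}; cur=
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        [ -n "$part" ] || continue          # skip empty parts from "//"
        cur=$cur/$part
        if [ -d "$cur" ] && ! other_x "$cur"; then printf '%s\n' "$cur"; fi
    done
}

# Check the path as written and its symlink-free form, because search
# permission is needed on both sides of a symlink such as
# /Users/calrion/Path -> /Volumes/Other/Users/calrion/Path.
blocked_dirs() {
    dir=$1
    case $dir in /*) ;; *) dir=$PWD/$dir ;; esac
    phys=$(cd -P "$dir" 2>/dev/null && pwd -P) || {
        echo "cannot enter $dir as $(id -un)" >&2; return 2; }
    { walk "$dir"; walk "$phys"; } | sort -u
}

# Usage: sh check.sh /Users/user/Documents/example
if [ $# -gt 0 ]; then blocked_dirs "$1"; fi
```

Run it as the owner of the folder; each line printed is a directory that needs `chmod o+x` (or a different location for the site) before Apache can reach the files.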

Solution 5

I was just having this exact same issue. What I found was SELinux was enabled, and the security context of the files in my Aliased directory was incorrect, missing httpd_sys_content_t.

You can view the security context with ls -Z. If your files/folders don't have httpd_sys_content_t then Apache won't serve them up! You can add the proper context with something like chcon -R --type=httpd_sys_content_t /new_html_directory. This will change the context of the files currently in the directory, but not any files that are added afterwards (for that you'll need to work with semanage). Your other option is to just leave the files under /var/www.

Author by

sjking

Updated on August 05, 2020

Comments

  • sjking
    sjking almost 4 years

    I am trying to setup an alias to point to some directory on my filesystem not in DocumentRoot. Now I get a 403 Forbidden response. These are the steps taken: 1. edit http.conf, adding:

    Alias /example "/Users/user/Documents/example"
    

    then...

    <Directory "/Users/user/Documents/example">
       Options Indexes FollowSymLinks MultiViews
       AllowOverride None
       Order allow,deny
       Allow from all
    </Directory>
    

    2. setting permissions with chmod in terminal:

    chmod 755 /Users/user/Documents/example
    

    Now it should work? instead I get the access forbidden. This is the output from error_log:

    [Sun Jul 24 06:57:57 2011] [error] [client xx.xx.xx.xx] (13)Permission denied: access to /example denied
    
  • sjking
    sjking almost 13 years
    I restarted Apache. I changed user group to httpd user, www, and user owner to www. I rebooted. I removed the quotes, no difference. I put a test.php file in /Users/user/Documents/example... In document root, which is accessed by Apache without any problems, ownership is set 755, and works.
  • Sean Kimball
    Sean Kimball almost 13 years
    have you got a case issue? /Users/user/Documents/example > /Users/User/Documents/Example
  • sjking
    sjking over 12 years
    there is no -Z option for ls, I'm in BSD Mac OS. I've just been using the /Library/WebServer/Documents directory, I assume is the same as /var/www under linux. When I have time I am going to start with a fresh install, probably build apache from source.
  • sudol
    sudol over 12 years
    I see. Sorry I don't have much experience running Apache on OS X, but if you don't have to deal with SELinux, then it must just be permissions. Apache on OSX runs as _www on my machine. Did you already give _www access to your /Users/user/Documents/example?
  • Calrion
    Calrion over 10 years
    @andi Are you sure you're having the same issue? When this issue occurs on OS X 10.9 I get an error_log message: "(13)Permission denied: access to /url/path/ denied (filesystem path '/Users/calrion/path/to/folder') because search permissions are missing on a component of the path". If not, perhaps ask a question where you can provide more details about what's going on.
  • andilabs
    andilabs over 10 years
    @Calrion it was caused by something else. Not properly configured httpd.conf. My fault.
  • Jun-Dai Bates-Kobashigawa
    Jun-Dai Bates-Kobashigawa about 10 years
    This worked perfectly for me. However, is there any way to fix this by adjusting the httpd config rather than changing the folder permissions?
  • Calrion
    Calrion about 10 years
    @Jun-DaiBates-Kobashigawa Try setting AllowOverride to none; that should prevent Apache looking for .htaccess files, which I believe is the only reason Apache needs access to all directories in the path.
  • SobiborTreblinka
    SobiborTreblinka about 10 years
    Had to also do this for OS X 10.9: wiki.apache.org/httpd/13PermissionDenied
  • Marc Stober
    Marc Stober almost 10 years
    Here's the command that worked for me to login as _www: sudo -s -u _www (or I should say it didn't work, it immediately told me I didn't have permission on the parent directory if I tried it from the folder I wanted to share). From apple.stackexchange.com/questions/126302/…
  • Marc Stober
    Marc Stober almost 10 years
    But I am thinking this means it's probably not a good practice security-wise to share web files out of my Home directory. Have to think of a different way to test web files generated in a subdirectory of code I have in ~/Documents.
  • Benjamin
    Benjamin over 9 years
    checking the "shared folder" checkbox worked for me. I also had to remove Require local from my virtual host configuration.
  • Lance
    Lance over 9 years
    I spent an hour to config apache, none of them worked. But this works perfectly. Thank you!
  • Fer To
    Fer To about 9 years
    Sounds crazy, but your code fixed it! -> Have changed to Yosemite and 1. "Options FollowSymLinks" was missing and 2. there was old Apache 2.2 code. Just added "Require all granted" / "denied" and everything works.
  • Julian F. Weinert
    Julian F. Weinert almost 9 years
    Usually the OS X updates rename the http.conf to http.con~previous which can be recovered easily. Even though @edan is right, some fixing still needs to be done according to the updated apache.
  • Diéssica
    Diéssica almost 9 years
    Finally! Thank you so much for the 2nd step! Working fine on OS X 10.10.2.
  • varagrawal
    varagrawal about 8 years
    The home access was my issue. Where should we be putting the static folder?
  • Firanto
    Firanto over 5 years
    This Require all granted/denied is the one missing from the standard httpd.conf in most tutorials. Once I re-add it, it works again. Thanks.