Why does Apache (and other browsers) throw 403 due to file system permissions?


For historic reasons simply look at the older HTTP 1.0 specification from RFC 1945 (emphasis mine):

403 Forbidden

The server understood the request, but is refusing to fulfill it.
Authorization will not help and the request should not be repeated.
If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it should describe the reason for the refusal in the entity body.
This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.

So back then a 403 error was simply convention, and it provided an error message that does not disclose unnecessary information.

In the much more recent RFC 7231 a 403 error becomes a much more generic "unauthorized", i.e. the user does not have the necessary permissions for the resource:

... If authentication credentials were provided in the request, the server considers them insufficient to grant access. The client SHOULD NOT automatically repeat the request with the same credentials. The client MAY repeat the request with new or different credentials. However, a request might be forbidden for reasons unrelated to the credentials.



Author: Exit42

Updated on September 18, 2022

Comments

  • Exit42
    Exit42 almost 2 years

    To forestall any confusion, I am not asking for help with a technical issue debugging my web server. I am asking about the history and logic behind Apache (and other web servers) throwing 403 when they don't have permissions on a file or its parent directory.

    e.g., suppose I have a file like this in my DocumentRoot:

    -rw-r----- 1 nobody staff 0 Apr 12 09:35 file.html

    And Apache runs under the user www who is not part of the staff group. If I try to open the URL for this file, I get HTTP 403 Forbidden.

    The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated.

    I understand the technical reason why Apache cannot serve the file. But why use 403? Would not one of the 500 family of errors be more accurate (or 404)?

    My reasoning here is that the server is failing to serve the file because the file system permissions are either incorrect (misconfigured) or the admin intentionally wants the file in the document tree but not accessible to the web (think about it.. the error message often says "You don't have permission to access /file.html on this server.".. well who does? Is Apache configured to switch OS users based on who's logged into the web interface?).

    If the file is outside of the document tree (e.g., /etc/passwd), then I would expect the server to give 404.

    edit: writing/grammar

    • FooBee
      FooBee about 8 years
      Server Fault is not about "Let's discuss this random topic I thought about". We deal with answerable questions about actual technical problems you face.
    • Exit42
      Exit42 about 8 years
      Okay thanks @Sven, I suspected as much but didn't know where to ask. Where do I put it?
    • FooBee
      FooBee about 8 years
      Nowhere on Stack Exchange, because all sites are Q&A sites, not discussion forums. Other than that, I can't say.
    • Exit42
      Exit42 about 8 years
      Thanks. I appreciate the advice. However, I find you describing my question with the phrase "Let's discuss this random topic I thought about" a bit negative.. perhaps condescending or belittling. I didn't select this topic randomly or arbitrarily or frivolously. I asked it because I seek to understand the technology that I work with. Chalk it up to me being over-sensitive, if you like, but I don't think your comment had the appropriate level of constructiveness.
    • FooBee
      FooBee about 8 years
      From my point of view, it is just another random question that has no place here. I really think it's a good question in itself, but it won't solve an actual problem for you or change the way you operate your environment, which is one of the most fundamental requirements for questions here. Ignoring this kind of requirement, even when you don't know where else to ask, is widely considered as disrespectful against any online community whose time you wish to occupy for free, so please just accept that I won't sugarcoat my being a little bit annoyed with a metaphorical fake smile.
    • Exit42
      Exit42 about 8 years
      Makes sense, I get it.