Question: What ownership does Apache need so that it does not require execute permissions for the world on public_html (751)?

Background: When I changed the php.ini settings through cPanel, there was an error "Error: The EUID, 1005, does not own /home/my_user_name/public_html/.htaccess." I understood this because the .htaccess file was owned by root:root.

So, as a green SHELL user I changed the ownership of every file using `chown -R my_user_name:my_user_name .[^.]*`. Sweet, I could now save my php.ini through MultiPHP INI in cPanel.

That's when this pretty error appeared when trying to visit any page on my Drupal 8 site:

Forbidden You don't have permission to access / on this server. Server unable to read htaccess file, denying access to be safe

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

Even after deleting, reuploading, and changing the ownership back to root:root, it didn't work.

The only thing that worked was changing public_html to 751 (instead of 750). Why does Apache need the execute permissions for the world? And which owner/group do I need to change it to fix it?

754 also didn’t work

Chris Happy
  • Apache probably runs as the `www-data` user, at least if it is a Debian-based system. If not, you can check the user with a `ps uxa|grep httpd`. This user needs to have access. Alternatively, you can use the somehow forgotten [mpm-itk](http://mpm-itk.sesse.net/) to be able to specify a different user for any virtual hosts. – peterh Apr 23 '19 at 01:08
  • Thanks @peterh! I followed those exact steps and it fixed my problem :) – Chris Happy Apr 23 '19 at 01:17
  • @womble Edited question. – Chris Happy Apr 23 '19 at 01:17
  • My pleasure. Another important piece of info: on directories, the "x" does not mean that it is executable; it makes no sense to "execute" a directory. On directories, the "x" access flag means that you can enter it. Thus, an `o+x` means that everybody can enter it. You can also specify more detailed permissions with ACLs, `man setfacl` or `man getfacl`. – peterh Apr 23 '19 at 01:31
  • @peterh Oh, that makes a lot more sense about the execute permission. Does this mean that 751 would be exactly as secure as 750 on the public_html? – Chris Happy Apr 23 '19 at 01:34
  • No, 751 on the public_html means that anybody can enter it. If the user that your Apache runs as is not the one who owns this directory, and it is also not in its group, then this 751 is needed for Apache to be able to enter the public_html directory. Note also that permission to access public_html is not enough; it needs to have permission to access (at least, to enter) also its parent directory, its parent directory, and so on. – peterh Apr 23 '19 at 01:37
  • To test what exactly your Apache can do, it is best to `su` to it. `su www-data -s /bin/bash` is the command. Then you have a shell in the name of Apache. If you want to download any file over HTTP, your Apache needs to be able to enter its directory and read that file. So, `cd`, `ls`, `cat`, and you will know where the problem really is. – peterh Apr 23 '19 at 01:39
  • Okay, thanks a lot @peterh. I have learned something today :) – Chris Happy Apr 23 '19 at 01:44

1 Answer

You need execute permission on a directory to access files inside.

Apache accesses files not as root, but as another user, either httpd or www or www-apache or apache... Depends on your setup.

If the directory owner is root and group is root, without the world executable bit only root can access the files inside. Running `chmod +x public_html` should fix it.

chutz
  • Thanks for your answer. Based off your answer, I was curious if this was more of an ownership issue than a permission issue. So I researched, came across [this question](https://stackoverflow.com/q/5342956/) and fixed the issue with `chown my_user:nobody public_html`. Does this make sense to you? – Chris Happy Apr 23 '19 at 00:32
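
The directory search (`x`) rule described in the comments and the answer above can be checked for every directory on the way down to `public_html`. The script below is an added example, not code from anyone in this thread; the `www-data` account and the `public_html` path are assumed defaults, and it models only the classic owner/group/other bits (no ACLs, SELinux or capabilities).

```python
import os
import stat

def may_enter(st, uid, gids):
    """Return (permission class used, allowed) for entering a directory.

    Exactly one class applies: owner if the uid matches, else group if
    any gid matches, else other. Only that class's x bit is consulted,
    which is why 754 (r-- for other) blocks a stranger just like 750.
    uid 0 is treated as always allowed (simplification).
    """
    if uid == 0:
        return "root", True
    if st.st_uid == uid:
        return "owner", bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return "group", bool(st.st_mode & stat.S_IXGRP)
    return "other", bool(st.st_mode & stat.S_IXOTH)

def trace(path, uid, gids):
    """List (directory, class, allowed) for each directory from / down to path."""
    path = os.path.realpath(path)
    parts = [path]
    while os.path.dirname(parts[-1]) != parts[-1]:
        parts.append(os.path.dirname(parts[-1]))
    rows = []
    for d in reversed(parts):
        st = os.stat(d)
        if stat.S_ISDIR(st.st_mode):  # a final regular file is skipped
            rows.append((d, *may_enter(st, uid, gids)))
    return rows

def first_blocker(path, uid, gids):
    """First directory the given identity cannot enter, or None."""
    return next((d for d, _, ok in trace(path, uid, gids) if not ok), None)

if __name__ == "__main__":
    import pwd, sys
    # Assumed defaults: web server account "www-data", docroot "public_html".
    user = pwd.getpwnam(sys.argv[1] if len(sys.argv) > 1 else "www-data")
    target = sys.argv[2] if len(sys.argv) > 2 else "public_html"
    gids = set(os.getgrouplist(user.pw_name, user.pw_gid))
    for d, cls, ok in trace(target, user.pw_uid, gids):
        print(f"{'ok  ' if ok else 'DENY'} {cls:5} {stat.filemode(os.stat(d).st_mode)} {d}")
```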