
Yet another Apache 403 question I'm afraid, but the question here is a bit more specific. I gather that the error I'm encountering

(13)Permission denied: access to /~Rax/ denied (filesystem path '/Users/Rax/Sites') because search permissions are missing on a component of the path

can be fixed by giving execute permissions to every directory on the path to the User (_www) specified in /private/etc/apache2/httpd.conf. But this seems insane: it means _www has execute permissions for my home directory. Is this really the correct approach? Is there no way to reach the Sites folder by some kind of indirection ("skipping over" /Users/Rax/)?

  • Clearly `_www` needs these permissions for `Sites` so that Apache can serve from that directory, but requiring the same for `Rax`, **my** user directory, just doesn't sound right (or wise). – orome Feb 08 '14 at 04:05

1 Answer


This isn't fabricated by Apache — execute man 7 path_resolution on your system. The three ways around it are to make your home directory world-executable, make your home-directory group-executable and share a secondary group with your webserver userid, or move your content out of your home directory.

  • Yeah, I've been looking into it and it seems there's no way around it. I use the server on my machine for development, so what I've set up now is a script that does `chmod -v o+X /Users/Rax; sudo apachectl start` when I need the server and `chmod -v o-x /Users/Rax; sudo apachectl stop` when I'm done. – orome Feb 08 '14 at 15:08
  • And in any case, all that `+x` does for `/Users/Rax` is let others list the contents, right? So all I've done is let people see what everyone knows is there anyway (the standard Mac folders). Or can they browse further down into my files than would have been possible with `-x`? – orome Feb 08 '14 at 15:10
  • Yes, but you didn't need to worry about readability of files under there when you had -x, so it is not really something I would call harmless. – covener Feb 08 '14 at 15:17
  • Ah, so (naive question): with `o+x` a file in `/Users/Rax` that's `o+r` will be readable to `o`; whereas with `o-x` such a file would not have been accessible (regardless of its `r` status). Does the same (in reverse) apply to directories in `/Users/Rax`: if they're `o+x` but `/Users/Rax` is `o-x`, are they then *not* browsable? – orome Feb 08 '14 at 15:21
  • I think that's right, but probably not 100% reliable to keep someone out (e.g. if you knew more than the filename, without the ability to look at its directory). Preferably the stuff you expect to be unreadable is actually unreadable, but on a system you mostly trust you might just be relying on the perms on $HOME – covener Feb 08 '14 at 15:25
  • So I should look to the perms within `/Users/Rax` anyway to make sure there's not too much `o+x` or `o+r` (not to mention `o+w`). – orome Feb 08 '14 at 15:28
  • I've checked and everything (except lots of hidden config stuff I have no control over like `.Xcode`) is `drwx------`, so I assume giving `o+x` has "no" effect (other than being able to list the contents of `/Users/Rax`). – orome Feb 08 '14 at 15:31
  • o+x doesn't allow listing the contents of the folder, it's o+r that controls that. +x controls accessing items in the folder *if* they know the file/folder names. That is, setting o=r allows others to look at filenames but not touch anything, o=x doesn't let them look, but if they can guess/know the names they can get at files, and o=rx allows them to see names *and* touch what they can see. (And in all of these cases, access to subfolders is also restricted by the subfolder's permissions.) – Gordon Davisson Feb 08 '14 at 15:55
  • @GordonDavisson: So if I have `o+x` on `/Users/Rax`, what would `o` be able to do with something there with (a) `drwx------`, (b) `drwx---r--`, or (c) `drwx-----x`? – orome Feb 08 '14 at 16:09
  • @covener: Can you say a bit more about the option to "share a secondary group with your webserver userid" (which I presume is `_www`)? – orome Feb 08 '14 at 16:10
  • If /Users/Rax is `drwx-----x`, /Users/Rax/subdir was `drwx------`, then other users that cannot guess the name "subdir" can't do anything at all with it; other users that can guess/know the name subdir can see the folder's properties (e.g. its permissions) but not see into it at all. If subdir was `drwx-----x`, others who know/can guess the name "subdir" will be able to interact with files/subfolders only if they know/can guess *their* names. If subdir was `drwx---r--`, others who know/can guess the name "subdir" will be able to see the names of items under subdir, but not interact with them. – Gordon Davisson Feb 08 '14 at 17:36