How to display custom ErrorDocument when permission to folder is denied?

Question

I'm trying to deny access to everything within a folder on a server (running Linux signature 4.14.117). I set chmod for that folder to 0700:

and it worked fine (by denying access.)

Although now, instead of my own 403.php error page, that is defined in my .htaccess that is located in the root, I get this when I try to access anything within that folder:

Forbidden You don't have permission to access this resource.Server unable to read htaccess file, denying access to be safe

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

I tried adding a shorter version of .htaccess to that folder and by setting its access to 0644 but it doesn't seem to change anything. Here's what was in that .htaccess:

Redirect 301 / https://example.com/blog

# Define priority of which index file is used first
DirectoryIndex index.php index.htm index.html

# Error pages:
ErrorDocument 401 /401.php
ErrorDocument 403 /403.php
ErrorDocument 404 /404.php
ErrorDocument 500 /500.php

What's the way to display my custom 403.php page in this case?

What user owns the file? What user does the web server run as? — Alex Howansky, Jan 02 '20 at 01:27
@AlexHowansky it's a shared web-hosting account. And all those files are owned/created by my logged-in user — c00000fd, Jan 02 '20 at 01:30

Alex Howansky · Answer 1 · 2020-01-02T01:51:07.477

Apache is trying to load an .htaccess file from that subdir, but your permissions have forbidden it from even looking. You could chmod 755 on the dir and then chmod 600 on all the files, so you have something like this:

0700 dir/
0600 dir/denied_file_1
0600 dir/denied_file_2

Or put in an .htaccess that denies everything:

0700 dir/
0644 dir/.htaccess
0600 dir/denied_file_1
0600 dir/denied_file_2

But if your goal simply is to outright deny all web access to a subfolder, then your best bet is always going to be moving the folder outside the web server's document root. This way, you are immune to mistakes in configuration and permissions.

[UPDATE]

Well, that folder will contain templates for my blog posts. I don't want them to be accessible (directly) via the web, but I need them to be readable from within my .php script. That was the goal.

That's fine. PHP can still read files that are outside the web root even though Apache can't. For example:

/path/to/your/dir/
/path/to/your/dir/src/ <-- put your library files here
/path/to/your/dir/public/  <-- point web server doc root here
/path/to/your/dir/public/index.php
/path/to/your/dir/templates/
/path/to/your/dir/templates/foo.template
/path/to/your/dir/templates/bar.template

As for changing perms on each file, it sounds kinda tedious and easy to miss.

Precisely why it's always better to put them outside the doc root.

Well, that folder will contain templates for my blog posts. I don't want them to be accessible (directly) via the web, but I need them to be readable from within my `.php` script. That was the goal. As for changing perms on each file, it sounds kinda tedious and easy to miss. — c00000fd, Jan 02 '20 at 01:46

How to display custom ErrorDocument when permission to folder is denied?

1 Answers1