Apache 403 issues

whyre

*nix Geek
I'm using 10.3.6, attempting to set up the Personal Web Sharing with sym links to share some directories and files.

Specifically, I have some music under iTunes of my own creation I'd like to share. To the best of my understanding, the doc root is /Library/WebServer/Documents

I've created a sym link called music that points to /Users/whyre/Music/iTunes/iTunes Music/whyre.

Attempting to visit the music directory from another PC gives me a 403 access denied problem. So I chmod -R 755 ~/Music in hopes of eliminating the problem. No joy. I've successfully sym linked /tmp, and am able to browse from the web, as well as the default manual sym link pointing to the apache manual. There must obviously be some other layer of permission that I'm not seeing.

(oh, and I do not have file vault on)

Any direction is greatly appreciated :D
 
I remember doing exactly that a while ago.

What you need to make sure of is that every folder between / and your music files is a+rx. If ./iTunes Music/whyre is a+rx but the preceding iTunes/ folder is not, it won't work. That, unfortunately, includes /Users/whyre, which is slightly troublesome, but as long as the other sensitive folders like ~/Documents and ~/Library are o-rwx nobody will be able to see them.

Also, I'm not certain if this is a default in the Apache that comes with OS X, but often Apache won't allow directory listings. So if you don't have a DirectoryIndex file (specified in httpd.conf, by default index.html and/or index.php) in the folder being served you'll get a 403 message.

I'd suggest sticking an .htaccess file into your music library that reads simply:
Code:
Options +Indexes
first and see if that fixes your problem.

PS. Thanks for mentioning FileVault, since it would have made a difference, if enabled ;)

(hmm, my 1'666 th post ::evil:: )
 
I just did a check on my installation of Apache (2.0.52) and it does allow an index of a folder on my system.
 
michaelsanford said:
What you need to make sure of is that every folder between / and your music files is a+rx. If ./iTunes Music/whyre is a+rx but the preceding iTunes/ folder is not, it won't work. That, unfortunately, includes /Users/whyre, which is slightly troublesome, but as long as the other sensitive folders like ~/Documents and ~/Library are o-rwx nobody will be able to see them.

Okay, I'll give that a shot when I get back to my laptop. However, I do have a question on why a+rx flag must be set all the way down, when the ~/Sites directory works without ~ being a+rx? Is there something specially configured for ~/Sites that allows apache to display the contents?
 
Mine both are, and I haven't changed anything since I installed Panther:
drwxr-xr-x 6 amras amras 204 24 Nov 00:17 Sites
drwxr-xr-x 38 amras amras 1292 25 Nov 19:22 amras


Another example:
drwxrwxr-x 41 root admin 1394 21 Jun 2001 /Library
drwxrwxr-x 6 root admin 204 17 Nov 21:35 WebServer
drwxrwxr-x 37 root admin 1258 22 Sep 23:31 Documents

Think about it: Apache (www:www) is 'another user' as far as Darwin is concerned. I also assume you're not a member of the www group. So, as far as the permissions go, httpd is still 'another user' and unless you grant all other users read and search permissions, or repossess your folder to www, apache shouldn't be able to read it any more than any other user on your system.

All the superior folders have to be marked r-x also please if you can't read and search one of the folders higher in the hierarchy, you won't be able to see the folder nested within it.

If your system is configured differently, I'm at a loss to explain it. :D
 
michaelsanford said:
All the superior folders have to be marked r-x also please if you can't read and search one of the folders higher in the hierarchy, you won't be able to see the folder nested within it.

Ah, I understood what you were saying, but for some reason I was under the impression that a user could read a directory or file under another directory they could not read. I've created an experiment to test this to find this is not the case... maybe I was thinking of an ACL system or something...

I created a directory in my home called rootonly, with the following attributes:
Code:
drwx------  3 root root 72 2004-11-26 14:05 rootonly
then created a subdirectory under that directory called, allusers, with 777 permissions:
Code:
drwxrwxrwx  2 root root 48 2004-11-26 14:11 allusers

Any attempt by any other user than root to cd or ls the ~/rootonly/allusers resulted in:
Code:
$ ls -l rootonly/allusers
/bin/ls: rootonly/allusers: Permission denied

$ cd rootonly/allusers
cd: rootonly/allusers: Permission denied

However, if you simply add +x to the directory: (as root)
Code:
# chmod a+x rootonly
other users can then access the files or directories underneath it if they know the name, seeing as how you cannot ls the rootonly directory:
Code:
$ ls -l rootonly
/bin/ls: rootonly: Permission denied

$ ls -l rootonly/allusers
-rw-r--r--  1 whyre whyre 0 2004-11-26 14:16 userfile

So you only need to be able to execute the directory to access its contents, granted you know the name/path of the file/directory you wish to manipulate (granting also that your user has access)

I post this in hopes of helping anyone else who may be having difficulty understanding unix filesystem permissions. :cool:
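
The rule worked out in this thread, as an added example that is not part of any poster's message: the script below walks from a target directory up to / and lists every directory that lacks the search (x) bit for "other" users, the class Apache falls into when it runs as www and is neither the owner nor in the owning group. The function names and the script name check_path.sh are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find the directories on a path that
# users in the "other" class, such as the web server account, cannot search.

# other_bits PATH: print the three "other" permission characters, e.g. "r-x".
other_bits() {
    # ls -ld prints a mode string such as "drwxr-xr-x"; characters 8-10 are
    # the "other" class. -L follows a symlink to the directory it points at.
    ls -ldL -- "$1" | cut -c8-10
}

# blocked_components TARGET: print, top-down, every directory from / to TARGET
# that lacks the "other" search (x) bit. No output means the path is traversable.
# Run it as the owner or root so every component can be inspected.
blocked_components() {
    path=$1
    case $path in
        /*) ;;
        *) path=$PWD/$path ;;        # make relative paths absolute
    esac
    blocked=""
    while :; do
        if [ -d "$path" ]; then
            case $(other_bits "$path") in
                ??x|??t) ;;          # searchable; "t" is x plus the sticky bit
                *) blocked="$path
$blocked" ;;
            esac
        fi
        [ "$path" = "/" ] && break
        path=$(dirname "$path")
    done
    printf '%s' "$blocked"
}

# Usage: sh check_path.sh "/Users/whyre/Music/iTunes/iTunes Music/whyre"
if [ $# -gt 0 ]; then
    blocked_components "$1"
fi
```

Each directory it prints is one where a request through the symlink stops with a 403, regardless of how open the directories beneath it are.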
 