Setting up Apache permissions properly

Question

Here's my understanding of the correct way to set up website permissions:

• Ownership of all directories and files in /home/website is website:website
• All directories are 0750
• All files are 0640
• apache is a member of the group "website" (as one of apache's secondary groups)

But it isn't working- I'm getting 403 errors with (13)Permission denied: /home/website/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable.

Not sure what is going on, as apache should be able to read everything, since it is in the "website" group.

One other thing of note is that there is no .htaccess in /home/website; it is in /home/website/public_html, so I'm not even really sure what is going on with the logs (The VirtualHost does point to the public_html directory).

Any ideas? If I set everything to 755/644 it works, but that is what I'm trying to avoid. This seems to indicate apache isn't actually in the "website" group, but I checked Webmin many times; "website" is in fact one of apache's secondary groups.

Thanks everyone.

Answer 1

/home/website needs to be searchable (executable) by the httpd userid. Apache is failing to search for the existence of an htaccess file because it's missing those bits.

Described in detail here: https://wiki.apache.org/httpd/13PermissionDenied

Answer 2

And did you update your Apache config to set the runtime group to 'website' (/etc/apache2/uid.conf on the machine in front of me) then restart it?

(Personally I usually give my webserver access to files as 'other' which simplifies deployment. Do you have users on your system who are not allowed to see the webserver files?)