apache UserDir

Hi there.
I have Apache 2.2 on my computer and I cannot use the UserDir directive.

I created a public_html dir in my home folder.
In /usr/local/etc/apache22/httpd.conf
I have
Code:
LoadModule userdir_module libexec/apache22/mod_userdir.so
and after that
Code:
# User home directories
Include etc/apache22/extra/httpd-userdir.conf

In /extra/httpd-userdir.conf
I have
Code:
# Settings for user home directories
#
# Required module: mod_userdir

#
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.  Note that you must also set
# the default access control for these directories, as in the example below.
#
UserDir public_html
UserDir disabled root toor daemon operator bin tty kmem games news man sshd bind proxy _pflogd _dhcp uucp pop www nobody mailnull smmsp 
#
# Control access to UserDir directories.  The following is an example
# for a site where these directories are restricted to read-only.
#
<Directory "/home/*/public_html">
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

but if I try in web browser
http://my.web.server/~user
I get
403 Forbidden
You don't have permission to access /~user on this server.

Can anyone tell me what I did wrong?

Thanks a lot
 
I believe by default FBSD apache server denies all.

I had to change my httpd.conf

Code:
Order deny,allow


Code:
Order allow,deny

And I think the line under that may say deny from all, I also changed that to allow from all.

Sorry, can't verify, FBSD box is currently off.

edit: Just noticed you are talking about user home directories, so not sure if the above will help.

edit: edit: Ok, time for a nap, saw you have allow from all in your conf. :D
 
Looks like a permissions problem to me. By default, apache22 runs as user www and group www. So your home directory needs to have the world read and execute bit set, as well as the public_html directory needs to have the same. Otherwise, apache can't get in to the proper directories. Also, make sure the read bit for world is set on the files in the public_html folder, or apache won't be able to read those either.
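
The permission chain discussed in this thread (search bit on every parent directory, read and search on public_html, read on the files inside) can be checked mechanically. The script below is an added example, not part of any post; it assumes Apache runs as www:www as stated above, the function names are hypothetical, and it goes slightly beyond the world-bit case by also honouring owner and group bits, which covers a `<userid>:www` layout.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Apache runs as www:www.

# class_bits <path> <web_user> <web_group>: print the rwx triplet that applies
# to the web server: owner bits if it owns the path, else group bits if the
# path's group is the web group, else the "other" (world) bits.
class_bits() {
    ls -ld "$1" 2>/dev/null | awk -v u="$2" -v g="$3" '{
        at = ($3 == u) ? 2 : (($4 == g) ? 5 : 8); print substr($1, at, 3) }'
}

# allows <triplet> <need>: need is x (traverse), rx (serve a directory) or
# r (read a file). Lowercase s/t in the last slot imply the execute bit.
allows() {
    case "$2:$1" in
        x:??[xst] | rx:r?[xst] | r:r??) return 0 ;;
    esac
    return 1
}

# report_blockers <docroot> <web_user> <web_group> <top>: one line per blocker.
report_blockers() {
    [ -d "$1" ] || echo "missing or unreachable: $1"
    anc=$(dirname "$1")
    while :; do    # parent directories need only the search (x) bit
        allows "$(class_bits "$anc" "$2" "$3")" x || echo "cannot traverse: $anc"
        if [ "$anc" = "$4" ] || [ "$anc" = "$(dirname "$anc")" ]; then break; fi
        anc=$(dirname "$anc")
    done
    find "$1" -type d 2>/dev/null | while IFS= read -r p; do
        allows "$(class_bits "$p" "$2" "$3")" rx || echo "cannot enter/list: $p"
    done
    find "$1" -type f 2>/dev/null | while IFS= read -r p; do
        allows "$(class_bits "$p" "$2" "$3")" r || echo "cannot read: $p"
    done
}

# audit_userdir <docroot> [web_user] [web_group] [top]: 0 when nothing blocks.
audit_userdir() {
    blockers=$(report_blockers "${1%/}" "${2:-www}" "${3:-www}" "${4:-/}")
    [ -z "$blockers" ] && return 0
    printf '%s\n' "$blockers"
    return 1
}
```

Called as `audit_userdir /usr/home/user/public_html`, no output and exit status 0 mean the mode bits are not what is producing the 403; it does not look at ACLs or at the Apache configuration.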
 
thanks guys it works now
I chown www:www to the public_html directory
and change order like Jeff suggested and it's working :)
 
Jeff said:
I believe by default FBSD apache server denies all.

I had to change my httpd.conf

Code:
Order deny,allow


Code:
Order allow,deny

And I think the line under that may say deny from all, I also changed that to allow from all.

Note that this is EXTREMELY dangerous if you are talking about this segment in httpd.conf:

Code:
<Directory />
    order deny,allow
    deny from all
</Directory>

Changing this to allow gives apache the "right" to access the entire file system, e.g. it could read passwd and other things if you're not running a jail. Neither source nor any other distribution changes this setting, and if you change it you have to know exactly what you are doing and be aware that you are opening a huge security hole to your server.
 
Also it should be noted that if you chown www:www the public_html directory, your users will not be able to place any files in the directory (unless you have the write bit turned on for the world, which is not advisable).

The solution I use on my servers is set up a separate directory in /usr called www. I then make a folder inside this directory for each user, and chown the directory to <userid>:www, and have all bits (rwx) unset for world. That way, the users (and only the users) can write content to their directories, and apache can read those files.

I don't use user directories, but rather I configure a virtualhost for each user. This not only allows you to control things like what users are able to have web content (you may not want all users to have a website), but you can also control things such as bandwidth limits via 3rd party tools.
 
gilinko said:
Note that this is EXTREMELY dangerous if you are talking about this segment in httpd.conf:

Code:
<Directory />
    order deny,allow
    deny from all
</Directory>

Changing this to allow gives apache the "right" to access the entire file system, e.g. it could read passwd and other things if you're not running a jail. Neither source nor any other distribution changes this setting, and if you change it you have to know exactly what you are doing and be aware that you are opening a huge security hole to your server.
How do you go about getting rid of the "permission denied" error if left at
Code:
order deny,allow
deny from all
in httpd.conf?
 
In each Directory or Location section you'd have to add an allow. Looks like you could modify the extra/httpd-userdir.conf <Directory> block to allow it. This is what you would need to modify:
Code:
<Directory "/home/*/public_html">
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
See the following docs for Limit blocks for what you would need to do: http://httpd.apache.org/docs/2.2/mod/core.html#limit
 
Jeff said:
How do you go about getting rid of the "permission denied" error if left at
Code:
order deny,allow
deny from all
in httpd.conf?

A very simple example is in the standard settings in httpd.conf

The first section is the above mentioned which should always be set to deny. Just below you have an entry for your "standard" web directory
Code:
<Directory "/usr/local/www/apache22/data">
....
order allow,deny
allow from all
</Directory>

This means that the apache server first finds the "deny from all" rule for the entire file system, then it reads that you do want to grant some access to a very specific portion of your file system. The way all permission settings should be done.

But more likely it is a problem with the file system permissions as suggested before (the www user). Chown your public_html directory to $USERNAME:www, and that should be enough.
 
Hi guys. I tried to figure out how to set my userdir. I modified the /usr/local/etc/apache22/extra/httpd-userdir.conf like this:
Code:
UserDir public_html
UserDir disabled root toor daemon operator bin tty kmem games news man sshd bind proxy _pflo$

<Directory "/home/user/public_html">
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </LimitExcept>
</Directory>
and the permissions for public_html are:
Code:
ls -al /usr/home/user/
total 36
drwxr-xr-x   8 user  wheel   512 Dec 27 12:17 .
drwx--x--x  15 root  wheel   512 Dec  9 13:59 ..
drwxrwxrwx   7 user  www     512 Nov 29 20:53 public_html
and still have
Code:
Forbidden
You don't have permission to access /~user on this server.
what can I do more?
 
cajunman4life said:
The solution I use on my servers is set up a separate directory in /usr called www. I then make a folder inside this directory for each user, and chown the directory to <userid>:www, and have all bits (rwx) unset for world. That way, the users (and only the users) can write content to their directories, and apache can read those files.

That is a very smart setup. It helps keep the real home dirs secure, and lets Apache read what it needs to read. I do the same thing with a lot of success. It's good to keep things like that separate. It's also better for backups.

You can always make a symlink in the user's homedir which points to their web root as well.
 
hirohitosan said:
Hi guys. I tried to figure out how to set my userdir. I modified the /usr/local/etc/apache22/extra/httpd-userdir.conf like this:
Code:
UserDir public_html
UserDir disabled root toor daemon operator bin tty kmem games news man sshd bind proxy _pflo$

<Directory "/home/user/public_html">
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </LimitExcept>
</Directory>
and the permissions for public_html are:
Code:
ls -al /usr/home/user/
total 36
drwxr-xr-x   8 user  wheel   512 Dec 27 12:17 .
drwx--x--x  15 root  wheel   512 Dec  9 13:59 ..
drwxrwxrwx   7 user  www     512 Nov 29 20:53 public_html
and still have
Code:
Forbidden
You don't have permission to access /~user on this server.
what can I do more?

What happens if you put a file in your directory called index.html and try to access it with a full path (e.g. http://www.example.com/~user/index.html)? If the html is shown, then the problem lies with apache not being allowed to list the files in that directory. Otherwise it's probably still a filesystem issue.

If you still have problems, please post the relevant data from the apache error_log, as a browser error message is not very informative.
 