# apache UserDir



## hirohitosan (Nov 29, 2008)

Hi there.
I have Apache 2.2 on my computer and I cannot use the UserDir directive.

I created a public_html dir in my home folder.
In /usr/local/etc/apache22/httpd.conf
I have

```
LoadModule userdir_module libexec/apache22/mod_userdir.so
```
and after that

```
# User home directories
Include etc/apache22/extra/httpd-userdir.conf
```

In /extra/httpd-userdir.conf
I have

```
# Settings for user home directories
#
# Required module: mod_userdir

#
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.  Note that you must also set
# the default access control for these directories, as in the example below.
#
UserDir public_html
UserDir disabled root toor daemon operator bin tty kmem games news man sshd bind proxy _pflogd _dhcp uucp pop www nobody mailnull smmsp 
#
# Control access to UserDir directories.  The following is an example
# for a site where these directories are restricted to read-only.
#
<Directory "/home/*/public_html">
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
```

but if I try in web browser 
http://my.web.server/~user
I get 


> 403 Forbidden
> You don't have permission to access /~user on this server.



Can anyone tell me what I did wrong?

Thanks a lot


----------



## Djn (Nov 29, 2008)

Does the user apache runs under (www and group www, I believe) have access rights to the ~username/public_html folder?


----------



## Jeff (Nov 29, 2008)

I believe by default FBSD apache server denies all.

I had to change my httpd.conf 


```
Order deny,allow
```



```
Order allow,deny
```

And I think the line under that may say deny from all, I also changed that to allow from all.

Sorry, can't verify, FBSD box is currently off.

edit: Just noticed you are talking about user home directories, so not sure if the above will help.

edit: edit: Ok, time for a nap, saw you have allow from all in your conf.


----------



## cajunman4life (Nov 29, 2008)

Looks like a permissions problem to me. By default, apache22 runs as user www and group www. So your home directory needs to have the world read and execute bit set, as well as the public_html directory needs to have the same. Otherwise, apache can't get in to the proper directories. Also, make sure the read bit for world is set on the files in the public_html folder, or apache won't be able to read those either.


----------



## DutchDaemon (Nov 29, 2008)

-- obsoleted --


----------



## hirohitosan (Nov 29, 2008)

Thanks guys, it works now.
I chowned the public_html directory to www:www
and changed the order like Jeff suggested, and it's working.


----------



## gilinko (Nov 29, 2008)

Jeff said:

> I believe by default FBSD apache server denys all.
> 
> I had to change my httpd.conf
> 
> ...



Note that this is EXTREMELY dangerous if you are talking about this segment in httpd.conf:


```
<Directory />
    order deny,allow
    deny from all
</Directory>
```

Changing this to allow gives apache the "right" to access the entire file system, e.g. it could read passwd and other things if you're not running a jail. Neither source nor any other distribution changes this setting, and if you change it you have to know exactly what you are doing and be aware that you are opening a huge security hole to your server.


----------
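An added example, not code from any poster in this thread: a small Python audit of the point made above, flagging a config whose `<Directory />` block admits every client under Apache 2.2 `Order` semantics. The function names are hypothetical, only `from all` rules written directly inside a `<Directory>` block are evaluated, and the two sample configs are constructed from the snippets quoted in the thread.

```python
import re

SECTION = re.compile(r"<\s*(/?)\s*(\w+)\s*([^>]*)>")

def directory_policies(conf_text):
    """Map each <Directory> path to the Order/Allow/Deny lines directly in it."""
    policies, stack = {}, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION.match(line)
        if m:
            closing, name = m.group(1), m.group(2).lower()
            arg = m.group(3).strip().strip('"')
            if closing:
                if stack:
                    stack.pop()
                continue
            stack.append((name, arg))
            if name == "directory":
                policies.setdefault(arg, {"order": "deny,allow", "allow": [], "deny": []})
            continue
        if not stack or stack[-1][0] != "directory":
            continue  # skip server-level lines and method-scoped <Limit> bodies
        words = line.lower().split()
        pol = policies[stack[-1][1]]
        if words[0] == "order":
            pol["order"] = "".join(words[1:])
        elif words[0] in ("allow", "deny") and words[1:2] == ["from"]:
            pol[words[0]] += words[2:]
    return policies

def root_is_open(conf_text):
    """True if <Directory /> lets every client in (Apache 2.2 Order semantics)."""
    default = {"order": "deny,allow", "allow": [], "deny": []}  # no block at all
    pol = directory_policies(conf_text).get("/", default)
    allow_all, deny_all = "all" in pol["allow"], "all" in pol["deny"]
    if pol["order"] == "allow,deny":
        return allow_all and not deny_all  # default deny; Deny wins a tie
    return allow_all or not deny_all       # default allow; Allow wins a tie

# Constructed samples: the stock block quoted in the thread, and the same
# block after the Order/Allow change discussed in the thread.
STOCK = "<Directory />\n    order deny,allow\n    deny from all\n</Directory>\n"
LOOSENED = "<Directory />\n    Order allow,deny\n    Allow from all\n</Directory>\n"

if __name__ == "__main__":
    for name, conf in (("stock", STOCK), ("loosened", LOOSENED)):
        print(name, "-> root open to all clients:", root_is_open(conf))
```

A config with no `<Directory />` block at all is also reported as open, because Apache 2.2's default access for the root directory is allow from all.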



## cajunman4life (Nov 29, 2008)

Also it should be noted that if you chown www:www the public_html directory, your users will not be able to place any files in the directory (unless you have the write bit turned on for the world, which is not advisable).

The solution I use on my servers is to set up a separate directory in /usr called www. I then make a folder inside this directory for each user, and chown the directory to <userid>:www, and have all bits (rwx) unset for world. That way, the users (and only the users) can write content to their directories, and apache can read those files.

I don't use user directories, but rather I configure a virtualhost for each user. This not only allows you to control things like what users are able to have web content (you may not want all users to have a website), but you can also control things such as bandwidth limits via 3rd party tools.


----------
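An added example, not code from any poster in this thread: a Python check of the filesystem requirement cajunman4life describes in both posts above, walking every directory from `/` down to the web root and reporting where the server account is blocked and where content is world-writable. The function names are hypothetical, only classic owner/group/other mode bits are examined (no ACLs), and the account name `www` is taken from the thread.

```python
import os
import stat
import sys

def applicable_bits(st, uid, gids):
    """Return the rwx triplet (0-7) that applies to this uid and set of gids."""
    if st.st_uid == uid:            # owner class wins even if it grants less
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit_web_path(target, uid, gids):
    """Check every component from / down to target for the given identity.

    Returns (kind, path, mode) tuples: "blocked" where the identity lacks the
    bits it needs, "world-writable" where any local user can modify content.
    """
    target = os.path.realpath(target)
    chain, p = [target], target
    while os.path.dirname(p) != p:  # collect ancestors up to the root
        p = os.path.dirname(p)
        chain.append(p)
    findings = []
    for path in reversed(chain):
        st = os.stat(path)
        mode = stat.filemode(st.st_mode)
        if path != target:
            need = 1                # --x: traverse an ancestor directory
        elif stat.S_ISDIR(st.st_mode):
            need = 5                # r-x: enter and list the web root
        else:
            need = 4                # r--: read a served file
        if (applicable_bits(st, uid, gids) & need) != need:
            findings.append(("blocked", path, mode))
        # Sticky directories such as /tmp are world-writable by design.
        if (st.st_mode & stat.S_IWOTH) and not (st.st_mode & stat.S_ISVTX):
            findings.append(("world-writable", path, mode))
    return findings

if __name__ == "__main__":
    import grp, pwd
    # Assumption: the server account is "www", as stated in the thread.
    who = pwd.getpwnam(sys.argv[2] if len(sys.argv) > 2 else "www")
    gids = {who.pw_gid} | {g.gr_gid for g in grp.getgrall() if who.pw_name in g.gr_mem}
    for kind, path, mode in audit_web_path(sys.argv[1], who.pw_uid, gids):
        print(f"{kind:15} {mode} {path}")
```

Run it as `python3 script.py /usr/home/user/public_html www`; an empty result means the mode bits alone do not explain a 403.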



## Jeff (Nov 30, 2008)

gilinko said:

> Note that this is EXTREMELY dangerous if you are talking about this segment in httpd.conf:
> 
> ```
> ...
> ```


How do you go about getting rid of the "permission denied" error if left at 

```
order deny,allow
deny from all
```
in httpd.conf?


----------



## brd@ (Nov 30, 2008)

In each Directory or Location section you'd have to add an allow. Looks like you could modify the extra/httpd-userdir.conf <Directory> block to allow it. This is what you would need to modify:

```
<Directory "/home/*/public_html">
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>
```
See the following docs for Limit blocks for what you would need to do: http://httpd.apache.org/docs/2.2/mod/core.html#limit


----------



## gilinko (Nov 30, 2008)

Jeff said:

> How do you go about getting rid of the "permission denied" error if left at
> 
> ```
> order deny,allow
> ...
> ```



A very simple example is in the standard settings in httpd.conf.

The first section is the above mentioned, which should always be set to deny. Just below you have an entry for your "standard" web directory

```
<Directory "/usr/local/www/apache22/data">
....
order allow,deny
allow from all
</Directory>
```

This means that the apache server first finds the "deny from all" rule for the entire file system, then it reads that you do want to grant some access to a very specific portion of your file system. The way all permission settings should be done.

But more likely it is a problem with the file system permissions as suggested before (the www user). Chown your public_html directory to $USERNAME:www, and that should be enough.


----------



## hirohitosan (Dec 27, 2008)

Hi guys. I tried to figure out how to set my userdir. I modified the /usr/local/etc/apache22/extra/httpd-userdir.conf like this:

```
UserDir public_html
UserDir disabled root toor daemon operator bin tty kmem games news man sshd bind proxy _pflo$

<Directory "/home/user/public_html">
    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    <Limit GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </Limit>
    <LimitExcept GET POST OPTIONS>
        Order allow,deny
        Allow from all
    </LimitExcept>
</Directory>
```
and the permissions for public_html are:

```
ls -al /usr/home/user/
total 36
drwxr-xr-x   8 user  wheel   512 Dec 27 12:17 .
drwx--x--x  15 root  wheel   512 Dec  9 13:59 ..
drwxrwxrwx   7 user  www     512 Nov 29 20:53 public_html
```
and still have

```
Forbidden
You don't have permission to access /~user on this server.
```
What more can I do?


----------



## Pushrod (Dec 31, 2008)

cajunman4life said:

> The solution I use on my servers is to set up a separate directory in /usr called www. I then make a folder inside this directory for each user, and chown the directory to <userid>:www, and have all bits (rwx) unset for world. That way, the users (and only the users) can write content to their directories, and apache can read those files.



That is a very smart setup. It helps keep the real home dirs secure, and lets Apache read what it needs to read. I do the same thing with a lot of success. It's good to keep things like that separate. It's also better for backups.

You can always make a symlink in the user's homedir which points to their web root as well.


----------



## gilinko (Jan 1, 2009)

hirohitosan said:

> Hi guys. I tried to figure out how to set my userdir. I modified the /usr/local/etc/apache22/extra/httpd-userdir.conf like this:
> 
> ```
> UserDir public_html
> ...
> ```



What happens if you put a file in your directory called index.html and try to access it with a full path (e.g. http://www.example.com/~user/index.html)? If the html is shown, then the problem lies with apache not being allowed to list the files in that directory. Otherwise it's probably still a filesystem issue.

If you still have problems, please post the relevant data from the apache error_log, as a browser error message is not very informative.


----------

