Managing permissions to prevent "Forbidden" error with Web Sharing


Written by Topher Kessler

Depending on your account setup, or small modifications you may have made to your home folder, you may prevent people from seeing any local Web sites you are hosting through the Web Sharing service. When this happens, your computer issues a "Forbidden" error instead of showing the requested Web page.

Apple discussion poster "Dan Vendel" writes:

"Have always accessed my own folder 'Sites' through localhost: 'http://127.0.0.1/~username/'. But now I'm denied access: 'Forbidden You don't have permission to access /~username/ on this server.' I checked permission on my "Sites" folder and they're saying that I do have permissions: 'username(Me) -> Read & Write'."

When this happens, you will need to set up permissions for the folders themselves, since this is how the system designates visibility of files to all users and processes. In this case, the system process "httpd" cannot read from your local "Sites" folder with the given user credentials. This may happen even though you can open and access files from that folder locally.

When a browser sends Web page requests to the "httpd" process, it does so anonymously by default. As such, any Web files you want to be displayed in browsers must be readable by the "Everyone" group in your system. Since the system is set up to read from the root of your home folder by default, you will need to ensure both the home folder and the folder containing the Web site can be accessed by this "Everyone" group.

To fix this problem, get information on your home directory and ensure the "everyone" group has "Read only" access. While doing this will allow anyone to view the contents of your home directory, this access will be view-only and will be limited to the topmost level of your home folder: the home folder itself, and not any personal folders (such as Documents, Desktop, and Music), which should be set to "No Access" for the "everyone" group. This is how accounts are set up by default, so you can easily share items with other local accounts and network users via designated folders (Public and Sites).

After ensuring your home folder is readable, do the same with your "Sites" folder, and this time use the gear menu at the bottom of the information window to "Apply to enclosed items," which will ensure that all Web site files and subfolders are readable as well.

After doing this, Web sites should be functional again.
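As an added example (not part of the original article), the following shell functions run the same checks from the Terminal: they report where the "everyone" class lacks the access httpd needs, and which personal folders are open when they should be "No Access". The function names, the list of personal folders, and the temporary demo home folder are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the article. Checks POSIX mode bits only;
# ACLs and Apache's own access rules are not examined.

# has_other_bits PATH OCTAL: true if PATH grants "everyone" (other) every bit in OCTAL.
has_other_bits() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# web_blockers HOME SITE: print each item that would make httpd answer "Forbidden".
web_blockers() {
    # httpd must be able to enter the home folder (x) to reach the site folder.
    has_other_bits "$1" 001 || echo "no-traverse: $1"
    # In the site: folders need r-x, files need r ("Apply to enclosed items").
    find "$1/$2" \( -type d ! -perm -005 -o -type f ! -perm -004 \) -print 2>/dev/null |
        sed 's/^/unreadable: /'
}

# exposed_private HOME: print personal folders "everyone" can access at all;
# the article says these should be "No Access". The folder list is an assumption.
exposed_private() {
    for name in Documents Desktop Music Movies Pictures Library; do
        [ -d "$1/$name" ] || continue
        if has_other_bits "$1/$name" 004 || has_other_bits "$1/$name" 002 ||
           has_other_bits "$1/$name" 001; then
            echo "exposed: $1/$name"
        fi
    done
}

# make_demo_home: build a constructed home folder with three deliberate faults.
make_demo_home() {
    h=$(mktemp -d "${TMPDIR:-/tmp}/demohome.XXXXXX") || return 1
    mkdir -p "$h/Sites/css" "$h/Documents" "$h/Desktop"
    echo '<h1>test</h1>' > "$h/Sites/index.html"
    chmod 644 "$h/Sites/index.html"
    chmod 755 "$h/Sites" "$h/Desktop"        # Desktop is wrongly exposed
    chmod 700 "$h/Sites/css" "$h/Documents"  # css subfolder is unreadable
    chmod 700 "$h"                           # home blocks httpd entirely
    echo "$h"
}

demo=$(make_demo_home)
web_blockers "$demo" Sites
exposed_private "$demo"
rm -rf "$demo"
```

On a real account, call `web_blockers "$HOME" Sites` and `exposed_private "$HOME"`; no output from either means the mode bits match the layout described above.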

FileVault considerations

This problem may also happen if you enable FileVault, since home folder permissions are changed when the home folder is encrypted in a disk image. The security of the methods for enabling this on FileVault-enabled accounts is debated, but one that works without enabling read access for the "everyone" group is discussed in this article at MacOSXHints.com.

The best solution to avoid punching holes in FileVault's security is to set up publicly shared resources in folders outside of your protected home folder, and then change the Apache configuration files to point to the new folder. This can be done in a variety of ways, but one that works is to change the default sites location for all users as follows:

First create a "Websites" folder at the root of your drive (next to the "System" and "Users" directories), and then ensure the "everyone" group has "Read only" permissions for the folder. Then create a new folder within this one and name it the same as your short account name. This can be done in the Finder or in the Terminal with the following command (run from the current user account for which you are creating the Web site folder):

    mkdir /Websites/$USER

Place your Web sites and support files in this new folder (copy them from your "Sites" folder), and then edit the Apache Web server configuration file to point to this new directory:

  1. Open the Terminal.
  2. Open the user Apache configuration file:

    sudo nano /private/etc/apache2/users/httpd-userdir.conf

  3. Change the "UserDir Sites" line to "UserDir ../../Websites/$USER"
  4. Press Control-O and then "Y" to confirm saving the file.
  5. Press Control-X to close the editor.

After this is done, restart Web Sharing by turning it off and back on in the "Sharing" system preferences, and now your Web site should load from the new /Websites/username/ folder. For additional system users, just create a new folder in /Websites/ that is the same name as their account name (using the "mkdir" Terminal command as described above will work), change the "everyone" permissions, and place personal Web content in that folder.



Topher has been an avid Mac user for the past 10-15 years, and has been a contributing author to MacFixIt for just over a year now. One of his diehard passions has been troubleshooting Mac problems and making the best use of Macs and Apple hardware both for family and friends, as well as in the workplace. He and the newly formed MacFixIt team are hoping to bring enhanced and more personable content to our readers, and keep the MacFixIt community going here at CNET. If you have questions or comments for Topher or the other MacFixIt editors, feel free to contact us at http://www.macfixit.com/contact
