apache2, user www-data is in group of personal account, but access is still forbidden

Stanislav Hosek

5/3/24, 2:10 PM

after apache2 install, I added this user www-data to the group of personal account hosek.

root@hp:~# groups www-data 
www-data : www-data hosek
root@hp:~#

Group permissions to DocumentRoot folder are OK.

hosek@hp:/home$ ls -la
total 12
drwxr-xr-x  3 root  root  4096 kvě  1 23:13 .
drwxr-xr-x 20 root  root  4096 kvě  1 22:32 ..
drwxr-x--- 24 hosek hosek 4096 kvě  3 15:53 hosek
hosek@hp:/home$

But when I access site, it shows me Forbidden. Why?

Just note, when I set x for others on hosek folder, it works. But it should work in 1st case?

Thanks.

UPDATE

What is best practice in case you want website data in specific folder? About security related to /var/www/html/ via ssh, read level-up folders is possible, for example you can see files in /var or in /.

How can I restrict this browsing folder on level-up related to ssh connection? It is good practice? And really only this way? https://www.cyberciti.biz/faq/debian-ubuntu-restricting-ssh-user-session-to-a-directory-chrooted-jail/

Maybe some complete manual would be very useful?

Thank you.

127

0 + 5

permissions

apache2

Thomas Ward

5/3/24, 2:15 PM

For security reasons I'm going to direct you to https://askubuntu.com/questions/767504/permissions-problems-with-var-www-html-and-my-own-home-directory-for-a-website/767534#767534 which explains how to *not* use your home directory for access to site data, etc. but *not* have things in your home dir. Not to plug my own answer, but it's *safer* to not run things in your home directory space and just give yourself permissions elsewhere to access your website files (in `/var/www/` space for instance as my answer explains)

Stanislav Hosek

5/3/24, 2:54 PM

OK, in case I have all data in home folder (backup reason - because in past I forgot on `/var/www/html/` folder due reinstallation and I lost actual website data), what is best practice? Create `ln` from `home` to `/var/www/html`? Thanks.

waltinator

5/3/24, 7:05 PM

Did you Logout/Login after you made the changes to groups? Group membership is handled by `login`.

waltinator

5/4/24, 1:55 PM

Comments are designed for US to ask YOU questions about your Question. You should [Edit] your question to add information. By updating your Question, and using the formatting buttons, you make all the information available to new readers. People shouldn't have to read a long series of comments to get the whole story. AskUbuntu is a Question and Answer site, not a conversation site. If you have an update, [edit] your Question. If you have a new question, see [Ask].

Stanislav Hosek

5/4/24, 2:21 PM

@waltinator Yes, I did, same situation.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: apache2, user www-data is in group of personal account, but access is still forbidden

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.