Coding with Andrzej

It is always permissions

Configuring Apache really isn’t rocket science. There are a wealth of great tutorials online, the documentation is very well documented, and the defaults work more or less out of the box. But it’s one of those jobs that I do just infrequently enough that I always forget things in the interim, and end up making the same old mistakes.

And it almost always has to do with permissions.

So, I’m writing this post both as a means of christening this devlog (Hi! I’m Andrzej! Hire me!) and also as a reminder to myself that the home folder is not executable by default.

Please, Andrzej. Please. The next time you’re building a website, be it for a client or for yourself, and you find yourself scratching your head, wondering what error you may have made in the .confs, checking the permissions of your symlink again and again, ask yourself: is my symlink pointing to a directory in the home folder? Because Apache can’t open the home folder until you change the permissions!

What?

In Linux we open directories by ’executing’ them. A directory is an executable that maps part of the file-system for us. Now, by default, the home directory is only executable by its owner. This makes sense when you think about it – you don’t want your sister, or co-worker, or (more likely) whatever barely-audited application you’re installing today, to be able to open that directory. But you probably do want your webserver to be able to open it, especially if you are symlinking to it from /var/www or wherever.

There are lots of reasons why you’d want to deploy to the home directory of an unprivileged user. I do this exact same thing with Jenkins, and I wasted an hour troubleshooting this exact same problem when I set up that server too.

So, Andrzej of the future (did anyone non-ghoulish win an election yet?), for future reference, let’s say you’re deploying to /home/devlog/website:

  1. Add Apache to the ‘devlog’ user group.
sudo usermod -aG devlog www-data
  1. Change the permissions on /home/devlog to allow group members to open it.
sudo chmod 710 /home/devlog

IT’S THAT EASY.

Tags: