Fixing Apache (13)Permission denied: access to / 403 Forbidden

Every so often I run into a 403 Forbidden response when I'm setting up something in Apache, checking the log files will yield something like:

(13)Permission denied: access to /

There are a few things that could be the problem:

Make sure it's not denied by Apache

Most apache Configurations have something like this in there:

<Directory />
    Order deny,allow
    Deny from all
</Directory>

The above will block access to all files. You should also see something like this:

<Directory /path/to/webroot>
    Order allow,deny
    Allow from all
</Directory>

So if you have created a VirtualHost or an Alias that does not fall under this /path/to/webroot apache will have denied access to it. The solution in that case is to add another Directory entry in your httpd.conf to allow access to that directory.

Make sure Apache has Read, Execute Permissions

The next thing to check is that Apache has read and execute permission (rx) on directories and read permission on files. You can run chmod 750 /dir (to give -rwxr-x--- permission) or chmod 755 /dir (to give -rwxr-xr-x permission), etc.

Make sure that the Directory Above has Execute Permission

This is the one that tends to get me. Suppose you are creating an Alias like this:

Alias /foo /tmp/bar/foo

Now you have made sure that apache can read and execute /tmp/bar/foo by running chmod 755 /tmp/bar/foo, but you also need to give Apache execute permission to /tmp/bar/ otherwise it cannot traverse the sub directory foo.

If Running Security Enhanced Linux (SELinux)

Another possibility for this error is that you are running SELinux (Security Enhanced Linux), in which case you need to use chcon to apply the proper security context type to the directory (and files within it).

First you should check to see if your linux server has SELinux enabled, and if so if it is configured in enforcing mode. To do this run:

sestatus

On a server with SELinux enabled and enforcing the output of sestatus might look something like this:

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

Here's an error message cause by this:

(13)Permission denied: [client ::1:44624] AH00035: access to /index.html denied (filesystem path '/www/default/wwwroot/index.html') because search permissions are missing on a component of the path

Now to fix this we just need to apply the httpd_sys_content_t SELinux type to our web root and the files under it. We can do this recursively by running:

chcon -R -t httpd_sys_content_t -u system_u /www/default/wwwroot/