Jim O. wrote:
What are the permissions for /usr/local/nginx ?
Hi -
Thanks for asking this question, because in trying to answer it I had to
carefully dig down a bit deeper into the subdirectories under
/usr/local/nginx … and I finally fixed the problem by:
- setting ‘r’ and ‘x’ permissions on /usr/local/nginx/html for the
‘world’ (‘other’) group
- setting ‘r’ permission on the *.html files in that directory
using the commands:
sudo chmod o+rx /usr/local/nginx/html
sudo chmod o+r /usr/local/nginx/html/*
Now I see “Welcome to nginx!” in my browser. Thanks.
===========================================================================
Gory details below for anyone who might be interested…
The permissions displayed on both servers are identical when doing ‘ls
-l /usr/local | grep nginx’:
$ ls -l /usr/local | grep nginx
drwxr-sr-x 8 root staff 4096 2008-11-26 21:23 nginx
…but doing ‘ls -l /usr/local/nginx’ on both servers showed that on the
bad server the html folder was missing ‘r’ and ‘x’ permissions for the
‘world’ (‘other’) group:
BAD-SERVER $ ls -l /usr/local/nginx
total 24
drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 client_body_temp
drwxr-sr-x 2 root staff 4096 2008-11-28 22:02 conf
drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 fastcgi_temp
drwxr-s--- 2 root staff 4096 2008-11-28 22:02 html
drwxr-sr-x 2 root staff 4096 2008-11-28 22:03 logs
drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 proxy_temp
GOOD-SERVER $ ls -l /usr/local/nginx
total 24
drwx--S--- 2 nobody staff 4096 2008-11-26 21:23 client_body_temp
drwxr-sr-x 2 root staff 4096 2008-11-27 16:56 conf
drwx--S--- 2 nobody staff 4096 2008-11-26 21:23 fastcgi_temp
drwxr-sr-x 6 root staff 4096 2008-11-27 15:11 html
drwxr-sr-x 2 root staff 4096 2008-11-28 04:57 logs
drwx--S--- 2 nobody staff 4096 2008-11-26 21:23 proxy_temp
Then I noticed weird output from ‘ls -l’ on the *.html files on the
server that shows the ‘403’ error. A bunch of ‘?’ are displayed instead
of permissions info, apparently meaning the current user doesn’t have
permission to view these files.
Going down to the lowest level (to view the *.html files), doing ‘ls -l
/usr/local/nginx/html’ on the server showing ‘403’ displays a bunch of
‘?’ instead of permissions info:
BAD-SERVER $ ls -l /usr/local/nginx/html
/usr/local/nginx/html:
total 0
?--------- ? ? ? ? ? /usr/local/nginx/html/50x.html
?--------- ? ? ? ? ? /usr/local/nginx/html/index.html
BAD-SERVER $ sudo ls -l html/*
-rw-r----- 1 root staff 383 2008-11-28 22:02 html/50x.html
-rw-r----- 1 root staff 151 2008-11-28 22:02 html/index.html
GOOD-SERVER $ ls -l /usr/local/nginx/html
total 8
-rw-r--r-- 1 root staff 383 2008-11-26 20:59 50x.html
-rw-r--r-- 1 root staff 151 2008-11-26 20:59 index.html
And doing ‘cat /usr/local/nginx/html/*’ on the “bad” server returned:
cat: /usr/local/nginx/html/50x.html: Permission denied
cat: /usr/local/nginx/html/index.html: Permission denied
I understand the basics but not the subtleties of permissions. Just now
I discovered an interesting detail about the need to set the ‘r’ and ‘x’
permissions for the ‘world’ (‘other’) group on all directories in the
path used by the webserver to access the *.html file(s):
======================================================================
http://wiki.debian.org/Permissions
Is there ever a place where you’d want “x” on a directory but not “r”?
Yes. This is useful when you want to allow people to get at files in a
directory if they happen to know the file’s name, but not to be able to
find out the names of the files. Also, it can be useful if you’re
setting up an anonymous upload place, and you don’t want people to be
able to see what others have uploaded until you have a chance to filter
out the undesirable files.
But the most common time you’ll see an “x” on a directory without its
“r” is when a user has a web site set up in her ~/public_html directory,
but doesn’t want her entire home directory to be visible to the world.
In order for Apache to get to the files in public_html, the home
directory has to be “x” (executable) for all users, and so does
public_html itself. So she might have it set up something like this:
drwxr-x--x 150 jane jane 19456 2005-03-11 10:29 /home/jane
drwxr-x--x 14 jane jane 5632 2005-02-11 08:48 /home/jane/public_html
-rw-r--r-- 1 jane jane 1226 2004-11-04 10:05 /home/jane/public_html/index.html
Now, other users on the system (outside of the “jane” group) can’t see
what files jane has in her home directory, and they can’t see what she
has in her public_html directory, but apache can open the index.html
file. (To recap, apache needs “x” permissions on all of the directories
leading up to the index.html file, and it needs “r” permission on the
file itself, in order to open it for reading.)
======================================================================
So on the “bad” server I set the ‘r’ and ‘x’ permissions for ‘world’ on
directory /usr/local/nginx/html:
$ cd /usr/local/nginx
/usr/local/nginx $ sudo chmod o+rx html
/usr/local/nginx $ ls -l
total 24
drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 client_body_temp
drwxr-sr-x 2 root staff 4096 2008-11-28 22:02 conf
drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 fastcgi_temp
drwxr-sr-x 2 root staff 4096 2008-11-28 22:02 html ## r-x set for ‘other’
drwxr-sr-x 2 root staff 4096 2008-11-28 22:03 logs
drwx--S--- 2 nobody staff 4096 2008-11-28 22:03 proxy_temp
And then I went into /usr/local/nginx/html and set the ‘r’ permission
for ‘world’ (‘other’) on both *.html files:
/usr/local/nginx $ cd html
/usr/local/nginx/html $ ls -l
total 8
-rw-r----- 1 root staff 383 2008-11-28 22:02 50x.html
-rw-r----- 1 root staff 151 2008-11-28 22:02 index.html
/usr/local/nginx/html $ sudo chmod o+r *
/usr/local/nginx/html $ ls -l
total 8
-rw-r--r-- 1 root staff 383 2008-11-28 22:02 50x.html
-rw-r--r-- 1 root staff 151 2008-11-28 22:02 index.html
I had to use ‘sudo’ because I’m not the owner or in the group for these
files/directories.
Maybe this had something to do with the user I was logged in as while
doing the nginx install - or maybe the nginx install itself was not
configured to set the permissions properly - but at any rate it’s
working now and I’m very happy to see “Welcome to nginx!” on my home
page.
Thanks.
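
A check for the rule quoted above from the Debian wiki (search permission on every directory in the path, read permission on the file itself), as an added example that is not part of the original post. It assumes the web server's worker user is neither the owner nor in the group of the files, so only the 'other' bits matter; the function names other_bits and check_world_path are made up for this example.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes the worker user is
# neither the owner nor in the group, so only the 'other' bits apply.
# ACLs and MAC policy (SELinux, AppArmor) are not considered.

# Print the 'other' triplet (e.g. "r-x") from the ls mode string.
other_bits() {
    ls -ld -- "$1" | cut -c8-10
}

# check_world_path FILE
# Prints NO_READ / NO_SEARCH lines for each blocking component.
# Returns 0 if nothing blocks, 1 if something does, 2 if FILE is missing.
check_world_path() {
    target=$1
    rc=0
    if [ ! -e "$target" ]; then
        echo "MISSING $target"
        return 2
    fi
    # The file itself needs 'r' for other.
    case $(other_bits "$target") in
        r??) ;;
        *) echo "NO_READ $target"; rc=1 ;;
    esac
    # Every directory above it needs 'x' (shown as 't' when sticky is set).
    dir=$(dirname -- "$target")
    while :; do
        case $(other_bits "$dir") in
            ??[xt]) ;;
            *) echo "NO_SEARCH $dir"; rc=1 ;;
        esac
        case $dir in
            /|.) break ;;
        esac
        dir=$(dirname -- "$dir")
    done
    return "$rc"
}

# Usage: sh check_world_path.sh /usr/local/nginx/html/index.html
if [ "$#" -gt 0 ]; then
    check_world_path "$1"
fi
```

Run it with sudo when the directory is one you cannot list yourself, because an unprivileged user cannot stat files under a directory that denies them search permission and the script would report the file as missing.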