
mac65

macrumors member
Original poster
Mar 31, 2009
57
9
Munich, Germany
I have a strange effect on 10.11.1 that doesn't occur on my other Mac running 10.10.5:

When I add a virtual host, no matter via a different port or with a different host name, I get the error msg:

(13)Permission denied: ... AH00035: access to ... denied ... because search permissions are missing on a component of the path

Here's how the host is declared:

Code:
<VirtualHost *:80>
    DocumentRoot "/Development/mysite/public"
    ServerName mysite.local
    <Directory "/Development/mysite/public">
        Options All
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

Of course, the path exists and is readable (i.e. folder permissions are 755 and files inside are 644).
There are no special ACLs set (checked with "ls -lae").

However, if I change the path from "/Development/mysite/public" to "/Library/WebServer/Documents", then it works, i.e. no more permission errors.
Same if I move my entire folder to "/Library/WebServer/mysite" and change the paths in the config accordingly, even if I leave the ownership of the folder to my normal user and the admin group (501:80).
And, as already said, the very same setup (same httpd.conf, same folder structure) works without this issue on 10.10.5.

So, somehow, the web server doesn't seem to get access to any files outside the /Library/WebServer folder. I wonder if that's also part of the new rootless changes, but I cannot find anything on the web on this particular issue.

Does anyone have an idea what's going on here and how to make this work?
 

treekram

macrumors 68000
Nov 9, 2015
1,849
411
Honolulu HI
I don't think you have a SIP issue. /Development doesn't sound like a directory SIP would care about. I didn't have this directory on my machine. I have SIP enabled. As root, I created the directory structure "/Development/mysite/public". Nothing seemed amiss. I would check to make sure the permissions are the same as your 10.10.5 machine for each of the component directories leading up to /Development/mysite/public. If you don't have execute permission on, say, mysite, you won't be able to read any files in /Development/mysite/public even though you have 755 permission on public and 644 on the files. Other than that, probably check Apache support sites.
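The per-component check described in the post above, as an added example that is not part of the original thread: it walks every directory from / down to the target and reports those where a given uid/gid (for instance the httpd "User"/"Group") lacks search (x) permission. It evaluates classic mode bits only, not ACLs or SIP; the function names and the command-line arguments are assumptions of this example.

```python
import os
import stat

def class_bits(st, uid, gids):
    """Return the rwx triplet (0-7) that applies to uid/gids for this inode."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7   # owner class wins, even if it is weaker
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7   # group class
    return st.st_mode & 7              # everyone else

def blocked_components(path, uid, gids):
    """List (directory, mode string) pairs where uid lacks search permission.

    Every directory on the way to the target must grant x to the user the
    web server runs as; a 755 leaf does not help if a parent is 750 or 700.
    """
    current = os.path.realpath(path)   # resolve symlinks such as /tmp on macOS
    parts = []
    while True:
        parts.append(current)
        parent = os.path.dirname(current)
        if parent == current:          # reached the filesystem root
            break
        current = parent
    blocked = []
    for comp in reversed(parts):       # report from / downwards
        st = os.stat(comp)
        if not stat.S_ISDIR(st.st_mode):
            continue                   # a file needs r, not x
        if uid != 0 and not class_bits(st, uid, gids) & 1:
            blocked.append((comp, stat.filemode(st.st_mode)))
    return blocked

if __name__ == "__main__":
    import sys
    # Assumed usage: script.py <path> <uid> <gid>, with the numeric ids of the
    # account named in httpd.conf (look them up with `id _www`).
    target, uid, gid = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    for comp, mode in blocked_components(target, uid, {gid}):
        print(f"{mode}  {comp}  <- no search permission for uid {uid}")
```

Running it once with the web server's ids and once with your own login's ids shows why a folder you can browse yourself may still be closed to the server process.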
 

mac65

macrumors member
Original poster
Mar 31, 2009
57
9
Munich, Germany
I solved the issue by editing httpd.conf, changing the "User" and "Group" from "_www" to my user name and "admin" (and then issuing 'sudo apachectl graceful').
 

leman

macrumors Core
Oct 14, 2008
19,522
19,679
You should also check if all the components of the path have proper permissions set.
 

mac65

macrumors member
Original poster
Mar 31, 2009
57
9
Munich, Germany
> You should also check if all the components of the path have proper permissions set.

Yeah. That is about as useful as saying "make sure you are not making any mistakes".
Also, I already mentioned permissions in my posting.
 

leman

macrumors Core
Oct 14, 2008
19,522
19,679
> Yeah. That is about as useful as saying "make sure you are not making any mistakes".
> Also, I already mentioned permissions in my posting.

True, but it was not clear whether you only checked permissions on the target path or also on every component of that path. Anyway, sorry if my idea was not helpful.
 

mac65

macrumors member
Original poster
Mar 31, 2009
57
9
Munich, Germany
If a parent folder's permissions were not right, I would not even be able to look into its subfolders; that's why I thought your advice was moot. I may be wrong, though. Clearly, something is screwed up with the permissions, after all.
 