Permissions Issues (403 Access Denied)

When you publish web content, it will probably live in your home directory. The web server needs permission to read your files, or it will return "403 Access Denied" errors. Since your home directory is in AFS, access is controlled by AFS ACLs, and normal UNIX permissions are irrelevant.

For instance, if you get a 403 error serving ~/public_html/otherdir/page.html, you might run this to see what's up:

$ fs listacl ~/public_html/otherdir
Access list for /afs/hcoop.net/user/y/yo/you/public_html/otherdir is
Normal rights:
  system:administrators rlidwka
  system:anyuser l
  you rlidwka

Oops! Apache only matches the "system:anyuser" principal, so it only gets the "l" (= "list") permission and can only list your directory contents. Try this to fix it:

$ fs setacl ~/public_html/otherdir system:anyuser read
$ fs setacl ~/public_html system:anyuser read
$ fs setacl ~ system:anyuser l

The first two commands give full read permission ("read" is shorthand for "rl") on the named directories. "l" permission is needed in every parent directory of a file to be able to access it, so the last command makes sure "l" is granted to system:anyuser on your home directory.

When your web content is accessed through your own virtual host, you can also grant read access to $USER.daemon instead of the broader system:anyuser, where $USER is your username. This is your bizarro-world twin, which Apache runs as when serving your content.
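
The check described above as a script, added here as an example (not HCoop's own tooling): it walks from the content directory up to your home directory and reports each directory where the given principal (system:anyuser or $USER.daemon) lacks the rights the text calls for. The function names and the script name check-web-acl.sh are made up for this example, and only direct ACL entries are considered, not group membership.

```shell
#!/bin/sh
# Added example, not HCoop's own tooling: parse `fs listacl` output and check
# that a principal can reach and read a web directory in AFS.

# Sample input: the `fs listacl` output shown on this page.
SAMPLE_ACL='Access list for /afs/hcoop.net/user/y/yo/you/public_html/otherdir is
Normal rights:
  system:administrators rlidwka
  system:anyuser l
  you rlidwka'

# acl_rights PRINCIPAL: read `fs listacl` output on stdin and print the rights
# granted directly to PRINCIPAL, minus any listed under "Negative rights:".
acl_rights() {
    awk -v who="$1" '
        /^Normal rights:/   { sect = "pos"; next }
        /^Negative rights:/ { sect = "neg"; next }
        $1 == who { if (sect == "pos") pos = $2; else if (sect == "neg") neg = $2 }
        END {
            for (i = 1; i <= length(pos); i++) {
                c = substr(pos, i, 1); if (!index(neg, c)) out = out c
            }
            print out
        }'
}

# has_rights HAVE NEED: succeed only if every letter of NEED occurs in HAVE.
# The "_" keeps the set passed to tr non-empty when HAVE is empty.
has_rights() { [ -z "$(printf '%s' "$2" | tr -d "_$1")" ]; }

# check_web_path PRINCIPAL DIR TOP: DIR (holding the content) needs "rl";
# each parent up to and including TOP (your home directory) needs "l".
check_web_path() {
    who=$1 dir=$2 top=$3 need=rl grant=read status=0
    while :; do
        have=$(fs listacl "$dir" | acl_rights "$who")
        if has_rights "$have" "$need"; then
            echo "ok      $dir: $who has '$have'"
        else
            echo "MISSING $dir: $who has '$have'; try: fs setacl $dir $who $grant"
            status=1
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir") need=l grant=l
    done
    return $status
}

# Usage: sh check-web-acl.sh PRINCIPAL DIR HOME
if [ "$#" -eq 3 ]; then check_web_path "$@"; fi
```

Because fs setacl replaces the principal's existing entry on that directory, compare the suggested command with the rights the principal already has before running it.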

Note that your CGI directories and executables should be in the group nogroup; if this is not the case you may see cryptic warnings in your error.log along the lines of "suexec policy violation: see suexec log for more details".

See the Getting Started chapter of the Member Manual, in particular the AFS section, for information on how to work with AFS's separate notion of permissions.