OS X web server folder in Dropbox folder: correct permissions?

Hello,


I have purchased & installed OS X server. I want to run a local web server test environment, using static HTML and PHP pages.

  • Everyone on the (W)LAN should be able to access the test site served from this machine.
  • I do not want/need outside access to the LAN/server.
  • As a logged-in admin, I need to be able to access the files in the server directory.
  • The folder I'm serving the site from ("site") is a subfolder of my Dropbox folder: /users/MYACCOUNT/Dropbox/work/site/ . Dropbox (the application / service) should be able to upload/sync the files in /work/site/, so I can e.g. see and edit them on an iOS device.


I cannot figure out how to set the access permissions correctly. Here's what I tried:


  • OS X Server (2.2.1) is running.
  • Server's Websites service is running and configured to use the "site" folder.
  • Looking at the Account list in OS X Server, I see that there is a user "World Wide Web Server" ("_www"), but it is disabled and doesn't belong to any group.
  • I changed the owner of "site" to "_www".
  • I tried changing access privileges to "site" for "Everyone" to Read, then to Write, then to No Access.


Yet all I get when I try to access the site is "403: forbidden".


The web server error log has many "Permission denied: /Users/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable" entries. There are no ".htaccess" files in "/Users/", and I don't understand why the web server would even look there.

What am I doing wrong?


Do I need to set privileges for the parent folders of "site", too?


And once I have figured out/set correct privileges for the "site" folder - do I have to apply it recursively to all files and subfolders in it?


Thanks a lot!

Posted on Jul 9, 2013 3:39 AM


Jul 9, 2013 5:01 AM in response to wintermute101

I do not definitely know what is wrong, but I have a guess: not only the permissions on your web folder need to be right but also the permissions on each file you want the web server to access. So move a file there by dropping it into your DropBox, let DropBox move the file onto the server, then use Get Info to look at the permissions of the file there.


The web server runs as the user _www you discovered. So to let the web server serve a file the permissions on that file need to allow user _www to read the file. It is generally considered bad security to give _www write privileges too, because a security bug may be discovered, and this would allow someone to ruin your web site. But while you are still experimenting and just trying to get things working, anything goes.

Jul 9, 2013 7:05 AM in response to Simon Slavin

Hello Simon,


thank you - you pointed me in the right direction. The problem wasn't strictly Dropbox-related.


Obviously, the web server ("_www") really needs to see a .htaccess file in /Users/ to be happy. And as "_www" doesn't belong to the "Admins" Group, I had to change the permissions for /Users/ to 755 so it could access /Users/.htaccess (see here: http://wiki.apache.org/httpd/PcfgOpenfile ).


After that, I moved the actual website folder to /users/USER/Dropbox/somewhere/else/ . However, all folders and files I want to serve now need the same permission (755).


I don't think this approach is safe. It means that everyone on my local network now can go down that particular folder path and see/execute whatever is there, right?


What's a better approach so that only I and the web server can access these files? Should I add user "_www" to group "staff", so I can switch off access for everyone else?


Thanks!

Jul 9, 2013 7:45 AM in response to wintermute101

Unfortunately, that approach has problems of its own. It gives enough privs to Apache that anyone who gained control of Apache would be able to mess with your whole computer.


I suspect that you are going to have to use file sharing or some other method of editing your web site rather than being able to use Dropbox to synchronise with it. Your first step should be to move your web site so it's no longer any part of your /Users/ folder, back to some harmless part of your hard disk like


/Shared Items/website


move the files there and get the site working again. Then you might be able to mess with aliases (or hard or soft links) to make Dropbox think that a subdirectory of this folder is a subdirectory of your dropbox folder. But I don't know if this would work at all. You might need to use file sharing instead.
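
An added example, not part of the original thread: a read-only diagnostic for the "Permission denied: /Users/.htaccess" error discussed above. It walks each parent directory of the site folder and reports the first one that accounts outside the owner and group cannot search. The function names are hypothetical, and it assumes the web server account (such as _www) is neither owner nor group member of these directories; ACLs are not evaluated.

```shell
#!/bin/sh
# Added example: locate the directory that blocks a web server account.
# Assumption: the account (e.g. _www) falls under the "other" permission
# bits of every directory on the path. ACLs are not evaluated.

# Print the three "other" permission characters of a path, e.g. "r-x".
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# Succeed if "other" has the search (x) bit on directory $1.
# 't' is sticky plus x; 'T' is sticky without x.
other_can_search() {
    case "$(other_bits "$1")" in
        ??x|??t) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk from $2 (default /) down to $1 and print the first directory that
# "other" cannot search. Prints nothing if every directory is searchable.
first_blocked() {
    target=${1%/}
    cur=${2:-/}
    cur=${cur%/}                 # "/" becomes the empty string
    rest=${target#"$cur"}        # part of the path below the start
    rest=${rest#/}
    if ! other_can_search "${cur:-/}"; then
        printf '%s\n' "${cur:-/}"
        return 0
    fi
    while [ -n "$rest" ]; do
        cur="$cur/${rest%%/*}"
        [ -d "$cur" ] || break   # only directories need the search bit
        if ! other_can_search "$cur"; then
            printf '%s\n' "$cur"
            return 0
        fi
        case "$rest" in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
    done
    return 0
}

# Usage: sh thisfile.sh /path/to/site
if [ $# -gt 0 ]; then first_blocked "$1"; fi
```

A directory printed here is one the server cannot pass through, so every lookup below it fails before the server can even test whether a .htaccess file exists. Files inside the site folder additionally need the read bit, which this check does not cover.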
