Permission denied because search permissions are missing on a component of the path, after chmod and chgrp

Finally figured out a fix. I ran these 2 functions to recursively fix the folder and file permissions of www and within.

find /var/www -type d -exec chmod 755 {} \;
find /var/www -type f -exec chmod 644 {} \;

I read this page here: https://wiki.apache.org/httpd/13PermissionDenied and it basically explained and reminded me that permissions are inherited, "do the same for the directory and each parent directory." So I ran those 2 and everything is working again.
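The per-directory check described above ("do the same for the directory and each parent directory") can be automated. The following is an added example, not code from the answers on this page: a hypothetical helper, first_blocked_component, that walks a path and reports the first component the "other" class cannot pass. It assumes the web server user is neither owner nor group member of the files, and it looks only at mode bits, not at ACLs or SELinux contexts.

```sh
#!/bin/sh
# Added example (not from the original answers). first_blocked_component is a
# hypothetical helper name. Assumes TARGET is an absolute path under START.
# Usage: first_blocked_component TARGET [START]
# Prints the first path component that "other" cannot pass and returns 1;
# prints nothing and returns 0 when every component is open.
first_blocked_component() {
    target=$1
    cur=${2:-/}
    cur=${cur%/}                       # "/" becomes "" so components join cleanly
    rest=${target#"$cur"/}             # components still to visit
    while :; do
        node=${cur:-/}
        if [ -d "$node" ]; then
            # 10th character of the ls mode string is other-execute (search);
            # "t" is sticky with execute set, "T" and "-" mean no search.
            bit=$(ls -ld "$node" | cut -c10)
            case $bit in
                x|t) ;;
                *) printf '%s\n' "$node"; return 1 ;;
            esac
        elif [ -f "$node" ]; then
            # A regular file at the end of the path needs other-read (8th character).
            bit=$(ls -ld "$node" | cut -c8)
            if [ "$bit" != r ]; then
                printf '%s\n' "$node"
                return 1
            fi
        fi
        [ -n "$rest" ] || break
        cur=$cur/${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest= ;;
        esac
    done
    return 0
}

# Run directly, e.g.: sh check_path.sh /var/www/app/index.html
if [ "$#" -gt 0 ]; then
    first_blocked_component "$@"
fi
```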


Usually the execute permission for one path is not set, like it was in this question. The easiest way to solve this is the following command:

chmod a+rX -R /var/www

But when using CentOS 7 or RHEL 7 you might encounter problems with SELinux. If the file permissions are right and you still get the error, look at the following log:

tail -f /var/log/audit/audit.log

If you get a message like this:

type=AVC msg=audit(1464350432.916:8222): avc:  denied  { getattr } for  pid=17526 comm="httpd" path="/var/www/app/index.html" dev="sda1" ino=42021595 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1464350432.916:8222): arch=c000003e syscall=4 success=no exit=-13 a0=7fde4e450d40 a1=7ffd05e79640 a2=7ffd05e79640 a3=7fde42e43792 items=0 ppid=17524 pid=17526 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

This means SELinux is blocking access to your document root. You can try a command like this (recursive and verbose with option -Rv):

chcon  --user system_u --type httpd_sys_content_t -Rv /var/www/app/public

To find the right settings, look into a working directory like /var/www/html with this:

ls -laZ /var/www/

It should look like:

drwxr-xr-x. server server system_u:object_r:httpd_sys_content_t:s0 .
drwxr-xr-x. root   root   system_u:object_r:var_t:s0       ..
drwxr-xr-x. server server system_u:object_r:httpd_sys_script_exec_t:s0 cgi-bin
drwxr-xr-x. server server system_u:object_r:httpd_sys_content_t:s0 html
drwxrwxr-x. server server unconfined_u:object_r:var_t:s0   app

For people who might have tried the above and are still experiencing problems, make sure none of the directories in the path have an ACL on them that is preventing apache access.

You can use:

getfacl <directoryname>

to get the permissions on the directory that might have been set using ACLs. You'll see something like the following, which basically says the user has all permissions and the group has read and execute (or search) but not write:

# file: <directoryname>
# owner: username
# group: username
user::rwx
user:1000:rwx
group::---
group:username:r-x
mask::rwx
other::rwx

To give apache or a group access using ACLs, use the following:

setfacl -m g:<groupname>:rx <directoryname>

Just make sure the parent directories have the same. You can use the -R switch to make the change recursively on the top directory.

I ran into this same Apache permissions problem and was banging my head trying to figure out why chmod and chown had no effect before I remembered I had set ACLs on the directory when using Samba a while back.